[keycloak-user] How does conditional OTP form work?
thomas.darimont at googlemail.com
Wed Nov 9 11:42:09 EST 2016
Strange that the conditional OTP currently doesn't work for you; when I wrote it
a few months back it worked quite well for us.
I didn't look at it for a while since I'm using a slightly different
authentication logic now which doesn't require the CondOTP anymore.
Let me know if I can help :)
2016-11-09 15:10 GMT+01:00 Stian Thorgersen <sthorger at redhat.com>:
> We're currently looking at the conditional otp form as it seems to be
> broken. The way it should work is if it's required it's required only if
> otp is required depending on roles and headers. If it's optional it should
> only be required if user has configured OTP.
> On 9 November 2016 at 14:36, Georgobasiles, Georgios (AMOS SE) <
> GEORGIOS.GEORGOBASILES at allianz.de> wrote:
> > Dear all,
> > I’m trying out a scenario where users are forced into different login
> > flows depending on their browser’s user agent HTTP header: all users have
> > to log in over a SAML IP and, in addition, users who don’t use IE need to
> > go through an OTP form.
> > I’ve set up a SAML IP with a post login flow that consists of a single
> > “Conditional OTP Form” execution. For test purposes, the only condition
> > on that execution is a “Skip OTP for Header” which is “User-Agent:.*MSIE.*”
> > with a fallback OTP handling to “force”.
> > I noticed that when the execution is marked as “required”, an OTP form is
> > always shown to the user regardless of their browser’s user agent, and when
> > it’s marked as “optional”, the user never gets to see the OTP form, so it
> > looks like the condition on the HTTP header is always ignored. What am I
> > missing?
> > version: 2.3.0 final
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
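
Added example, not part of the original thread and not Keycloak's own code: a small Python model of the header condition configured in the question (skip pattern "User-Agent:.*MSIE.*", fallback "force"), run over constructed User-Agent samples. It assumes each request header is rendered as "Name: value" and that the pattern must match that whole string; the function and variable names are hypothetical.

```python
import re

SKIP, FORCE = "skip", "force"

# Values taken from the configuration described in the question.
SKIP_HEADER_PATTERN = r"User-Agent:.*MSIE.*"
FALLBACK = FORCE


def otp_decision(headers, skip_pattern=SKIP_HEADER_PATTERN, fallback=FALLBACK):
    """Model of the 'Skip OTP for Header' condition (hypothetical helper).

    Assumption: every header is rendered as "Name: value" and the pattern has
    to match that whole string, case-sensitively. If no header matches, the
    configured fallback applies.
    """
    regex = re.compile(skip_pattern, re.DOTALL)
    for name, value in headers.items():
        if regex.fullmatch(f"{name.strip()}: {value.strip()}"):
            return SKIP
    return fallback


# Constructed sample requests (typical User-Agent formats, not captured traffic).
IE10_UA = "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; Trident/6.0)"
SAMPLES = {
    "IE 10": {"User-Agent": IE10_UA},
    # IE 11 dropped the "MSIE" token, so the configured pattern does not match it.
    "IE 11": {"User-Agent": "Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko"},
    "Firefox": {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; rv:49.0) Gecko/20100101 Firefox/49.0"},
    # Same IE 10 value, but the header name arrives in lower case.
    "IE 10, lower-case name": {"user-agent": IE10_UA},
}


def evaluate_samples():
    """Return the OTP decision for every constructed sample request."""
    return {label: otp_decision(headers) for label, headers in SAMPLES.items()}


if __name__ == "__main__":
    for label, decision in evaluate_samples().items():
        print(f"{label:24} -> {decision}")
```

In this model, any request whose headers do not match the skip pattern falls through to the "force" fallback, which is the behaviour the question expected from the "required" execution.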