[keycloak-user] Enable X.509 Client Certificate User Authentication only to specific realm

roberto palmarin rpalmarin at yahoo.com
Thu Jan 24 05:22:37 EST 2019


Hi, my goal is to have services that authenticate with user and password and services that authenticate with X509 certificate.
Moreover, if I am authenticated with the certificate, I no longer have to authenticate with username and password.

I have seen that the SAML parameter authnContextClassRef is not supported by Keycloak, which would allow forcing the authentication method!

I then tried to create new realms and use one realm for authentication with username/password and the other realm for X509 mutual authentication.
The question is: how can I disable X509 mutual authentication for a realm on Keycloak? The configuration for mutual authentication is at the WildFly level and not at the realm level nor at the client Keycloak level.
Is it possible to have the correct value of authnContextClassRef in the Keycloak SAML response?

Thanks,
Roberto Palmarin


