[keycloak-user] Using the amr claim in access token when brokering with Azure AD

Philippe Gauthier philippe.gauthier at inspq.qc.ca
Thu Nov 28 08:27:53 EST 2019


Hello Keycloak users.

Has anybody tried to do something with the amr claim sent by an IdP to Keycloak on identity brokering?

We did a POC using Azure AD as an IdP with Keycloak. Azure AD is configured to force users to do multi-factor authentication (MFA).

When I log in to my application secured by Keycloak using my Azure AD identity, the access token received by Keycloak from Azure AD contains the following amr claim:
"amr": [
    "pwd",
    "mfa"
  ],

This claim tells that I was authenticated using a password and MFA.

When I look at the access token Keycloak gave me, there is no such amr claim.
Is there a way, other than creating an SPI, to propagate this claim from the Azure AD access token to the Keycloak access token?

What we want to do is to ask a user who was not authenticated by an external multi-factor authentication to use the Keycloak OTP when accessing sensitive applications.

Thank you.
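The step-up decision described in the post (require Keycloak OTP when the token does not show an external second factor), as an added example on the relying-party side that is not part of the original post or of Keycloak. It assumes the OIDC library has already verified the token's signature, issuer and expiry, and it treats the RFC 8176 values "mfa" and "otp" as a completed second factor; a token with no amr claim at all (like the Keycloak token in the post) is treated as single-factor.

```python
import base64
import json

# RFC 8176 authentication method references accepted as a second factor.
# Assumption for this example: "mfa" (what Azure AD emits) or "otp" is enough.
MFA_METHODS = {"mfa", "otp"}


def decode_claims(token: str) -> dict:
    """Return the claim set of a compact JWT (header.payload.signature).

    This does NOT verify anything; signature, issuer and expiry checks are
    assumed to have been done by the OIDC library before this is called.
    """
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def needs_step_up(claims: dict) -> bool:
    """True when the caller must complete Keycloak OTP before a sensitive app.

    A missing or malformed amr claim is treated as 'password only', which is
    the safe default: the token simply carries no evidence of a second factor.
    """
    amr = claims.get("amr")
    if not isinstance(amr, list):
        return True
    return not (MFA_METHODS & {str(m) for m in amr})


def make_unsigned_token(claims: dict) -> str:
    """Build a constructed, UNSIGNED sample token for the demonstration only."""
    def b64(obj: dict) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{b64({'alg': 'none'})}.{b64(claims)}."


if __name__ == "__main__":
    # Constructed samples: the Azure AD token from the post, and a Keycloak
    # token that lost the amr claim during brokering.
    azure_like = make_unsigned_token({"sub": "alice", "amr": ["pwd", "mfa"]})
    keycloak_like = make_unsigned_token({"sub": "alice"})
    for label, tok in (("azure", azure_like), ("keycloak", keycloak_like)):
        print(label, "step-up required:", needs_step_up(decode_claims(tok)))
```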

