[Auth.Flow] OTP based on incoming Claim/User Attribute?

Hey People,

the following scenario is given. :smiley:
Keycloak Version: 19.0.1
Identity Provider: ADFS Configured via OIDC Protocol

Claims sent by the IdP are email, given_name, family_name.
Mapper on Keycloak:
MapperType → Attribute Importer
SyncType → inherit
Claim Name → email, given_name, family_name
AttributeName → email, firstName, lastName, OTP

For testing, I’m using the account-console. Users have to configure OTP – Everything works fine to this point.

Now I would like to activate OTP for users depending on the Claims / Attributes I’m getting from the IDP.
For example:
If the User is in the MS AD Group “OTP” - ADFS Creates a Claim and sends this to the Keycloak Server, here I would have a Mapper with said Claim / Attribute.

I assumed that it’s needed to create a new Authentication Flow (?) and Link it to the IdPs “Post Login Flow”.

Within the Flow, I configured the following:

Under the Condition, AttributeName I would enter the Name of the Attribute from the created Mapper (?) :

Is this the right approach? Would this work if I set it as Post Login?
My expectations would be, if the User is in the right group (MS AD) he gets the OTP Form. And for Users that aren’t in the Group, they don’t get the OTP Form but still can login.

One thing I noticed is that if I enter the Attribute Name and look into the Config afterward… sometimes it’s blank.

If I’m testing it as described and get the right Value – everything seems to work. But if I change the Value to something non-existent (for testing purposes) – I get “Incorrect username or Password”.

To simplify it, I used my firstName. If I enter my First Name in the condition as expected Value = Works, if I change it to Blablub = Error.

Am I missing something? :smiley:

Any advice is appreciated.
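
An added example, not part of the original post: a check over a realm export that flags "Condition - user attribute" steps whose saved config is missing or blank, the symptom described above. It assumes the realm-export JSON layout and the `conditional-user-attribute` provider with its `attribute_name` / `attribute_expected_value` config keys; the flow aliases, config aliases and the expected value `true` are constructed.

```python
# Provider id and config keys of Keycloak's "Condition - user attribute" step
# (assumed to match the Keycloak version in use).
COND_ATTR = "conditional-user-attribute"
REQUIRED_KEYS = ("attribute_name", "attribute_expected_value")

def audit_conditions(realm):
    """Return (flow alias, problem) pairs for attribute conditions that cannot match."""
    configs = {c["alias"]: c.get("config") or {}
               for c in realm.get("authenticatorConfig", [])}
    findings = []
    for flow in realm.get("authenticationFlows", []):
        for ex in flow.get("authenticationExecutions", []):
            if ex.get("authenticator") != COND_ATTR:
                continue
            alias = ex.get("authenticatorConfig")
            if alias not in configs:
                findings.append((flow["alias"], "condition has no saved config"))
                continue
            for key in REQUIRED_KEYS:
                if not (configs[alias].get(key) or "").strip():
                    findings.append((flow["alias"], key + " is blank"))
    return findings

def _flow(alias, cfg_alias):
    # Constructed helper: a sub-flow holding the condition followed by the OTP form.
    cond = {"authenticator": COND_ATTR, "requirement": "REQUIRED"}
    if cfg_alias:
        cond["authenticatorConfig"] = cfg_alias
    otp = {"authenticator": "auth-otp-form", "requirement": "REQUIRED"}
    return {"alias": alias, "authenticationExecutions": [cond, otp]}

# Constructed realm export fragment (aliases and values are made up for the example).
SAMPLE_REALM = {
    "authenticationFlows": [
        _flow("otp-ok", "cond-ok"),
        _flow("otp-blank-name", "cond-blank"),
        _flow("otp-no-config", None),
    ],
    "authenticatorConfig": [
        {"alias": "cond-ok",
         "config": {"attribute_name": "OTP", "attribute_expected_value": "true"}},
        {"alias": "cond-blank",
         "config": {"attribute_name": "", "attribute_expected_value": "true"}},
    ],
}

if __name__ == "__main__":
    for flow_alias, problem in audit_conditions(SAMPLE_REALM):
        print(flow_alias + ": " + problem)
```

To run it against a real realm, load the exported JSON with `json.load` and pass the resulting dict to `audit_conditions`.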