Bypass OTP requirement for external IDP login only

I have a realm that has both username+pw form enabled and also option to login via an external IDP. I understand that in order to enable TOTP I have to enable it at Realm->Authentication->Required actions and set to enabled. That will configure any new users with a required action to Configure OTP. Some users use IDP and some use pw. I want to set all existing users to Configure OTP but only when they are logging in using password. If a user is set to Configure OTP but logs in via IDP I want to skip that, and only execute the required action if they use pw to login. How can this be set up?

The default browser flow may already achieve what you are describing. The Identity Provider Redirector step is alternative, so is the forms step. So either one will fully authenticate the user.
Have you tried the default browser flow with your use case?

We are using the default browser flow. If a user is set up and has the Configure OTP required action, then it is still enforced when the user uses IDP to login. Once they configure it they can then login using IDP and it won’t prompt for TOTP. However, I only want to enforce TOTP configuration if that user uses username and password to login (as IDP already has MFA). Basically I want it to ignore the Configure OTP action if logging in via IDP, but it can still remain on their account as a required action in case they use password reset to create a password and use that to login at a later time.

I don’t think that is possible out of the box with Keycloak. I think you would have to develop your own custom OTP required action to achieve that.

In case you are still having the issue, you can modify the browser flow. By setting ‘Browser - conditional OTP’ to required, all Keycloak users need an OTP, while the IDP users are unaffected.
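The change described in the last reply, scripted against the Keycloak admin REST API as an added example (not code from the thread or from Keycloak itself). It fetches the executions of the browser flow, locates the ‘Browser - Conditional OTP’ sub-flow by its display name and sets its requirement to REQUIRED; because the Identity Provider Redirector is an ALTERNATIVE at the top level, a user who authenticates at the external IDP never enters the forms sub-flow and so never reaches that step. The server URL, admin credentials, realm name and flow alias are assumptions (many deployments duplicate the built-in `browser` flow and edit the copy, so pass that alias instead); the sample executions list is constructed for the offline check.

```python
"""Set 'Browser - Conditional OTP' to REQUIRED in a Keycloak browser flow (example, not Keycloak code)."""
import json
import urllib.parse
import urllib.request

TARGET_DISPLAY_NAME = "Browser - Conditional OTP"


def find_execution(executions, display_name=TARGET_DISPLAY_NAME):
    """Return the execution entry (here: the OTP sub-flow) with the given displayName."""
    for ex in executions:
        if ex.get("displayName") == display_name:
            return ex
    raise LookupError(f"{display_name!r} not found; is this really a copy of the browser flow?")


def requirement_update(execution, requirement="REQUIRED"):
    """Build the PUT body; Keycloak matches on 'id' and applies the new 'requirement'."""
    choices = execution.get("requirementChoices", [requirement])
    if requirement not in choices:
        raise ValueError(f"{requirement} not allowed here, choices are {choices}")
    return {"id": execution["id"], "requirement": requirement}


def admin_token(base_url, username, password):
    """Password grant against the master realm with the built-in admin-cli client (assumed admin user)."""
    form = urllib.parse.urlencode({"grant_type": "password", "client_id": "admin-cli",
                                   "username": username, "password": password}).encode()
    req = urllib.request.Request(f"{base_url}/realms/master/protocol/openid-connect/token", data=form)
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["access_token"]


def set_conditional_otp_required(base_url, token, realm, flow_alias="browser"):
    """GET the flow's executions, then PUT the updated requirement for the OTP sub-flow. Returns HTTP status (204 on success)."""
    url = (f"{base_url}/admin/realms/{urllib.parse.quote(realm)}/authentication/flows/"
           f"{urllib.parse.quote(flow_alias)}/executions")
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    with urllib.request.urlopen(urllib.request.Request(url, headers=headers)) as resp:
        executions = json.load(resp)
    body = json.dumps(requirement_update(find_execution(executions))).encode()
    with urllib.request.urlopen(urllib.request.Request(url, data=body, headers=headers, method="PUT")) as resp:
        return resp.status


# Constructed sample of what the executions endpoint returns (only the fields used here).
SAMPLE_EXECUTIONS = [
    {"id": "exec-idp-redirector", "displayName": "Identity Provider Redirector", "requirement": "ALTERNATIVE",
     "requirementChoices": ["REQUIRED", "ALTERNATIVE", "DISABLED"], "level": 0, "index": 2},
    {"id": "exec-forms", "displayName": "forms", "requirement": "ALTERNATIVE",
     "requirementChoices": ["REQUIRED", "ALTERNATIVE", "DISABLED", "CONDITIONAL"], "level": 0, "index": 3},
    {"id": "exec-cond-otp", "displayName": "Browser - Conditional OTP", "requirement": "CONDITIONAL",
     "requirementChoices": ["REQUIRED", "ALTERNATIVE", "DISABLED", "CONDITIONAL"], "level": 1, "index": 1},
]
```

Run `set_conditional_otp_required("https://keycloak.example", admin_token(...), "myrealm")` against a test realm first; the IDP redirector entry is left at ALTERNATIVE so IDP logins are untouched.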