Force 2FA for social IdP: does not work with a post-login flow


We would like to use Google or Microsoft IdP.
That works fine.
BUT we would like also to force 2FA while getting authenticated thanks to these social IdP.

→ How to correctly proceed?

We tried to configure a post-login flow like this:

BUT we got the error below ==> Why ?

(context: Keycloak 11.0.3 - Docker image)

A workaround is just to keep the OTP form without any condition.

You could try using a Conditional OTP Form.

Create a Role, add an “Identity Provider Mapper” to the identity providers with the mapper set to “Hardcoded Role”, and select the created role.

In the config of the Conditional OTP Form you add the new role to “Force OTP for Role”.

In your setup, I guess it could be set up as the top level, and set to Required; if it doesn’t have it, it would skip it, unless you set “Fallback OTP handling” to other than skip.

1 Like
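An offline check of the setup described in the answer above, as an added example that is not part of the thread or of Keycloak: it walks a realm export and reports each identity provider whose post-login flow does not end up forcing OTP through a hardcoded role. It assumes the realm-export key names (`postBrokerLoginFlowAlias`, `identityProviderMappers`, `authenticatorConfig`, `forceOtpRole`) and the provider IDs `oidc-hardcoded-role-idp-mapper` and `auth-conditional-otp-form`; the role, flow and config aliases are constructed.

```python
# Constructed sample: a trimmed realm export (role, flow and config aliases are made up).
# Assumption: key names follow the Keycloak realm-export JSON layout.
SAMPLE_REALM = {
    "identityProviders": [
        {"alias": "google", "postBrokerLoginFlowAlias": "social-otp"},
        {"alias": "microsoft", "postBrokerLoginFlowAlias": "social-otp"},
    ],
    "identityProviderMappers": [
        {"identityProviderAlias": "google", "config": {"role": "social-2fa"},
         "identityProviderMapper": "oidc-hardcoded-role-idp-mapper"},
    ],
    "authenticationFlows": [
        {"alias": "social-otp", "authenticationExecutions": [
            {"authenticator": "auth-conditional-otp-form", "requirement": "REQUIRED",
             "authenticatorConfig": "force-otp-social"}]},
    ],
    "authenticatorConfig": [
        {"alias": "force-otp-social", "config": {"forceOtpRole": "social-2fa"}},
    ],
}

def audit_social_otp(realm):
    """Return {IdP alias: problem} for every IdP where role-forced OTP is not wired up."""
    flows = {f["alias"]: f for f in realm.get("authenticationFlows", [])}
    configs = {c["alias"]: c.get("config", {}) for c in realm.get("authenticatorConfig", [])}
    problems = {}
    for idp in realm.get("identityProviders", []):
        alias = idp["alias"]
        flow = flows.get(idp.get("postBrokerLoginFlowAlias"))
        if flow is None:
            problems[alias] = "no post-login flow"
            continue
        # Roles that a REQUIRED Conditional OTP Form in this flow forces OTP for.
        forced = {configs.get(e.get("authenticatorConfig"), {}).get("forceOtpRole")
                  for e in flow.get("authenticationExecutions", [])
                  if e.get("authenticator") == "auth-conditional-otp-form"
                  and e.get("requirement") == "REQUIRED"} - {None}
        if not forced:
            problems[alias] = "no required Conditional OTP Form with a forced role"
            continue
        # Roles this IdP hands to every brokered user via a Hardcoded Role mapper.
        granted = {m.get("config", {}).get("role")
                   for m in realm.get("identityProviderMappers", [])
                   if m.get("identityProviderAlias") == alias
                   and m.get("identityProviderMapper") == "oidc-hardcoded-role-idp-mapper"}
        if not forced & granted:
            problems[alias] = "no Hardcoded Role mapper grants " + ", ".join(sorted(forced))
    return problems

if __name__ == "__main__":
    print(audit_social_otp(SAMPLE_REALM))
```

In the constructed sample only `google` has the mapper, so `microsoft` is reported: its users would reach the Conditional OTP Form without the forced role.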

Yes it works also