Hi
I set up Google identity provider such that staff members can use the domain emails. In Google, 2FA is enforced, but when I set up Google as identity provider it does not use the Google 2FA. Can this be configured/enforced?
Thanks
Hey @JasonS, I’d like to get some clarification.
Do you mean that when you set up Google OAuth2 as an identity provider in your Keycloak installation, users signing in through Google are not required to complete Google’s 2FA, or some sort of 2FA you set up in Keycloak?
I don’t think we can control Google’s 2FA policies. If it’s Keycloak 2FA, you may want to look at your flows.
Expert Keycloak users’ advice would also be greatly appreciated.
Hi,
Thanks for responding
Actually both (either) are not happening.
Was the test done with the user already logged in at Google? The Google 2FA auth will only be required when logging in at Google. Once you are logged in, 2FA is not required to be repeated for every action on the Google account (such as granting the login via OIDC federation to Keycloak). That is the point of single sign-on: you authenticate once and then don’t have to bother anymore.
And did you configure it? I would expect an additional second-factor request to happen then. (so if logged out at Google as well:
Hi
Aaah, you may have highlighted my issue. I was not thinking. I will log out completely from Google and see if it requires the 2FA or not.
Thanks