Google identity provider with 2fa

Hi

I set up Google as an identity provider so that staff members can use their domain emails. In Google, 2FA is enforced, but when I set up Google as the identity provider it does not use Google's 2FA. Can this be configured/enforced?

Thanks

Hey @JasonS, I’d like to get some clarification.

Do you mean that when you set up Google OAuth2 as an identity provider in your Keycloak installation, users signing in through Google are not required to complete Google's 2FA, or some sort of 2FA you set up in Keycloak?

I don't think we can control Google's 2FA policies. If it's Keycloak 2FA, you may want to look at your flows.

An expert Keycloak user's advice would also be greatly appreciated.

Hi,

Thanks for responding

Actually, neither is happening.

  1. Since our Google emails have 2FA enabled on them, I expected Google would ask for the 2FA, but it doesn't.
  2. I added the OTP form as required, and it does not seem to trigger the Keycloak TOTP either. It did, though, ask me to configure this on the first login with Google as identity provider.

Was the test done with the user already logged in to Google? Google 2FA will only be required when logging in at Google. Once you are logged in, 2FA is not required to be repeated for every action on the Google account (such as granting the login via OIDC federation to Keycloak). That is the point of single sign-on: you authenticate once and then don't have to bother anymore.

And did you configure it? I would expect an additional second-factor request to happen then (so, if logged out at Google as well:

  • Google password
  • Google second factor
  • Keycloak second factor

would be prompted).
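The point above is that the upstream IdP reuses its own session, so the federated login never re-triggers Google's 2FA. The following is an added example, not code from this thread or from Keycloak, showing the standard OIDC Core mechanisms a relying party can use to ask for, and then verify, a fresh authentication: sending `prompt=login` and `max_age=0` in the authorization request, and checking the `auth_time` claim of the returned ID token against the time the request was made. The client ID, redirect URI, nonce and the sample ID tokens are constructed for the demo; whether a particular IdP honours `prompt=login` or returns `auth_time` is IdP-specific (Google documents only `none`, `consent` and `select_account` for `prompt`), so treat the Google behaviour as an assumption to test in your own realm, not a guarantee.

```python
import base64
import json
from urllib.parse import urlencode

# Added example; not Keycloak's or Google's code. Shows OIDC Core request
# parameters (prompt, max_age) and the auth_time check a relying party
# performs to detect that the IdP reused an existing SSO session instead of
# re-authenticating (and therefore re-prompting for a second factor).

GOOGLE_AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"
CLOCK_SKEW = 60  # seconds of tolerated clock difference between RP and IdP


def build_auth_url(client_id, redirect_uri, state, nonce, max_age=0, force_login=True):
    """Authorization request asking the IdP for a fresh login.

    max_age=0 requests that the user authenticated "just now"; prompt=login
    asks the IdP to re-prompt even if it has a session. Both are OIDC Core
    parameters; support for prompt=login is an assumption for a given IdP.
    """
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid email profile",
        "state": state,
        "nonce": nonce,
        "max_age": str(max_age),
    }
    if force_login:
        params["prompt"] = "login"
    return GOOGLE_AUTH_ENDPOINT + "?" + urlencode(params)


def decode_jwt_payload(jwt):
    """Decode only the payload segment of a compact JWT.

    Signature verification against the IdP's JWKS is deliberately out of
    scope here; a real relying party must verify it before trusting claims.
    """
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_fresh_authentication(claims, request_time, max_age, expected_nonce):
    """Return (ok, reason): did the IdP really authenticate the user for this request?"""
    if claims.get("nonce") != expected_nonce:
        return False, "nonce mismatch: token was not issued for this request"
    auth_time = claims.get("auth_time")
    if auth_time is None:
        return False, "no auth_time claim: cannot tell whether the IdP reused its existing session"
    age = request_time - auth_time
    if age > max_age + CLOCK_SKEW:
        return False, f"auth_time is {age}s before the request: SSO session reused, no fresh login (so no fresh 2FA)"
    return True, "fresh authentication at the IdP"


def make_unsigned_jwt(claims):
    """Constructed sample token for the demo only (alg=none, empty signature).

    Never accept unsigned tokens from a real IdP.
    """
    def b64(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return b64({"alg": "none", "typ": "JWT"}) + "." + b64(claims) + "."


if __name__ == "__main__":
    request_time = 1_700_000_000  # constructed "now" for the demo
    url = build_auth_url(
        "123456-example.apps.googleusercontent.com",  # constructed client ID
        "https://sso.example.test/realms/staff/broker/google/endpoint",  # constructed redirect URI
        state="st4te", nonce="n0nce",
    )
    print(url)
    # Constructed tokens: one from a Google session established five hours ago
    # (the situation in the thread), one from a login performed for this request.
    reused = make_unsigned_jwt({"iss": "https://accounts.google.com", "sub": "1",
                                "nonce": "n0nce", "auth_time": request_time - 5 * 3600})
    fresh = make_unsigned_jwt({"iss": "https://accounts.google.com", "sub": "1",
                               "nonce": "n0nce", "auth_time": request_time - 3})
    for token in (reused, fresh):
        print(check_fresh_authentication(decode_jwt_payload(token), request_time, 0, "n0nce"))
```

The practical consequence for the thread's test: logging out of Google before trying the federated login is the manual equivalent of what `prompt=login` asks for, and `auth_time` (when the IdP returns it) is the only evidence in the token that a new authentication, and with it the IdP's second factor, actually happened.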

Hi

Aaah, you may have highlighted my issue. I was not thinking. I will log out completely from Google and see if it requires the 2FA or not.

Thanks