In our Keycloak setup, I would like to enforce MFA for clients using an external IdP to ensure our company meets certain security standards. However, some of our clients have an IdP that already uses MFA, and we would like to avoid pushing our own MFA solution on them if they have it enabled. How can I get Keycloak to check that they have step-up authentication setup in their external IdP, so that if they have it, I can skip our inhouse MFA, or make them authenticate with our MFA if they do not have it. Is there also a way for Keycloak to request ACR value when it communicates with the external IdP?
AFAIK you can’t really request an ACR value to be returned. This depends on the external IdP if it supports ACR and if it maps the information to the token.
There’s the amr claim, which holds the information, how the user authenticated, but this is also not mandatory. Keycloak for example doesn’t map the information into the tokens by default, one would have to extend Keycloak and its authenticators to be able to handle this value.