How to set ACR values with external identity provider

Hi, I have configured an external identity provider (a Norwegian one, Signicat, BankID), and they require “acr_value” to be set as a query parameter on the authorize call.

This is the request parameter I would like to add: acr_values=urn:signicat:oidc:method:nbid

Example of a valid authorize URL:

https://preprod.signicat.com/oidc/authorize?response_type=code&scope=openid+profile&client_id=<client_id>&redirect_uri=https://labs.signicat.com/redirect&state=123abc&acr_values=urn:signicat:oidc:method:nbid

The issue is that I can’t see where and how I can set it in the Keycloak UI when I am configuring the identity provider. I downloaded the Keycloak source to look if I could find anything there, and I see it in the AbstractOAuth2IdentityProvider class, but I don’t see how I can set that value in the Keycloak UI to make it work.

Thanks in advance for your help.

Hi

My understanding is that the ACR value cannot be set based on the target IDP.
In the code above, you can see that ACR values are not read from getConfig(), which contains the parameters that you can set through the GUI at the “Identity Provider” level.
ACR must be set in the initial URL that the client uses at the beginning.
That’s a pity because I wanted to do exactly the same thing: I have a federation with 2+ IDPs and I wanted to force one of the IDPs to do MFA regardless of the client_id.
Alas, I think Keycloak does not support this at the moment.

Regards

An idea

Why don’t you add your acr_values argument at the end of the authorization URL?

Something like “xxxx/protocol/openid-connect/auth?acr_values=http%3A%2F%2Fschemas.openid.net%2Fpape%2Fpolicies%2F2007%2F06%2Fmulti-factor”
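The suggestion above (put acr_values in the initial authorization URL, percent-encoded) and the first answer’s point that the client, not the IdP configuration, has to request the ACR both come down to the same two steps on the relying-party side: build the request URL with acr_values, and then check the `acr` claim that comes back in the ID token, because acr_values is only a hint to the OpenID Provider and the token is the only evidence that the requested method (here BankID) was actually used. The following is an added example, not code from the thread or from Keycloak; the Keycloak host, realm, client id and redirect URI are constructed placeholders, and the ID-token claims passed to `acr_satisfied` are assumed to have already been signature-verified by your OIDC library.

```python
"""Build an authorize URL carrying acr_values, then verify the acr claim on the way back.
Added example; host, realm, client id and redirect URI below are constructed placeholders."""
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed placeholder for a Keycloak realm's authorization endpoint.
KEYCLOAK_AUTH_ENDPOINT = "https://keycloak.example/realms/demo/protocol/openid-connect/auth"
# The ACR value from the question (Signicat's Norwegian BankID method).
SIGNICAT_NBID_ACR = "urn:signicat:oidc:method:nbid"


def build_authorize_url(auth_endpoint, client_id, redirect_uri, state, acr_values=()):
    """Return the authorization-code request URL.

    acr_values is a space-separated list per OIDC Core; urlencode percent-encodes
    the colons in each URN (':' -> '%3A') and the space to '+', which is the form
    the last reply shows in its example URL.
    """
    params = {
        "response_type": "code",
        "scope": "openid profile",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,  # bind the response to this browser session; check it on return
    }
    if acr_values:
        params["acr_values"] = " ".join(acr_values)
    return f"{auth_endpoint}?{urlencode(params)}"


def query_params(url):
    """Decode the query string back into {name: [values]} for inspection."""
    return parse_qs(urlsplit(url).query)


def acr_satisfied(id_token_claims, required_acr):
    """True only if the ID token's acr claim is one of the values we asked for.

    acr_values is a voluntary request hint: an OP may ignore it and still log the
    user in with a weaker method. The relying party must therefore compare the
    acr claim of the (already signature-verified) ID token against what it
    required before treating the session as BankID- or MFA-backed.
    """
    return id_token_claims.get("acr") in set(required_acr)


if __name__ == "__main__":
    url = build_authorize_url(
        KEYCLOAK_AUTH_ENDPOINT, "my-client", "https://app.example/cb", "123abc",
        acr_values=[SIGNICAT_NBID_ACR],
    )
    print(url)
    # Constructed claim sets standing in for decoded, verified ID tokens.
    print(acr_satisfied({"acr": SIGNICAT_NBID_ACR, "sub": "u1"}, [SIGNICAT_NBID_ACR]))  # True
    print(acr_satisfied({"sub": "u1"}, [SIGNICAT_NBID_ACR]))  # False: no acr returned
```

The second function is the part that is easy to forget: appending acr_values to the URL changes what is requested, not what is guaranteed, so a client that skips the `acr` check would accept a password-only login from an IdP that ignored the hint.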