How to specify authentication flow for SAML ECP profile

glugy · August 31, 2021, 9:50pm

Problem Summary:
I’m using Microsoft Office 365 as a SAML client for Keycloak version 15.02. I’m enforcing MFA for Office 365 sign-ins with an authentication flow. Everything, including MFA, works as expected when I sign into Office 365 using web based authentication. But when I sign into Office 365 using a “legacy” protocol such as IMAP or POP3, the authentication flow assigned to the Office 365 client in Keycloak is ignored, and I can authenticate without the MFA being enforced.

The Office 365 federation metadata includes the following lines that may be relevant:

<AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://login.microsoftonline.com/login.srf" index="0" isDefault="true"/>
<AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" Location="https://login.microsoftonline.com/login.srf" index="1"/>
<AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS" Location="https://login.microsoftonline.com/login.srf" index="2"/>

I believe that the last PAOS binding indicates the use of the SAML Enhanced Client or Proxy (ECP) profile which is supported by Keycloak according to the docs.

If my conjecture is correct, is there any way to disable the SAML ECP profile in Keycloak or this particular client? Or is it possible to create an authentication flow that works with the SAML ECP profile?

Separately, are there logs that show which path through the authentication flow a request follows?

Thanks much

jangaraj · September 1, 2021, 7:17am

How it works, when you change browser flow to MFA flow on the realm level, not on the client level?

glugy · September 1, 2021, 4:41pm

For testing, I’ve removed the Authentication Flow Override from the client settings. Now the Office 365 client should be using the standard “Browser” authentication flow. With these settings, I still see the same behavior. With web based logins, the authentication flow is followed, and MFA works properly. But with “legacy” (POP/IMAP) logins, the authentication flow is bypassed, and I’m able to successfully authenticate without MFA. I’ve included a screenshot of the browser authentication flow from which I’m testing.

Thank you!

browser_flow|690x233

jangaraj · September 1, 2021, 8:53pm

Try to play with other flows/bindings and try to identify which flow is executed for ECP request.

glugy · September 1, 2021, 9:26pm

I appreciate your willingness to assist me with this. I should have mentioned that I have tried to either disable authentication all together, or to enforce MFA in the other “default” authentication flows. The Direct Grant, First Broker Login, and Http Challenge are all configured to require MFA. Reset Credentials, Docker Auth, Clients, and Registration don’t allow MFA to be configured, but they’re setup such that an ECP request should fail if it were to use one of them.

jangaraj · September 1, 2021, 10:21pm

Then it sounds like a Keycloak issue. Check Jira for existing issues, eventually open new issue for this problem.

Topic		Replies	Views
Selectively setting MFA based on user location Configuring the server authentication , oidc , saml	2	1561	October 30, 2020
Browserless IdP-initiated SAML login Getting advice authentication , saml	0	106	January 8, 2024
Using Keycloak as IDP for Office365 and SharePoint Online Configuring the server authentication , saml	6	3289	March 22, 2024
KeyCloak with Multiple Office 365 tenants Getting advice	0	1703	October 15, 2019
Keycloak and SAML authncontext authentication , identity-brokering , saml	0	50	March 26, 2024

How to specify authentication flow for SAML ECP profile

Related Topics