How to specify authentication flow for SAML ECP profile

Problem Summary:
I’m using Microsoft Office 365 as a SAML client for Keycloak version 15.02. I’m enforcing MFA for Office 365 sign-ins with an authentication flow. Everything, including MFA, works as expected when I sign into Office 365 using web based authentication. But when I sign into Office 365 using a “legacy” protocol such as IMAP or POP3, the authentication flow assigned to the Office 365 client in Keycloak is ignored, and I can authenticate without the MFA being enforced.

The Office 365 federation metadata includes the following lines that may be relevant:

<AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="" index="0" isDefault="true"/>
<AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" Location="" index="1"/>
<AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS" Location="" index="2"/>

I believe that the last PAOS binding indicates the use of the SAML Enhanced Client or Proxy (ECP) profile which is supported by Keycloak according to the docs.

If my conjecture is correct, is there any way to disable the SAML ECP profile in Keycloak or this particular client? Or is it possible to create an authentication flow that works with the SAML ECP profile?

Separately, are there logs that show which path through the authentication flow a request follows?

Thanks much

How it works, when you change browser flow to MFA flow on the realm level, not on the client level?

For testing, I’ve removed the Authentication Flow Override from the client settings. Now the Office 365 client should be using the standard “Browser” authentication flow. With these settings, I still see the same behavior. With web based logins, the authentication flow is followed, and MFA works properly. But with “legacy” (POP/IMAP) logins, the authentication flow is bypassed, and I’m able to successfully authenticate without MFA. I’ve included a screenshot of the browser authentication flow from which I’m testing.

Thank you!


Try to play with other flows/bindings and try to identify which flow is executed for ECP request.

I appreciate your willingness to assist me with this. I should have mentioned that I have tried to either disable authentication all together, or to enforce MFA in the other “default” authentication flows. The Direct Grant, First Broker Login, and Http Challenge are all configured to require MFA. Reset Credentials, Docker Auth, Clients, and Registration don’t allow MFA to be configured, but they’re setup such that an ECP request should fail if it were to use one of them.

Then it sounds like a Keycloak issue. Check Jira for existing issues, eventually open new issue for this problem.