Problem Summary:
I’m using Microsoft Office 365 as a SAML client for Keycloak version 15.02. I’m enforcing MFA for Office 365 sign-ins with an authentication flow. Everything, including MFA, works as expected when I sign into Office 365 using web-based authentication. But when I sign into Office 365 using a “legacy” protocol such as IMAP or POP3, the authentication flow assigned to the Office 365 client in Keycloak is ignored, and I can authenticate without MFA being enforced.
The Office 365 federation metadata includes the following lines that may be relevant:
<AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://login.microsoftonline.com/login.srf" index="0" isDefault="true"/>
<AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" Location="https://login.microsoftonline.com/login.srf" index="1"/>
<AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS" Location="https://login.microsoftonline.com/login.srf" index="2"/>
I believe that the last PAOS binding indicates the use of the SAML Enhanced Client or Proxy (ECP) profile, which is supported by Keycloak according to the docs.
If my conjecture is correct, is there any way to disable the SAML ECP profile in Keycloak or this particular client? Or is it possible to create an authentication flow that works with the SAML ECP profile?
Separately, are there logs that show which path through the authentication flow a request follows?
Thanks much
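Added example (not part of the original post, and not Keycloak's or Microsoft's code): two checks a practitioner would want while investigating the question above. The first parses SP metadata and reports every AssertionConsumerService, flagging the PAOS binding that the ECP profile uses. The second classifies an inbound HTTP request as an ECP request from its headers: the SAML 2.0 ECP profile requires the client to send an Accept header containing application/vnd.paos+xml and a PAOS header carrying the PAOS version URI and the ECP profile URI, which is what a browser-based SSO request never sends. The metadata below is a constructed fragment with a placeholder entityID (urn:example:sp), mirroring the three ACS elements quoted in the question rather than the real federation metadata; the idea of applying the header check at a reverse proxy in front of the IdP is an assumption about the deployment, not something the post establishes about Keycloak.

```python
import xml.etree.ElementTree as ET

SAML_MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
PAOS_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:PAOS"
# Identifiers from the SAML 2.0 ECP profile and the Liberty PAOS binding.
ECP_PROFILE = "urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"
PAOS_VERSION = "urn:liberty:paos:2003-08"
PAOS_MIME = "application/vnd.paos+xml"

# Constructed SP metadata fragment (placeholder entityID, not the real
# Office 365 federation metadata). It carries the same three
# AssertionConsumerService elements quoted in the question.
SAMPLE_SP_METADATA = f"""<md:EntityDescriptor xmlns:md="{SAML_MD_NS}" entityID="urn:example:sp">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://login.microsoftonline.com/login.srf" index="0" isDefault="true"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign"
        Location="https://login.microsoftonline.com/login.srf" index="1"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS"
        Location="https://login.microsoftonline.com/login.srf" index="2"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def acs_endpoints(metadata_xml):
    """Return every AssertionConsumerService in the SP metadata as
    (binding, location, index, is_default) tuples, in document order."""
    root = ET.fromstring(metadata_xml)
    tag = f"{{{SAML_MD_NS}}}AssertionConsumerService"
    endpoints = []
    for acs in root.iter(tag):
        endpoints.append((
            acs.get("Binding"),
            acs.get("Location"),
            int(acs.get("index", "0")),
            acs.get("isDefault", "false").lower() == "true",
        ))
    return endpoints


def sp_advertises_ecp(metadata_xml):
    """True if the SP publishes a PAOS ACS, i.e. it can consume responses
    delivered through the ECP profile (non-browser clients)."""
    return any(binding == PAOS_BINDING
               for binding, _, _, _ in acs_endpoints(metadata_xml))


def is_ecp_request(headers):
    """Classify an inbound request to the IdP's SAML endpoint.

    An ECP client must advertise PAOS in Accept and send a PAOS header that
    names both the PAOS version and the ECP profile URI. Header names are
    matched case-insensitively, as HTTP requires."""
    lowered = {name.lower(): value for name, value in headers.items()}
    accept = lowered.get("accept", "")
    paos = lowered.get("paos", "")
    return (PAOS_MIME in accept
            and PAOS_VERSION in paos
            and ECP_PROFILE in paos)


def ecp_policy_decision(headers, ecp_allowed):
    """Hypothetical proxy rule: 'reject' ECP requests unless the client is
    explicitly allowed to use ECP, otherwise 'allow'."""
    if is_ecp_request(headers) and not ecp_allowed:
        return "reject"
    return "allow"


if __name__ == "__main__":
    for binding, location, index, default in acs_endpoints(SAMPLE_SP_METADATA):
        flag = " <- ECP/PAOS" if binding == PAOS_BINDING else ""
        print(f"[{index}] {binding} -> {location} default={default}{flag}")

    # Constructed headers as an ECP client would send them.
    ecp_headers = {
        "Accept": "text/html; q=0.5, " + PAOS_MIME,
        "PAOS": f'ver="{PAOS_VERSION}";"{ECP_PROFILE}"',
    }
    print("ECP request:", is_ecp_request(ecp_headers),
          "->", ecp_policy_decision(ecp_headers, ecp_allowed=False))
```

The header test is the cheap way to tell the two paths apart at the edge: a browser redirect to the SAML endpoint carries neither header, so a proxy or WAF can refuse PAOS-bearing requests for a client that should only ever authenticate through a browser, independently of how the IdP's authentication flow is configured. The metadata check answers the narrower question of whether the SP even advertises an ECP-capable ACS, which is what the quoted index="2" entry does.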