Issue with conditional flow and RBAC. Condition is being ignored or skipped

Hi there, I posted in a chain on another thread but maybe starting a new topic might help.

I am utilising a SAML-based browser flow for authorisation and single sign-on. This works like a charm, no problem. I go from my application, GitHub in this instance, and am redirected to my realm at Keycloak. I select the IdP that I have set up and log in successfully.

I now would like to add an additional step to allow some RBAC-based rules for access, i.e. if a user does not have a certain role then deny access. I followed this step-by-step tutorial to create a conditional flow:

https://www.keycloak.org/docs/latest/server_admin/#explicitly-deny-allow-access-in-conditional-flows

However, no matter whether the user has the role or not, login is successful. It seems that the final new conditions added in are not evaluated and are skipped entirely.

I have checked that the authentication flow override is set up correctly by disabling steps and the SSO flow fails entirely. This confirms that my client is correctly linked to the new flow.
It seems like it should be fairly straightforward, so I’m assuming I’ve missed something simple.

Any help would be greatly appreciated.

Thanks,
Rob

Just a quick bump to see if there is anyone who can help.

Thanks.