Hi,
I’m totally confused with the conditional flow… I’m looking to make a conditional flow where Keycloak has to decide which MFA to use, GAuth or SMS, or skip MFA entirely.
The base flow I want is:
- If the user is in the OTP_SMS role, then use SMS MFA
- If the user is in the OTP_DISABLED role, then skip
- For all others, use GAuth
I tried different flow combinations unsuccessfully… I also had trouble with “Conditional OTP Form” for the disabled role, so I created a provider for “User not in role”.
The first flow I did was the one in pic-1, but it didn’t accomplish what I wanted; the issues were:
- The SMS flow is executed, but then the user is asked for the GAuth OTP
- If a user has no OTP configured and doesn’t belong to any of the exception roles, he’s not asked to configure OTP and instead is logged in successfully…
This is the latest flow I came up with… and it has several issues:
- The SMS flow is executed even if the user is not in the OTP_SMS role!
- Users that must use GAuth are only prompted for the SMS code!
- Users in OTP_DISABLED are prompted for GAuth configuration…
Turning on debug mode shows that the “User IN Role” condition is not even executed: the flow goes directly from auth-username-password-form to sms-authenticator without executing the condition…
Any help would be appreciated.