Managing different confidence levels - not any IdP accepted by any client

gutschalk · October 17, 2023, 1:49pm

We are using keycloak as identity broker to different IdPs. We would like to implement different classes of authentication, for example authentication with passport (eID) has the highest confidence level (reliability) authentication with other methods have medium confidence level. Each client within the realm accepts authentication with high confidence level. Some clients also accept authentication with medium confidence level.
If a user is logged in with medium confidence level and calls an application which needs high confidence level, after an authentication request of this application the user should be requested to login again with a method of authentication with high confidence level.

Is it possible to implement this behavior with keycloak and if so how?

If have read this post :Keycloak - Identity providers and clients - Stack Overflow
But here I did not see any reason for not using different realms.
We want, that a person who is logged on with high confidence level can use any application whereas a person who is logged on with medium confidence level can only access certain clients within the SSO session and has to login with higher confidence level for the other clients.

embesozzi · October 17, 2023, 2:21pm

Keycloak supports the use of Authentication Context Class Reference (ACR), which is related to the Level of Authentication (LoA). It also supports step-up authentication, enabling web applications and APIs to require users to authenticate with a stronger mechanism when accessing sensitive resources.
You can find more information about mapping ACR to LoA in the Keycloak official documentation and in the OIDC standard that describes that.

Additionally, I have written an article which you may find useful.

Related to your last question, the application can force re-authentication even when the IdP considers that a user is authenticated to an acceptable level. In the OpenID Connect standard, this is done with the optional parameter prompt=login.

gutschalk · October 18, 2023, 3:49pm

Thank for the fast answer. We will dive into this solution in a few weeks.

Topic		Replies	Views
Multiple IDPs using RSA signed JWTs in one realm authentication , identity-brokering , oidc	0	392	March 21, 2022
Configuring an Identity Provider with Implicit Flow Configuring the server identity-brokering , oidc	12	9903	January 6, 2023
Support for oAuth2.0 identity provider Securing applications	7	1512	February 5, 2023
Configure allowed providers per client Getting advice	5	1156	June 23, 2020
Using Keycloak with several OIDC providers and several authorization services Getting advice authentication , ldap , oidc	0	384	October 6, 2021

Managing different confidence levels - not any IdP accepted by any client

Related Topics