We are using Keycloak as an identity broker to different IdPs. We would like to implement different classes of authentication; for example, authentication with a passport (eID) has the highest confidence level (reliability), while authentication with other methods has a medium confidence level. Each client within the realm accepts authentication with a high confidence level. Some clients also accept authentication with a medium confidence level.
If a user is logged in with a medium confidence level and calls an application that needs a high confidence level, then after this application's authentication request the user should be asked to log in again with an authentication method of high confidence level.
Is it possible to implement this behavior with Keycloak, and if so, how?
I have read this post: Keycloak - Identity providers and clients - Stack Overflow
But here I did not see any reason for not using different realms.
We want a person who is logged on with a high confidence level to be able to use any application, whereas a person who is logged on with a medium confidence level can only access certain clients within the SSO session and has to log in with a higher confidence level for the other clients.
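As an added example (not from the post and not Keycloak's own code), this is how a relying party could enforce the per-client level and trigger a step-up: it assumes the IdP puts the reached level in the ID token's `acr` claim and honours `acr_values` plus an essential `acr` in the OIDC `claims` parameter, which is how Keycloak's step-up authentication feature works; the level names, client IDs and URLs are constructed.

```python
import json
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed values (assumed names, not from the post): "high" is the eID/passport
# level, "medium" the other IdPs. A higher rank means higher confidence.
LOA_RANK = {"medium": 1, "high": 2}

# Per-client minimum level: every client accepts "high", only some accept "medium".
CLIENT_MIN_LOA = {"portal": "medium", "tax-filing": "high"}


def token_level(claims: dict) -> int:
    """Rank of the 'acr' claim of an already signature-verified ID token.
    Missing or unknown values rank 0, so an unexpected level never passes."""
    return LOA_RANK.get(claims.get("acr"), 0)


def required_level(client_id: str) -> str:
    """Fail closed: a client without an explicit entry requires the highest level."""
    return CLIENT_MIN_LOA.get(client_id, "high")


def acr_is_sufficient(claims: dict, client_id: str) -> bool:
    return token_level(claims) >= LOA_RANK[required_level(client_id)]


def build_step_up_request(authorize_url, client_id, redirect_uri, state, required_acr):
    """Authorization request asking the IdP to re-authenticate at `required_acr`.
    prompt=login forces a fresh login instead of reusing the medium-level SSO session;
    the essential acr in `claims` makes the IdP satisfy the level or fail, rather than
    silently returning the level the session already has."""
    params = {
        "response_type": "code", "client_id": client_id, "redirect_uri": redirect_uri,
        "scope": "openid", "state": state, "prompt": "login",
        "acr_values": required_acr,
        "claims": json.dumps({"id_token": {"acr": {"essential": True, "values": [required_acr]}}}),
    }
    return f"{authorize_url}?{urlencode(params)}"


def authorize(claims, client_id, authorize_url, redirect_uri, state):
    """Return ("allow", None) or ("step_up", <redirect URL>) for this request."""
    if acr_is_sufficient(claims, client_id):
        return ("allow", None)
    url = build_step_up_request(authorize_url, client_id, redirect_uri, state,
                                required_level(client_id))
    return ("step_up", url)


def returned_acr_matches(claims: dict, required_acr: str) -> bool:
    """On the callback, check that the new token really carries the requested level."""
    return token_level(claims) >= LOA_RANK.get(required_acr, 99)


def request_params(url: str) -> dict:
    """Flatten the query string of a built request (used when inspecting it)."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
```

The same check must run again on the callback (`returned_acr_matches`), because the client, not the IdP, is the party that finally decides whether the returned level is enough for that application.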