MFA based on client IP / subnet

teverson · January 30, 2020, 1:36pm

New question, now that I got past my issues with SAML IdP configuration and checkSsl…

Can someone give me pointers (if it’s possible, even) as to how to configure two-factor / MFA based on client IP address / network?

In other words, can we enable multi-factor for login only if the client is coming from a public IP, versus from within a trusted internal subnet?

If so, links / pointers / steps?

Thanks.

teverson · January 30, 2020, 3:35pm

Been digging around and I’m thinking it’s similar to this:

gist.github.com

https://gist.github.com/thomasdarimont/ad3aa0e36d33d067dba2

ConditionalOtpFormAuthenticator.java

package org.keycloak.authentication.authenticators.browser;

import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.models.RoleModel;
import org.keycloak.models.UserModel;

import javax.ws.rs.core.MultivaluedMap;
import java.util.List;
import java.util.Map;
import java.util.regex.Pattern;

This file has been truncated. show original

ConditionalOtpFormAuthenticatorFactory.java

package org.keycloak.authentication.authenticators.browser;

import org.keycloak.Config;
import org.keycloak.authentication.Authenticator;
import org.keycloak.authentication.AuthenticatorFactory;
import org.keycloak.models.AuthenticationExecutionModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.KeycloakSessionFactory;
import org.keycloak.models.UserCredentialModel;
import org.keycloak.provider.ProviderConfigProperty;

This file has been truncated. show original

helper.java

    // Used in various role mappers
    public static RoleModel getRoleFromString(RealmModel realm, String roleName) {
        String[] parsedRole = parseRole(roleName);
        RoleModel role = null;
        if (parsedRole[0] == null) {
            role = realm.getRole(parsedRole[1]);
        } else {
            ClientModel client = realm.getClientByClientId(parsedRole[0]);
            if (client != null) {
                role = client.getRole(parsedRole[1]);

This file has been truncated. show original

There are more than three files. show original

If not, please let me know if I’m on the right path, or if there’s an easier alternative already built in (would think this would be a ‘regularly asked for’ feature.

jsalatiel · June 1, 2020, 10:50pm

Were you able to make MFA based on client IP / subnet work ?

teverson · June 2, 2020, 12:44pm

I was not, no. (And yes, this is still a want / need, albeit, we’re getting by for now.)

Nikos410 · January 17, 2023, 6:26am

Hey, sorry for bumping this old thread.

I’ve opened a Pull Request implementing that feature: Add ConditionalAuthenticator based on the client IP address by Nikos410 · Pull Request #16453 · keycloak/keycloak · GitHub

Topic		Replies	Views
Selectively setting MFA based on user location Configuring the server authentication , oidc , saml	2	1561	October 30, 2020
Setup SAML2 Client Configuring the server identity-brokering , saml	0	345	November 17, 2020
How to specify authentication flow for SAML ECP profile Getting advice authentication , saml	5	1166	September 1, 2021
Conditional IdP Redirector or custom username followed by password login screens? Configuring the server	2	2454	April 6, 2021
SAML based Client- group Based Authentication Configuring the server	2	458	June 17, 2021

MFA based on client IP / subnet

Related Topics