New question, now that I got past my issues with SAML IdP configuration and checkSsl…
Can someone give me pointers (if it’s possible, even) as to how to configure two-factor / MFA based on client IP address / network?
In other words, can we enable multi-factor for login only if the client is coming from a public IP, versus from within a trusted internal subnet?
If so, links / pointers / steps?
Thanks.
Been digging around and I’m thinking it’s similar to this:
ConditionalOtpFormAuthenticator.java
package org.keycloak.authentication.authenticators.browser;
import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.models.RoleModel;
import org.keycloak.models.UserModel;
import javax.ws.rs.core.MultivaluedMap;
import java.util.List;
import java.util.Map;
import java.util.regex.Pattern;
[file truncated in the original post]
ConditionalOtpFormAuthenticatorFactory.java
package org.keycloak.authentication.authenticators.browser;
import org.keycloak.Config;
import org.keycloak.authentication.Authenticator;
import org.keycloak.authentication.AuthenticatorFactory;
import org.keycloak.models.AuthenticationExecutionModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.KeycloakSessionFactory;
import org.keycloak.models.UserCredentialModel;
import org.keycloak.provider.ProviderConfigProperty;
[file truncated in the original post]
helper.java
// Used in various role mappers
public static RoleModel getRoleFromString(RealmModel realm, String roleName) {
String[] parsedRole = parseRole(roleName);
RoleModel role = null;
if (parsedRole[0] == null) {
role = realm.getRole(parsedRole[1]);
} else {
ClientModel client = realm.getClientByClientId(parsedRole[0]);
if (client != null) {
role = client.getRole(parsedRole[1]);
[file truncated in the original post; more than three files were linked]
If not, please let me know if I’m on the right path, or if there’s an easier alternative already built in (would think this would be a ‘regularly asked for’ feature).
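Added example, not from the original post or from Keycloak itself: the decision logic such a conditional authenticator would need, written as plain Java so it runs without the Keycloak SPI on the classpath. It checks whether the client address falls inside configured trusted CIDR ranges and, because the peer address seen by Keycloak is usually a reverse proxy, resolves the real client from X-Forwarded-For only when the TCP peer is one of the configured proxies (otherwise that header is attacker-supplied and is ignored). The class and method names, the CIDR ranges, proxy addresses and sample requests are all constructed for the example; wiring it into a custom `org.keycloak.authentication.Authenticator` like the factory/authenticator pair quoted above (taking the address from the request connection and skipping or delegating to the OTP step) is left to the reader and is an assumption about that API, not something this thread confirms.

```java
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.ArrayList;
import java.util.List;

/**
 * Decides whether a login must present a second factor based on where the
 * client connects from. Illustrative example, not Keycloak's own code.
 */
public final class TrustedNetworkPolicy {

    /** One CIDR range, e.g. "10.0.0.0/8" or "fd00::/8". */
    public static final class Cidr {
        private final byte[] network;
        private final int prefixLength;

        public Cidr(String notation) throws UnknownHostException {
            String[] parts = notation.split("/", 2);
            this.network = InetAddress.getByName(parts[0]).getAddress();
            int bits = network.length * 8;
            this.prefixLength = parts.length == 2 ? Integer.parseInt(parts[1]) : bits;
            if (prefixLength < 0 || prefixLength > bits) {
                throw new IllegalArgumentException("bad prefix length in " + notation);
            }
        }

        /** True if addr lies inside this range (address families must match). */
        public boolean contains(InetAddress addr) {
            byte[] candidate = addr.getAddress();
            if (candidate.length != network.length) {
                return false; // IPv4 range never contains an IPv6 address, and vice versa
            }
            int fullBytes = prefixLength / 8;
            for (int i = 0; i < fullBytes; i++) {
                if (candidate[i] != network[i]) {
                    return false;
                }
            }
            int remaining = prefixLength % 8;
            if (remaining == 0) {
                return true;
            }
            int mask = (0xFF << (8 - remaining)) & 0xFF; // top `remaining` bits of the partial byte
            return (candidate[fullBytes] & mask) == (network[fullBytes] & mask);
        }
    }

    private final List<Cidr> trustedNetworks = new ArrayList<>();
    private final List<Cidr> trustedProxies = new ArrayList<>();

    public TrustedNetworkPolicy(List<String> trustedNetworks, List<String> trustedProxies)
            throws UnknownHostException {
        for (String c : trustedNetworks) this.trustedNetworks.add(new Cidr(c));
        for (String c : trustedProxies) this.trustedProxies.add(new Cidr(c));
    }

    private static boolean inAny(List<Cidr> ranges, InetAddress addr) {
        for (Cidr c : ranges) {
            if (c.contains(addr)) return true;
        }
        return false;
    }

    /**
     * Works out the real client address. X-Forwarded-For is attacker-supplied
     * unless a trusted reverse proxy rewrote it, so it is consulted only when
     * the TCP peer is one of our proxies; then the rightmost entry that is not
     * itself a trusted proxy is the client.
     */
    public InetAddress resolveClient(String remoteAddr, String xForwardedFor)
            throws UnknownHostException {
        InetAddress peer = InetAddress.getByName(remoteAddr);
        if (xForwardedFor == null || xForwardedFor.isBlank() || !inAny(trustedProxies, peer)) {
            return peer;
        }
        String[] hops = xForwardedFor.split(",");
        for (int i = hops.length - 1; i >= 0; i--) {
            InetAddress hop = InetAddress.getByName(hops[i].trim());
            if (!inAny(trustedProxies, hop)) {
                return hop;
            }
        }
        return peer; // header listed only our own proxies; fall back to the TCP peer
    }

    /** OTP is required for everything outside the trusted networks. */
    public boolean requiresOtp(InetAddress client) {
        return !inAny(trustedNetworks, client);
    }

    public static void main(String[] args) throws UnknownHostException {
        // Constructed sample configuration: two internal subnets, one reverse proxy.
        TrustedNetworkPolicy policy = new TrustedNetworkPolicy(
                List.of("10.0.0.0/8", "192.168.1.0/24"),
                List.of("10.0.0.5/32"));
        // Direct connection from an internal workstation (no proxy in the path).
        System.out.println("internal direct: otp=" + policy.requiresOtp(policy.resolveClient("192.168.1.20", null)));
        // Public client arriving through the trusted proxy.
        System.out.println("public via proxy: otp=" + policy.requiresOtp(policy.resolveClient("10.0.0.5", "203.0.113.7")));
        // Public peer that is not a proxy but sends a forged internal X-Forwarded-For.
        System.out.println("forged header: otp=" + policy.requiresOtp(policy.resolveClient("203.0.113.7", "192.168.1.20")));
    }
}
```

Compile and run with `javac TrustedNetworkPolicy.java && java TrustedNetworkPolicy` (Java 11 or newer, for `String.isBlank` and `List.of`). The quoted ConditionalOtpFormAuthenticator imports `java.util.regex.Pattern` and `MultivaluedMap`, which is consistent with it matching request headers against a configured expression; any rule keyed on a forwarded-address header is only as trustworthy as the proxy that sets that header, which is why the example refuses the header unless the TCP peer is a known proxy.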
Were you able to make MFA based on client IP / subnet work?
I was not, no. (And yes, this is still a want / need, albeit, we’re getting by for now.)