Selectively setting MFA based on user location

Greetings, I would like some feedback on a Keycloak setting, based on specific requirements from my company:

  • We have an intranet where users access applications (deployed inside or outside our company) using only their credentials (username/password). They can only use this environment via VPN (or directly connected to our corporate network, which is no longer the usual scenario after COVID).
  • Those users can also access those applications on the internet, without the VPN - but in this case a TOTP is also required, so they need their mobile device properly set up.

We created distinct Keycloak clusters for this setting. They serve the same server name on the intranet and the internet, and were configured with the same certificates, realms and clients (the Internet Realm requires MFA). We are using SAML 2.0 and it works fine.

But with this setting we cannot use OIDC (which is our preference) for apps deployed in the cloud, as the backchannel calls are not valid for intranet users (they would authenticate in our internal IDP, but the SP would call back our external IDP for validation).

We are trying to evaluate other possibilities to circumvent this issue: for instance, setting up a single cluster only in the cloud that would require MFA based on user location - is that feasible? Other suggestions?

Just found a possible setting, by customising Browser Flow (in Authentication) and using Conditional OTP Form. It provides the option to force or skip OTPs based on HTTP headers (which can be used to detect if users are coming from intranet).
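As an added illustration (not code from the thread or from the Keycloak project), the script below models the decision the Conditional OTP Form makes when its "Force OTP for HTTP Header" and "Skip OTP for HTTP Header" patterns are set, and shows the check a practitioner wants before relying on it: the header that marks a request as "intranet" must be set by the trusted reverse proxy in front of Keycloak and any client-supplied copy must be dropped, otherwise a browser on the internet can simply send the header itself. The header name `X-Intranet-Client`, the intranet ranges and the sample addresses are constructed for this example; the matching rule (a regex matched against each request header rendered as `Name: value`, force checked before skip, then the default) follows the Keycloak documentation for this authenticator and is an assumption about the version in use.

```python
"""Model of Keycloak's Conditional OTP Form header rules plus the trusted-proxy step.

Example code for the thread above, not Keycloak's own implementation.
Assumed: header name, network ranges and the regex-per-"Name: value" rule.
"""
import ipaddress
import re

# Constructed values for the example (not from the thread).
MARKER_HEADER = "X-Intranet-Client"
INTRANET_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Patterns as they would be typed into the Conditional OTP Form configuration.
SKIP_OTP_HEADER_PATTERN = r"X-Intranet-Client: yes"
FORCE_OTP_HEADER_PATTERN = r"X-Intranet-Client: no"


def otp_decision(headers, skip_pattern, force_pattern, default="force"):
    """Return 'skip' or 'force' for one request's headers.

    Assumed rule (per the Keycloak docs): each header is rendered as
    "Name: value" and the whole string is matched against the pattern;
    a force match wins over a skip match; otherwise the default applies.
    """
    rendered = [f"{name.strip()}: {value.strip()}" for name, value in headers.items()]
    if any(re.fullmatch(force_pattern, line, re.DOTALL) for line in rendered):
        return "force"
    if any(re.fullmatch(skip_pattern, line, re.DOTALL) for line in rendered):
        return "skip"
    return default


def proxy_ingress(client_ip, client_headers):
    """What the reverse proxy in front of Keycloak should do.

    Drop any copy of the marker header the client sent (header names are
    case-insensitive), then set it from the source address the proxy saw
    on the connection, so Keycloak only ever sees the proxy's own value.
    """
    forwarded = {
        name: value
        for name, value in client_headers.items()
        if name.lower() != MARKER_HEADER.lower()
    }
    addr = ipaddress.ip_address(client_ip)
    on_intranet = any(addr in net for net in INTRANET_NETWORKS)
    forwarded[MARKER_HEADER] = "yes" if on_intranet else "no"
    return forwarded


def decision_for(client_ip, client_headers, proxy_normalises=True):
    """End-to-end decision for a request arriving from client_ip.

    proxy_normalises=False models an ingress that forwards the client's
    headers unchanged, which is the misconfiguration to test for.
    """
    headers = proxy_ingress(client_ip, client_headers) if proxy_normalises else dict(client_headers)
    return otp_decision(headers, SKIP_OTP_HEADER_PATTERN, FORCE_OTP_HEADER_PATTERN)


if __name__ == "__main__":
    # Constructed sample requests: VPN/intranet address vs. internet address.
    print("intranet client        :", decision_for("10.1.2.3", {"User-Agent": "browser"}))
    print("internet client        :", decision_for("203.0.113.7", {"User-Agent": "browser"}))
    print("internet + fake header :", decision_for("203.0.113.7", {MARKER_HEADER: "yes"}))
    print("same, proxy not stripping:", decision_for("203.0.113.7", {MARKER_HEADER: "yes"}, proxy_normalises=False))
```

The last two lines are the check worth running against a real deployment: with the proxy overwriting the header, an internet client that sends `X-Intranet-Client: yes` still gets `force`; if the ingress forwards headers untouched, the same request gets `skip`, and the "location" condition is worthless. The same applies if the pattern is keyed on `X-Forwarded-For` as the Keycloak docs suggest: that header is only trustworthy when the proxy replaces, rather than appends to, whatever the client sent.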

I’m trying to do this. The goal is to ask for the OTPs just for new devices (login on a different computer), but I didn’t find a way to add or configure the HTTP headers. Initially, I tried to use Cookie as required but it didn’t work.