In my use-case we are using a SAML client to log in on our application. Everything works fine without MFA credentials being stored and used. We are testing adding both OTP and WebAuthN as MFA options. The OTP flow works fine to register and sign-in. The SAML assertions are built and passed through just like in our flows without MFA.
However, using WebAuthN does not seem to work for some reason. Requiring a user to set up WebAuthN on login works fine as this is just the registration process. The SAML assertions are built and passed successfully after username/password entry and WebAuthN registration.
Upon trying to use the WebAuthN credential on the subsequent sign-in the SAML assertion fails to fully build, resulting in our system erroring out.
The SAML assertion when intercepted shows:
<samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder">
        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:RequestDenied" />
    </samlp:StatusCode>
</samlp:Status>
With the Keycloak error stating things like error="rejected_by_user" and web_authn_authentication_error="webauthn-error-user-not-found":
2025-03-27 04:06:31,233 WARN [org.keycloak.events] (executor-thread-80) type="LOGIN_ERROR", realmId="8e87efd9-21cb-4031-adb3-0b79c4d47ce3", clientId="realm-saml", userId="null", ipAddress="", error="rejected_by_user", credential_type="webauthn", auth_method="saml", web_authn_authentication_error="webauthn-error-user-not-found", web_authn_authenticated_user_id="9fbd91c5-9487-45ee-86ce-a5ecf825b047", redirect_uri="https://serverName/login/saml2/sso/realm-saml", code_id="c8cd6152-df20-4da5-a766-960fa8dda353"
The error above doesn’t exactly make sense, though, given we completed the WebAuthN check, so it was not technically “rejected_by_user”, and the user with that ID does exist, as I just got past the username and password section successfully for that user.
This is the basic test flow we are using with just WebAuthN in the browser flow. Note: we have also tried removing the role condition check and just having username/password with the next step being an enforced WebAuthN check, and this has the same issue.
We have tried different forms of WebAuthN and setting the Relying Party ID and Name to our frontend URL base host name but those did not help.
If anyone has some insight it would be appreciated.
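As an added triage example (not part of the post above and not Keycloak's own code), the following Python pairs the two artifacts quoted in the post: it walks the nested samlp:StatusCode chain of the SAML response and parses the key="value" pairs of the Keycloak LOGIN_ERROR event line, using the values from the post as constructed sample input.

```python
"""Triage helpers for a WebAuthn/SAML LOGIN_ERROR in Keycloak (added example)."""
from __future__ import annotations
import re
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"

# Constructed sample: the <samlp:Status> block quoted in the post, with the
# samlp namespace declared so it parses stand-alone.
SAML_STATUS = f"""<samlp:Status xmlns:samlp="{SAMLP}">
  <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder">
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:RequestDenied" />
  </samlp:StatusCode>
</samlp:Status>"""

# Constructed sample: the Keycloak event line quoted in the post (same values).
EVENT_LINE = (
    '2025-03-27 04:06:31,233 WARN [org.keycloak.events] (executor-thread-80) '
    'type="LOGIN_ERROR", realmId="8e87efd9-21cb-4031-adb3-0b79c4d47ce3", '
    'clientId="realm-saml", userId="null", ipAddress="", error="rejected_by_user", '
    'credential_type="webauthn", auth_method="saml", '
    'web_authn_authentication_error="webauthn-error-user-not-found", '
    'web_authn_authenticated_user_id="9fbd91c5-9487-45ee-86ce-a5ecf825b047"'
)

KV_RE = re.compile(r'(\w+)="([^"]*)"')  # Keycloak event fields are key="value"


def saml_status_codes(xml_text: str) -> list[str]:
    """Return the StatusCode chain outermost first, as short names.
    The top level (Responder) only says the IdP failed; the nested code
    (RequestDenied) carries the actual reason."""
    node = ET.fromstring(xml_text).find(f"{{{SAMLP}}}StatusCode")
    codes = []
    while node is not None:
        codes.append(node.get("Value", "").rsplit(":", 1)[-1])
        node = node.find(f"{{{SAMLP}}}StatusCode")
    return codes


def parse_event(line: str) -> dict[str, str]:
    """Turn one org.keycloak.events line into a field dictionary."""
    return dict(KV_RE.findall(line))


def diagnose(event: dict[str, str], codes: list[str]) -> dict[str, object]:
    """Join both artifacts into one record for the incident/ticket."""
    return {
        "saml_reason": codes[1] if len(codes) > 1 else (codes[0] if codes else None),
        "keycloak_error": event.get("error"),
        "webauthn_error": event.get("web_authn_authentication_error"),
        # Session user unresolved (userId="null") although the authenticator
        # did resolve a user id from the credential: the mismatch in the post.
        "session_user_unresolved": event.get("userId") == "null",
        "credential_user_id": event.get("web_authn_authenticated_user_id"),
    }
```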