Skip MFA in case of IDP users (Keycloak v26)

I have the below setup

My application -> Keycloak -> IDP

Now I want to skip MFA for IDP users.

Currently, when a new user logs in on the Keycloak user console, the user can set up the OTP by scanning the QR code, and since I have a condition on the 2FA flow, it will only execute if either the recovery codes or the OTP is configured.

Therefore, if I can restrict my IDP users from logging in on the user console, then I can achieve this, since they won't be able to configure the QR code or the recovery codes.

Why would you want to strip the users from the choice to make their account more secure?

If your users use an external IdP, the regular browser auth flow is not used by this user. Once they are redirected to the external IdP, the browser flow is finished. When they come back to Keycloak from the IdP, the browser flow will not be continued. Unless you have configured a so-called post login flow to be used with the external IdP, your users are just being logged in to Keycloak.
So, even if they configured an OTP in Keycloak, they simply wouldn't use it.
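A small audit of which identity providers actually have a post-login flow attached, added here as an example and not part of the thread; it assumes the Admin REST API's identity-provider instances endpoint and its postBrokerLoginFlowAlias field, and the sample JSON, aliases and environment variable names are constructed.

```python
import json
import os
import urllib.request

# Constructed sample of what GET /admin/realms/{realm}/identity-provider/instances
# returns for two brokered IdPs (placeholder aliases, not from the thread).
SAMPLE_IDPS = json.loads("""
[
  {"alias": "corp-saml", "enabled": true,
   "firstBrokerLoginFlowAlias": "first broker login",
   "postBrokerLoginFlowAlias": ""},
  {"alias": "partner-oidc", "enabled": true,
   "firstBrokerLoginFlowAlias": "first broker login",
   "postBrokerLoginFlowAlias": "post-broker-2fa"}
]
""")


def audit_post_broker_flows(idps):
    """Return {alias: flow_or_None} for every enabled IdP.

    None means the browser flow ends at the redirect and no post-login flow
    runs when the user returns, so a conditional OTP step in the browser flow
    is never reached for that IdP's users (the behaviour the reply describes).
    """
    result = {}
    for idp in idps:
        if not idp.get("enabled", True):
            continue
        result[idp["alias"]] = idp.get("postBrokerLoginFlowAlias") or None
    return result


def fetch_idps(base_url, realm, token):
    """Fetch IdP instances from the Admin REST API with a bearer token that
    has realm admin rights; only used when the environment variables are set."""
    url = f"{base_url}/admin/realms/{realm}/identity-provider/instances"
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


if __name__ == "__main__":
    env = os.environ
    if all(k in env for k in ("KEYCLOAK_URL", "KEYCLOAK_REALM", "KEYCLOAK_TOKEN")):
        idps = fetch_idps(env["KEYCLOAK_URL"], env["KEYCLOAK_REALM"], env["KEYCLOAK_TOKEN"])
    else:
        idps = SAMPLE_IDPS  # offline: use the constructed sample
    for alias, flow in audit_post_broker_flows(idps).items():
        print(f"{alias}: " + (f"post-login flow '{flow}' runs" if flow else "no post-login flow, OTP never prompted"))
```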