TOTP Conditional on Composite role does not prompt for TOTP

I am trying to build a custom Browser Authentication flow where the conditional TOTP is based on a single composite role. This is so that we can define realm roles that require MFA by including them in a top level composite role, let’s call it mfa_enabled.

Let’s say we have role ADMIN, SUPPORT, and USER. Where ADMIN and SUPPORT require MFA but USER does not. Given this I created a composite role named “mfa_enabled” which has included roles of ADMIN and SUPPORT.

However, I noticed a few issues when trying to do this that maybe someone can help with.

1. Existing users who have ADMIN and SUPPORT roles do not have the “mfa_enabled” composite role on them and requesting roles via the API does not return it. Why do composite roles not show up retroactively or at all?
2. Setting the required role for TOTP in the browser flow as “mfa_enabled” does not show the setup of TOTP on users that have ADMIN and SUPPORT. But changing it to require TOTP on the ADMIN role to test does bring up the setup TOTP. Is this because the user does not have the composite role on it or it this because this flow just does not work with composite roles?

Any help would be appreciated.

I think you mixed up how a composite role is created and how it works.
Not the mfa_enabled role must contain ADMIN and SUPPORT, but vice-versa. The roles ADMIN and SUPPORT have each to contain mfa_enabled as an associated role. This way, a user having the role ADMIN inherits also the role mfa_enabled.

Wow yes I definitely mixed this up. Thank you for helping clarify this. I went back and added mfa_enabled as an associated role inside ADMIN and SUPPORT. Now TOTP on the condition of having the mfa_enabled role works as expected.
Thank you @dasniko .