Keycloak: enable 2FA for various groups

Hello,

some time ago I activated 2FA for the group “Domain Admins” as described under 4. Configuration — Univention Keycloak app manual 26.3.1

$ univention-keycloak 2fa enable --group-2fa "Domain Admins"

As far as I remember that worked without problems.

Now I wanted to activate it for the group “Domain Users”:

$ univention-keycloak 2fa enable --group-2fa "Domain Users"

Then I get:

Enabling 2FA ...
Using KC_URL: https://sso.mydomain.de/
Group already exists
Group already exists
Deleted:  2fa-browser
Traceback (most recent call last):
  File "/usr/sbin/univention-keycloak", line 3450, in <module>
    sys.exit(main())
             ^^^^^^
  File "/usr/sbin/univention-keycloak", line 3446, in main
    return opt.func(opt) or 0
           ^^^^^^^^^^^^^
  File "/usr/sbin/univention-keycloak", line 2705, in enable_2fa
    create_conditional_2fa_flow(opt, kc_admin, opt.realm, realm_2fa_role, flow_name)
  File "/usr/sbin/univention-keycloak", line 2940, in create_conditional_2fa_flow
    kc_admin.create_authentication_flow_execution(payload=payload, flow_alias=master_subflow)
  File "/usr/lib/python3/dist-packages/keycloak/keycloak_admin.py", line 3184, in create_authentication_flow_execution
    return raise_error_from_response(data_raw, KeycloakPostError, expected_codes=[201])
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/keycloak/exceptions.py", line 192, in raise_error_from_response
    raise error(

Probably that’s not expected.

After this I can see that in the Keycloak console the group “Domain Users” has the entry “2FA role” in “Role Mappings”. But nevertheless, something seems to be broken.

Regards

Hey @abockhold

I understood that you want to enable “Domain Admins” and “Domain Users” at the same time for 2FA within UCS. But the current implementation allows only one group for 2FA. So you have these options:

  1. If you plan to change 2FA from one group to another, then deactivate the 2FA first, as outlined in the documentation: 4. Configuration — Univention Keycloak app manual 26.3.1

  2. To work around this problem, I suggest having just one group, for example “force-2fa”, and adding all users who want and really expect 2FA to it.

Note: For Nubus on Kubernetes we have the same problem and propose to delete the old flow in Keycloak (see Bug 58462)
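The answer above boils down to two pieces of realm state that `univention-keycloak 2fa enable` does not tolerate: a leftover `2fa-browser` flow from a previous run, and the `2FA role` already being mapped to a different group. The following pre-flight check is an added example written for this thread; it is not part of the forum posts or of Univention's tooling. It audits both conditions on plain dictionaries (so it runs offline on the constructed sample below, which mirrors the situation in the first post) and includes a small helper that collects the same two inputs from a live realm with the python-keycloak `KeycloakAdmin` methods `get_authentication_flows()`, `get_groups()` and `get_group_realm_roles()`. The flow alias and role name are taken from the post; everything else (function names, the sample data) is an assumption made for the example.

```python
"""Pre-flight audit before running `univention-keycloak 2fa enable --group-2fa <group>`.

Added example for the forum thread above; not Univention code.
Assumptions: the flow alias "2fa-browser" and the realm role "2FA role"
(both visible in the first post) are what the tool creates; the
python-keycloak calls in fetch_state() are only exercised against a live realm.
"""
from __future__ import annotations

from typing import Any

FLOW_ALIAS = "2fa-browser"   # flow the tool deletes/recreates (seen as "Deleted:  2fa-browser")
ROLE_NAME = "2FA role"       # realm role the tool maps onto the chosen group


def audit_2fa_state(
    flows: list[dict[str, Any]],
    group_roles: dict[str, list[dict[str, Any]]],
    target_group: str,
) -> dict[str, Any]:
    """Return which leftovers would make `2fa enable` for target_group unsafe.

    flows        -> list of authentication-flow representations (need key "alias")
    group_roles  -> mapping group name -> list of realm-role representations (need key "name")
    """
    flow_present = any(f.get("alias") == FLOW_ALIAS for f in flows)
    groups_with_role = sorted(
        name for name, roles in group_roles.items()
        if any(r.get("name") == ROLE_NAME for r in roles)
    )
    problems: list[str] = []
    if flow_present:
        problems.append(
            f"flow {FLOW_ALIAS!r} already exists: run the documented 2FA deactivation "
            f"(or delete the flow) before enabling again"
        )
    other_groups = [g for g in groups_with_role if g != target_group]
    if other_groups:
        problems.append(
            f"role {ROLE_NAME!r} is already mapped to {other_groups}: the tool supports "
            f"only one 2FA group, so use a single group (e.g. a dedicated 'force-2fa')"
        )
    return {
        "flow_present": flow_present,
        "groups_with_role": groups_with_role,
        "problems": problems,
        "safe_to_enable": not problems,
    }


def fetch_state(kc_admin) -> tuple[list[dict[str, Any]], dict[str, list[dict[str, Any]]]]:
    """Collect the two inputs from a live realm via python-keycloak's KeycloakAdmin.

    Not executed offline. get_groups() returns top-level groups only; nested
    groups would need a recursive walk, which UCS-synced flat groups do not need.
    """
    flows = kc_admin.get_authentication_flows()
    group_roles = {g["name"]: kc_admin.get_group_realm_roles(g["id"]) for g in kc_admin.get_groups()}
    return flows, group_roles


# Constructed sample (assumption): the realm as it looked after the failed second run
# in the first post, with "Domain Admins" already enabled and "Domain Users" half-applied.
SAMPLE_FLOWS = [{"alias": "browser"}, {"alias": FLOW_ALIAS}, {"alias": "direct grant"}]
SAMPLE_GROUP_ROLES = {
    "Domain Admins": [{"name": ROLE_NAME}],
    "Domain Users": [{"name": ROLE_NAME}],
    "force-2fa": [],
}

# Constructed sample (assumption): the same realm after the documented deactivation,
# i.e. flow removed and the role unmapped, ready for a single dedicated group.
CLEAN_FLOWS = [{"alias": "browser"}, {"alias": "direct grant"}]
CLEAN_GROUP_ROLES = {"Domain Admins": [], "Domain Users": [], "force-2fa": []}


if __name__ == "__main__":
    for label, flows, roles, target in (
        ("broken realm", SAMPLE_FLOWS, SAMPLE_GROUP_ROLES, "Domain Users"),
        ("clean realm", CLEAN_FLOWS, CLEAN_GROUP_ROLES, "force-2fa"),
    ):
        result = audit_2fa_state(flows, roles, target)
        print(f"{label}: safe_to_enable={result['safe_to_enable']}")
        for p in result["problems"]:
            print("  -", p)
```

Run it against a live realm by replacing the sample data with `fetch_state(KeycloakAdmin(...))`; if `problems` is empty you are in the state the documentation expects before `2fa enable`, otherwise follow the deactivation steps first rather than re-running enable, which (as the traceback shows) deletes the flow and then fails half-way.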

Thanks for your in-depth answer! Maybe you should add the current restriction of activating it on at most one group to the (besides this very good) documentation?!

What can I do to make it function again now? Just delete the added “2FA role” on all groups and start from the beginning?

Or could I delete the “2FA role” on all groups and use the “standard Keycloak” ways to activate 2FA, too?