Don't want to type the OTP from PI when logging in using Keycloak

I used the privacyIDEA plugin with Keycloak, and it works fine.
The current configuration is:
When I log in to my application using Keycloak and enter the username and password, Keycloak redirects me to a page to enter the OTP from privacyIDEA; when I enter the OTP and click Login, it logs me in to my application normally.

Now, I need to do this scenario:
I do not want the user to type the one-time password. I need Keycloak to verify the OTP for the user against privacyIDEA and perform the authentication together, without the user typing the OTP. How can I do that?

I do not understand what you are trying to achieve. Can you rephrase it?


I'm using the privacyIDEA plugin with Keycloak, and everything works fine.
The current usage of our Keycloak is as follows:
I have a Zulp application. When I want to log in to it, I use Keycloak (Image No. 1) with SAML. It redirects me to the Keycloak interface to enter the username and password (Image No. 2). After writing the username and password and pressing Login, it redirects me directly to another page to enter the privacyIDEA OTP code (Image No. 3); after writing the code and pressing Login, I log in to Zulp successfully.

Now, I need to do this scenario:
I do not want the user to write the OTP code as in Image No. 3. I want Keycloak to verify the privacyIDEA code automatically and perform the authentication together, without the user writing the OTP code. How can I do that? I want the steps to be only Image 1 and Image 2, after which it will automatically verify the user without requesting an OTP code.

Image (1):

So if I understand you correctly, you want the systems "Keycloak" and "privacyIDEA" to interact with each other without user interaction?

Then stop using privacyIDEA :wink:

The 2nd factor is meant to authenticate the user. So the login process needs an additional interaction with the user.

If you want to get rid of the interaction with the user, 2FA is not the correct scenario you are looking for.

Yes, exactly, and to clarify further: I want to keep the user verification in privacyIDEA as a 2FA, but I want Keycloak to verify the user in privacyIDEA. If the user exists in privacyIDEA and has an activated token, the login will succeed without the need for the user to enter an OTP code.

So, what suitable scenario can you suggest for me?

You said what you want to do. Why do you want to do this?
But you should ask yourself, what you actually want to achieve.

So actually you want to manage access rights: a user is allowed to use Keycloak or not.
Authentication of the user is simply done using his (LDAP?) password.
This sounds more like authorization than like two-factor authentication.