Configuration for LDAP-based Federation

Configuration for SAML SSO-based Auth

Configuration for 2FA

If using LDAP, the LDAP may need to be set to WRITABLE so that admins can reset users' 2FA configs. This is only needed in the Keycloak config, not in LDAP itself, if the 2FA data is stored in the Keycloak DB.

In Keycloak admin, under the IDHUB realm:

Go to Configure/Authentication.

In Flows

Set OTP Form to Required to enable 2FA with default settings.
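
A check for the setting above, as an added example that is not part of the original page: it walks a flow's execution list and reports when OTP Form is not Required, or is Required but sits inside a Conditional or Disabled sub-flow and so does not apply to every login. The field names follow the execution list Keycloak's admin REST API returns for a flow; the two flows, the helper `ex` and the function `otp_findings` are constructed for illustration.

```python
# Added example. Field names (displayName, providerId, requirement, level,
# authenticationFlow) follow the execution list returned by Keycloak's admin
# REST API for a flow; the two flows below are constructed sample data.

def ex(name, req, level, provider=None):
    """Build one execution entry; entries without a provider are sub-flows."""
    return {"displayName": name, "requirement": req, "level": level,
            "providerId": provider, "authenticationFlow": provider is None}

FLOW_ENFORCED = [
    ex("Cookie", "ALTERNATIVE", 0, "auth-cookie"),
    ex("Forms", "ALTERNATIVE", 0),
    ex("Username Password Form", "REQUIRED", 1, "auth-username-password-form"),
    ex("OTP Form", "REQUIRED", 1, "auth-otp-form"),
]
FLOW_CONDITIONAL = [
    ex("Cookie", "ALTERNATIVE", 0, "auth-cookie"),
    ex("Forms", "ALTERNATIVE", 0),
    ex("Username Password Form", "REQUIRED", 1, "auth-username-password-form"),
    ex("Conditional OTP", "CONDITIONAL", 1),
    ex("Condition - user configured", "REQUIRED", 2, "conditional-user-configured"),
    ex("OTP Form", "REQUIRED", 2, "auth-otp-form"),
]

def otp_findings(executions, otp_provider="auth-otp-form"):
    """Return reasons why OTP is not enforced for every login (empty = OK)."""
    parents = []   # enclosing sub-flows as (level, name, requirement)
    findings, seen = [], False
    for e in executions:
        # Leaving a sub-flow: drop parents at the same or deeper level.
        while parents and parents[-1][0] >= e["level"]:
            parents.pop()
        if e.get("authenticationFlow"):
            parents.append((e["level"], e["displayName"], e["requirement"]))
        elif e.get("providerId") == otp_provider:
            seen = True
            if e["requirement"] != "REQUIRED":
                findings.append(f"OTP Form is {e['requirement']}, not REQUIRED")
            for _, name, req in parents:
                if req in ("CONDITIONAL", "DISABLED"):
                    findings.append(f"enclosing sub-flow '{name}' is {req}")
    if not seen:
        findings.append("flow has no OTP Form execution")
    return findings

if __name__ == "__main__":
    for label, flow in (("enforced", FLOW_ENFORCED), ("conditional", FLOW_CONDITIONAL)):
        print(label, otp_findings(flow) or "OK")
```

An Alternative parent is not flagged because the sample models the form login as an alternative to an existing session cookie; review any other Alternative entries at the same level separately.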