How to configure step-up authentication when using an external IDP as the second factor?

Solution Verified


Step-up authentication works as expected when OTP is used as the second condition. In this case, the access token has its ACR value set to level 2.

However, when the second condition is an external IDP, the ACR value remains at level 1, although it should have been set to level 2.


  • Red Hat Single Sign-On (RH-SSO)
    • 7.x
  • Step-up Authentication
  • Access Token ACR value
  • External IDP
