For each SAML client it is possible to send an AuthnRequest message via SOAP with a Basic Authorization header, and Keycloak will successfully authenticate the user for the client without applying the configured authentication flow. The presence of this flow is hidden from the administrator; it is not possible to disable it in the client's configuration in the same way as direct grant, etc. https://issues.redhat.com/browse/KEYCLOAK-19177
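As an added defensive example (not code from the bug report or from Keycloak), the check below scans access-log records from a proxy in front of the server and flags the request shape described above: a POST to a realm's SAML endpoint carrying a Basic Authorization header with a SOAP content type. The record fields and the log sample are constructed; the `/realms/<realm>/protocol/saml` path layout is an assumption about the deployment.

```python
import re

# Assumed Keycloak SAML endpoint layout (with or without the /auth prefix).
SAML_ENDPOINT = re.compile(r"^(/auth)?/realms/[^/]+/protocol/saml/?$")
# Content types under which a SOAP-wrapped AuthnRequest would be posted.
SOAP_CONTENT_TYPES = ("text/xml", "application/soap+xml")


def is_soap_basic_saml_request(rec):
    """True if a record looks like a SOAP AuthnRequest authenticated with Basic auth."""
    if rec.get("method", "").upper() != "POST":
        return False
    if not SAML_ENDPOINT.match(rec.get("path", "")):
        return False
    auth = rec.get("authorization", "")
    if not auth.lower().startswith("basic "):
        return False
    ctype = rec.get("content_type", "").split(";")[0].strip().lower()
    return ctype in SOAP_CONTENT_TYPES


def find_soap_basic_saml_requests(records):
    """Return the subset of records worth reviewing for flow-bypass attempts."""
    return [r for r in records if is_soap_basic_saml_request(r)]


# Constructed sample records (not real log output); credentials are dummies.
SAMPLE_REQUESTS = [
    {"method": "POST", "path": "/auth/realms/demo/protocol/saml",
     "authorization": "Basic dXNlcjpwYXNz", "content_type": "text/xml; charset=utf-8"},
    {"method": "GET", "path": "/auth/realms/demo/protocol/saml",
     "authorization": "", "content_type": ""},
    {"method": "POST", "path": "/auth/realms/demo/protocol/openid-connect/token",
     "authorization": "Basic Y2xpZW50OnNlY3JldA==",
     "content_type": "application/x-www-form-urlencoded"},
    {"method": "POST", "path": "/auth/realms/demo/protocol/saml",
     "authorization": "", "content_type": "application/x-www-form-urlencoded"},
]

if __name__ == "__main__":
    for hit in find_soap_basic_saml_requests(SAMPLE_REQUESTS):
        print("review:", hit["method"], hit["path"], hit["content_type"])
```

Only the first sample record is flagged; the browser-redirect POST and the OIDC token request are left alone.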
The issue can be replicated in RHSSO 7.5, hence I am marking it as affected/fix and creating a tracker.
This issue has been addressed in the following products: Red Hat Single Sign-On 7.5 for RHEL 8, via RHSA-2022:0152 https://access.redhat.com/errata/RHSA-2022:0152
This issue has been addressed in the following products: Red Hat Single Sign-On 7.5 for RHEL 7, via RHSA-2022:0151 https://access.redhat.com/errata/RHSA-2022:0151
This issue has been addressed in the following products: RHSSO 7.5.1, via RHSA-2022:0155 https://access.redhat.com/errata/RHSA-2022:0155
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-3827
This issue has been addressed in the following products: RHEL-8 based Middleware Containers, via RHSA-2022:0164 https://access.redhat.com/errata/RHSA-2022:0164