feat: webauthn and mfa everywhere#380

Merged
chance-coleman merged 10 commits into main from webauthn-mfa
Mar 28, 2025

Conversation

@chance-coleman chance-coleman commented Mar 19, 2025

Description

This PR adds support for configuring WebAuthn MFA for x509 (CAC) users. Historically, our implementation assumed that when a user authenticated with x509, no further authentication (e.g., OTP or passkey) was necessary. However, feedback from certain environments indicated a requirement for MFA even for x509 users.

Key Changes

  • Conditional MFA for x509 Users:
    We’ve introduced conditional logic in our custom registration validation plugin. This logic now allows administrators to optionally require MFA (via OTP and/or WebAuthn Register Passwordless) for x509 users. The new behavior is controlled via the environment variable X509_MFA_ENABLED. When enabled (set to true), the plugin adds the required actions for OTP and WebAuthn even for x509 users; otherwise, it applies these only to local (username/password) users.

  • Environment Variable Mapping:
    The new configuration settings are mapped in the same manner as our existing realm and theme environment variables. For example, the following variables in our values.yaml/uds-bundle.yaml are now available:

    • X509_MFA_ENABLED: Controls whether x509 users must complete additional MFA.
    • OTP_ENABLED, WEBAUTHN_ENABLED, and the derived MFA_FLOW_ENABLED remain in place to allow flexible MFA configuration.
  • Backward Compatibility:
    By default, the new behavior is disabled (i.e. X509_MFA_ENABLED=false) to ensure that existing deployments do not break. Administrators can enable it as needed for environments with stricter security requirements.

uds-core PR that needs to merge first

Testing

  1. To set up our testing we need to make some manual changes first: comment out this line in the tasks file: https://github.com/defenseunicorns/uds-identity-config/blob/main/tasks.yaml#L111
  2. Then, in the uds-identity-config directory, we need to clone in uds-core and check out the correct branch with the changes in uds-core for this PR: git clone https://github.com/defenseunicorns/uds-core.git && cd uds-core && git checkout webauthn-mfa && cd ../
  3. Now we should have the default use case of this new implementation, and we can run uds run uds-core-integration-tests to get everything running.
  4. Once everything has come up, verify that everything looks/feels/works as it used to (there should be no changes by default).
  5. Now, to test the new variables and WebAuthn flows, change the new variables in the bundle in different combinations and see if anything breaks. For detailed docs on different configurations see this PR's dev/doc update (see the common configurations section at the very bottom).
  6. After changes to the bundle, build and deploy again (it may be beneficial to comment out the Cypress tests from the uds-core-integration-tests task as well as the monitoring bundle definition to speed things up).
  7. There shouldn't be any admin portal configurations, so accessing sso.uds.dev should present any changes made.

Happy to pair on this and walk through it live

Related Issue

Fixes #236

Type of change

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Other (security config, docs update, etc)

Checklist before merging

@chance-coleman chance-coleman marked this pull request as ready for review March 20, 2025 14:53
@chance-coleman chance-coleman requested a review from a team as a code owner March 20, 2025 14:53
slaskawi previously approved these changes Mar 26, 2025
@slaskawi slaskawi left a comment

The PR LGTM with one small question inlined in the text.

I managed to get this working on macOS using Touch ID. Seems like a great MFA approach!

@mjnagel mjnagel left a comment

One more general comment just to make sure it's present here somewhere: This currently only adds webauthn support as an additional authentication factor. Users will need to have a separate "primary" auth factor (user/pass or x509) as well. While we could add support for "webauthn only" auth, we don't currently see the need for that; this could be reevaluated and supported if the need arose, though.
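The gating described in the PR description (X509_MFA_ENABLED deciding whether x509 users receive the OTP / WebAuthn required actions, with local users always receiving them) and the "second factor only" constraint noted in the comment above, as an added example that models the decision in Python. This is not the uds-identity-config plugin's code. It assumes the plugin's choice reduces to the boolean table below, that OTP_ENABLED and WEBAUTHN_ENABLED gate their respective required actions, that the derived MFA_FLOW_ENABLED is simply "at least one MFA method enabled", and that the Keycloak required-action aliases are the stock CONFIGURE_TOTP and webauthn-register-passwordless; all of those are assumptions, not facts taken from the PR.

```python
"""Model of the conditional-MFA decision described in uds-identity-config PR #380.

Added example; NOT the plugin's code. Assumptions (not stated on the PR page):
  * OTP_ENABLED / WEBAUTHN_ENABLED gate their respective required actions.
  * MFA_FLOW_ENABLED is derived as "any MFA method enabled".
  * The required-action aliases are Keycloak's stock CONFIGURE_TOTP and
    webauthn-register-passwordless.
"""
from dataclasses import dataclass
from itertools import product

# Required-action aliases (assumed; see module docstring).
CONFIGURE_TOTP = "CONFIGURE_TOTP"
WEBAUTHN_REGISTER_PASSWORDLESS = "webauthn-register-passwordless"

# WebAuthn is only ever a *second* factor in this design: a user must already
# hold one of these primary factors before any MFA required action applies.
PRIMARY_FACTORS = ("local", "x509")


@dataclass(frozen=True)
class MfaConfig:
    otp_enabled: bool = False
    webauthn_enabled: bool = False
    x509_mfa_enabled: bool = False  # default off: x509 users keep old behaviour

    @classmethod
    def from_env(cls, env: dict) -> "MfaConfig":
        """Parse the env-var style the PR uses ("true"/"false"); unset means false."""
        def flag(name: str) -> bool:
            return env.get(name, "false").strip().lower() == "true"
        return cls(flag("OTP_ENABLED"), flag("WEBAUTHN_ENABLED"), flag("X509_MFA_ENABLED"))

    @property
    def mfa_flow_enabled(self) -> bool:
        # Assumed derivation: the MFA browser flow is needed iff a method is on.
        return self.otp_enabled or self.webauthn_enabled


def required_actions(cfg: MfaConfig, primary_factor: str) -> tuple:
    """Required actions a newly validated user receives, given how they authenticated."""
    if primary_factor not in PRIMARY_FACTORS:
        # "webauthn only" is deliberately unsupported: no primary factor, no account.
        raise ValueError(f"unsupported primary factor: {primary_factor!r}")
    # x509 users are exempt unless the administrator opted them in.
    if primary_factor == "x509" and not cfg.x509_mfa_enabled:
        return ()
    actions = []
    if cfg.otp_enabled:
        actions.append(CONFIGURE_TOTP)
    if cfg.webauthn_enabled:
        actions.append(WEBAUTHN_REGISTER_PASSWORDLESS)
    return tuple(actions)


def backward_compatible(cfg: MfaConfig) -> bool:
    """Invariant from the PR: with X509_MFA_ENABLED off, x509 users see no new actions."""
    return cfg.x509_mfa_enabled or required_actions(cfg, "x509") == ()


def decision_table() -> list:
    """All 8 flag combinations with the actions each primary factor receives."""
    rows = []
    for otp, webauthn, x509_mfa in product((False, True), repeat=3):
        cfg = MfaConfig(otp, webauthn, x509_mfa)
        rows.append((cfg, required_actions(cfg, "local"), required_actions(cfg, "x509")))
    return rows


if __name__ == "__main__":
    print(f"{'OTP':>5} {'WEBAUTHN':>9} {'X509_MFA':>9} {'FLOW':>5} | local -> x509")
    for cfg, local, x509 in decision_table():
        print(f"{str(cfg.otp_enabled):>5} {str(cfg.webauthn_enabled):>9} "
              f"{str(cfg.x509_mfa_enabled):>9} {str(cfg.mfa_flow_enabled):>5} | "
              f"{list(local)} -> {list(x509)}")
```

Running the module prints the full decision table, which is the artifact a reviewer would want next to the bundle values when checking a deployment: every row with X509_MFA_ENABLED=false leaves the x509 column empty, so the default configuration cannot change behaviour for existing CAC users.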

slaskawi previously approved these changes Mar 27, 2025
chance-coleman added a commit to defenseunicorns/uds-core that referenced this pull request Mar 27, 2025
## Description
Related PR to the [uds-identity-config
PR](defenseunicorns/uds-identity-config#380).
This allows for new templated values to be passed in to the identity
config for configuring webauthn MFA as well as MFA for everywhere ( x509
included).

## Related Issue

Related: [uds-identity-config
PR](defenseunicorns/uds-identity-config#380)
Related:
[Issue](defenseunicorns/uds-identity-config#236)

## Type of change

- [ ] Bug fix (non-breaking change which fixes an issue)
- [x] New feature (non-breaking change which adds functionality)
- [ ] Other (security config, docs update, etc)

## Steps to Validate
- Not much to verify here other than deploying uds-core and making sure
that new values are present in the keycloak realm secret. Additional
testing steps are present in the identity-config PR.

## Checklist before merging

- [x] Test, docs, adr added or updated as needed
- [x] [Contributor
Guide](https://github.com/defenseunicorns/uds-template-capability/blob/main/CONTRIBUTING.md)
followed
@chance-coleman chance-coleman merged commit aaf0d39 into main Mar 28, 2025
11 checks passed
mjnagel pushed a commit to BagelLab/uds-core that referenced this pull request Nov 14, 2025

Development

Successfully merging this pull request may close these issues.

Add Biometric / WebAuthn Enrollment and Authentication
