diff --git a/docs/dev/authentication-flow-toggle-maps.md b/docs/dev/authentication-flow-toggle-maps.md index 29a8a828..c0c10d7b 100644 --- a/docs/dev/authentication-flow-toggle-maps.md +++ b/docs/dev/authentication-flow-toggle-maps.md @@ -10,7 +10,7 @@ See the [Authentication Flow Customization](../reference/UDS%20Core/IdAM/authent | [X509_LOGIN_ENABLED](https://github.com/defenseunicorns/uds-core/blob/main/src/keycloak/chart/templates/secret-kc-realm.yaml#L22) | Control whether X509 ( CAC ) Login block is included on the login and registration pages. | `true`(default), `false`| | [USERNAME_PASSWORD_AUTH_ENABLED](https://github.com/defenseunicorns/uds-core/blob/main/src/keycloak/chart/templates/secret-kc-realm.yaml#L23) | Control whether Username Password Login block is included on the login and registration pages. This will also control the realm configuration for updating passwords or setting a new password from users account management. | `true`(default), `false`| | [REGISTER_BUTTON_ENABLED](https://github.com/defenseunicorns/uds-core/blob/main/src/keycloak/chart/templates/secret-kc-realm.yaml#L24) | Control whether the register button is included on the login page. | `true`(default), `false`| -| [WEBAUTHN_ENABLED](https://github.com/defenseunicorns/uds-core/blob/main/src/keycloak/chart/templates/secret-kc-realm.yaml#L24) | Control whether the `WebAuthn Passwordless Authenticator` pop-up shows the register new user. This can already be assumed since the WebAuthn is configured as an MFA. | `true`, `false`(default) | +| [WEBAUTHN_ENABLED](https://github.com/defenseunicorns/uds-core/blob/main/src/keycloak/chart/templates/secret-kc-realm.yaml#L30) | Control whether the `WebAuthn Authenticator` pop-up shows the register new user. This can already be assumed since the WebAuthn is configured as an MFA. This also controls whether a user can delete a credential or not. | `true`, `false`(default) | ### Realm Configuration Definitions | Setting | Description | Options | 
@@ -19,12 +19,13 @@ See the [Authentication Flow Customization](../reference/UDS%20Core/IdAM/authent | [RESET_CREDENTIAL_FLOW_ENABLED](https://github.com/defenseunicorns/uds-core/blob/main/src/keycloak/chart/templates/secret-kc-realm.yaml#L26) | Control whether a the Reset Credential Auth Flow can be reached by user to reset or set their password. | `REQUIRED`(default), `DISABLED` | | [REGISTRATION_FORM_ENABLED](https://github.com/defenseunicorns/uds-core/blob/main/src/keycloak/chart/templates/secret-kc-realm.yaml#L27) | Control whether the registration form can be reached for a new registration. | `REQUIRED`(default), `DISABLED` | | [OTP_ENABLED](https://github.com/defenseunicorns/uds-core/blob/main/src/keycloak/chart/templates/secret-kc-realm.yaml#L28) | Control whether One Time Password is allowed. | `true`(default), `false` | -| [OTP_FLOW_ENABLED](https://github.com/defenseunicorns/uds-core/blob/main/src/keycloak/chart/templates/secret-kc-realm.yaml#L28) | Control whether the OTP is required as an MFA method. | `REQUIRED`(default), `DISABLED` | -| [WEBAUTHN_ENABLED](https://github.com/defenseunicorns/uds-core/blob/main/src/keycloak/chart/templates/secret-kc-realm.yaml#L24) | Control whether the `WebAuthn Register Passwordless` required action is enabled. | `true`, `false`(default) | -| [WEBAUTHN_FLOW_ENABLED](https://github.com/defenseunicorns/uds-core/blob/main/src/keycloak/chart/templates/secret-kc-realm.yaml#L24) | Control whether the `WebAuthn Register Passwordless` required action is enabled. | `REQUIRED`, `DISABLED`(default) | -| [X509_MFA_ENABLED](https://github.com/defenseunicorns/uds-core/blob/main/src/keycloak/chart/templates/secret-kc-realm.yaml#L24) | Control whether X509 Authentication flows can also require MFA. This configuration is used in the custom `Registration Validation` plugin. 
| `true`, `false`(default) | -| [X509_MFA_FLOW_ENABLED](https://github.com/defenseunicorns/uds-core/blob/main/src/keycloak/chart/templates/secret-kc-realm.yaml#L24) | Control whether X509 Authentication flows require MFA. This is needed so that X509 MFA can be configured seperately from Username/Password MFA. | `REQUIRED`, `DISABLED`(default) | -| [MFA_FLOW_ENABLED](https://github.com/defenseunicorns/uds-core/blob/main/src/keycloak/chart/templates/secret-kc-realm.yaml#L24) | Control whether the `MFA` authentication is required. | `REQUIRED`(default), `DISABLED` | +| [OTP_FLOW_ENABLED](https://github.com/defenseunicorns/uds-core/blob/main/src/keycloak/chart/templates/secret-kc-realm.yaml#L29) | Control whether the OTP is required as an MFA method. | `REQUIRED`(default), `DISABLED` | +| [WEBAUTHN_ENABLED](https://github.com/defenseunicorns/uds-core/blob/main/src/keycloak/chart/templates/secret-kc-realm.yaml#L30) | Control whether the `WebAuthn Register` required action is enabled. | `true`, `false`(default) | +| [WEBAUTHN_FLOW_ENABLED](https://github.com/defenseunicorns/uds-core/blob/main/src/keycloak/chart/templates/secret-kc-realm.yaml#L31) | Control whether the `WebAuthn Register` required action is enabled. | `REQUIRED`, `DISABLED`(default) | +| [X509_MFA_ENABLED](https://github.com/defenseunicorns/uds-core/blob/main/src/keycloak/chart/templates/secret-kc-realm.yaml#L32) | Control whether X509 Authentication flows can also require MFA. This configuration is used in the custom `Registration Validation` plugin. | `true`, `false`(default) | +| [X509_MFA_FLOW_ENABLED](https://github.com/defenseunicorns/uds-core/blob/main/src/keycloak/chart/templates/secret-kc-realm.yaml#L33) | Control whether X509 Authentication flows require MFA. This is needed so that X509 MFA can be configured seperately from Username/Password MFA. 
| `REQUIRED`, `DISABLED`(default) | +| [MFA_ENABLED](https://github.com/defenseunicorns/uds-core/blob/main/src/keycloak/chart/templates/secret-kc-realm.yaml#L34) | Control whether the `MFA` authentication is required. | `true`(default), `false` | +| [MFA_FLOW_ENABLED](https://github.com/defenseunicorns/uds-core/blob/main/src/keycloak/chart/templates/secret-kc-realm.yaml#L35) | Control whether the `MFA` authentication is required. | `REQUIRED`(default), `DISABLED` | ### Common Configurations diff --git a/docs/reference/UDS Core/IdAM/upgrading-versions.md b/docs/reference/UDS Core/IdAM/upgrading-versions.md index 96cb3fa0..84a6bff8 100644 --- a/docs/reference/UDS Core/IdAM/upgrading-versions.md +++ b/docs/reference/UDS Core/IdAM/upgrading-versions.md @@ -78,6 +78,7 @@ If wanting to configure the MFA everywhere with both OTP and WebAuthn options, t - Enable the following `Required Actions`, only toggle the `Enabled` **DO NOT TOGGLE** `Set as default action`: - `Configure OTP` - `Webauthn Register` + - `Delete Credential` - Disable the `WebAuthn Register Passwordless`, make sure this is **not** the `WebAuthn Register` option ( this one should be enabled ) 3. The `UDS Authentication` authentication flow has undergone significant changes. - Click `Authentication` tab from left side menu diff --git a/src/realm.json b/src/realm.json index edc28f50..52efe258 100644 --- a/src/realm.json +++ b/src/realm.json @@ -3194,6 +3194,15 @@ "defaultAction": false, "priority": 1003, "config": {} + }, + { + "alias": "delete_credential", + "name": "Delete Credential", + "providerId": "delete_credential", + "enabled": "${MFA_ENABLED:false}", + "defaultAction": false, + "priority": 1006, + "config": {} } ], "browserFlow": "UDS Authentication", diff --git a/src/test/cypress/realm.json b/src/test/cypress/realm.json index cdc0feb1..1634f130 100644 --- a/src/test/cypress/realm.json +++ b/src/test/cypress/realm.json 
@@ -3227,6 +3227,15 @@ "defaultAction": false, "priority": 1003, "config": {} + }, + { + "alias": "delete_credential", + "name": "Delete Credential", + "providerId": "delete_credential", + "enabled": "${MFA_ENABLED:false}", + "defaultAction": false, + "priority": 1006, + "config": {} } ], "browserFlow": "UDS Authentication",
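Review bot: in the first docs hunk of docs/dev/authentication-flow-toggle-maps.md (the WEBAUTHN_ENABLED row), the new sentence "This also controls whether a user can delete a credential or not" contradicts the realm change in this same diff, where the `delete_credential` required action is gated on `${MFA_ENABLED:false}`, not on WEBAUTHN_ENABLED. Either move that sentence to the MFA_ENABLED row or change the realm gate to `${WEBAUTHN_ENABLED:false}`; whichever is intended, the docs and realm.json should name the same variable, because an operator reading this table to decide which toggle lets users remove a second factor will otherwise flip the wrong one. The opening sentence also reads badly ("pop-up shows the register new user"); something like "Control whether the `WebAuthn Authenticator` pop-up is shown to newly registering users" would be clearer.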
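Review bot: in the second docs hunk (the realm configuration table), the new MFA_ENABLED row and the existing MFA_FLOW_ENABLED row carry the identical description "Control whether the `MFA` authentication is required", and the same duplication exists between WEBAUTHN_ENABLED and WEBAUTHN_FLOW_ENABLED ("Control whether the `WebAuthn Register` required action is enabled"); a reader cannot tell from the table which one to set. Judging by the value sets, the `_FLOW_` variants (`REQUIRED`/`DISABLED`) set the execution requirement inside the authentication flow while the `true`/`false` ones enable the required action, so say that, and for MFA_ENABLED state concretely that it enables the `Delete Credential` required action, which is what realm.json in this diff uses it for. Two smaller points: the table lists `true`(default) for MFA_ENABLED while the realm placeholder falls back to `false` when the variable is unset, so note that the chart secret is expected to always set it; and the typo "seperately" in the X509_MFA_FLOW_ENABLED row survived the rewrite of that line.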
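Review bot: in the upgrading-versions.md hunk, adding `Delete Credential` to the list of required actions to enable is consistent with the realm gate (it is on when MFA is on), but the step gives no reason and no caveat. Worth one clause: enabling it lets a user remove their own OTP or WebAuthn credential from account management, so it only belongs with the MFA-everywhere configuration this section describes, where the `Configure OTP` / `Webauthn Register` required actions listed just above and a REQUIRED MFA flow (MFA_FLOW_ENABLED in the toggle table) re-prompt enrollment at the next login instead of leaving the account with a single factor. The list heading already says to toggle only `Enabled` and not `Set as default action`; that applies to this new entry too and matches `"defaultAction": false` in realm.json.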
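Review bot: in the src/realm.json hunk, `"enabled": "${MFA_ENABLED:false}"` ties credential deletion to MFA_ENABLED while the toggle-maps doc in this same diff attributes it to WEBAUTHN_ENABLED; pick one and make both files agree. Beyond naming, the security effect deserves a sentence in the docs rather than in the JSON: `delete_credential` is what lets a user strip a second factor from their own account, so with MFA_ENABLED=true the realm is relying on the browser flow's MFA executions being REQUIRED to re-enroll a user who has deleted their only OTP/WebAuthn credential; an operator who sets MFA_ENABLED=true together with MFA_FLOW_ENABLED=DISABLED ends up with password-only accounts after a deletion. The `priority` of 1006 also jumps past the 1003 visible in context; fine if 1004 and 1005 are taken by entries outside the hunk, otherwise it leaves an unexplained gap.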
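Review bot: in the src/test/cypress/realm.json hunk, the fixture mirrors src/realm.json exactly, but no cypress spec in this diff exercises the new required action. Since the change is user-facing (a credential can now be deleted from account management when MFA is on), add a spec that logs in a user holding an OTP or WebAuthn credential, deletes it, and asserts that the next login re-prompts enrollment, plus a negative case asserting the delete control is absent when MFA_ENABLED=false. Maintaining two copies of the realm JSON also invites drift; if the test realm differs from src/realm.json in only a few fields, generating it from the source file would remove the need to patch both.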