
Add support for Login MFA #1431

Closed
clintmod opened this issue May 2, 2022 · 7 comments · Fixed by #1620

Comments

@clintmod

clintmod commented May 2, 2022

Add support for the new (1.10) Login MFA feature.

@benashz
Contributor

benashz commented May 2, 2022

Hi @clintmod, just wanted to let you know that we currently have this feature in our back log. We have no ETA on its delivery as of yet. We'll update this issue once we know more.

Thanks,

Ben

@trodemaster

I have attempted to configure this via the vault_generic_endpoint provider. It doesn't seem possible to do the vault write -field via that provider.

```shell
# Creates the Okta Login MFA method and prints only the generated method_id
vault write -field method_id identity/mfa/method/okta org_name="$OKTA_ORG" api_token="$OKTA_TOKEN" base_url="$OKTA_BASE_URL" username_format="{{identity.entity.aliases.${OKTA_AUTH_ACCESSOR}.name}}@company.com"
```

```hcl
# Same write, attempted through the provider's generic endpoint resource
resource "vault_generic_endpoint" "login_mfa" {
  depends_on           = [vault_okta_auth_backend.company]
  path                 = "identity/mfa/method/okta"
  ignore_absent_fields = true

  data_json = <<EOT
{
  "api_token":"${var.OKTA_TOKEN}",
  "base_url":"${var.OKTA_BASE_URL}",
  "org_name":"${var.OKTA_ORG}",
  "username_format":"{{identity.entity.aliases.${vault_okta_auth_backend.company.accessor}.name}}@company.com"
}
EOT
}
```
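One way to get hold of the `method_id` that the `-field` flag above prints, written here as an added example rather than code from this issue or from the provider project: it assumes the `vault_okta_auth_backend.company` resource and `var.OKTA_*` variables from the comment above, relies on the `write_fields` / `write_data` attributes of `vault_generic_endpoint` (which retain selected fields of the write response in state), and goes one step beyond the comment by also creating the login enforcement, since a Login MFA method that is not bound to an auth accessor is never required at login.

```hcl
# Added example, not code from the issue. Assumes vault_okta_auth_backend.company
# and var.OKTA_* exist, and that vault_generic_endpoint supports write_fields/write_data.

# Create the Okta Login MFA method and keep its generated method_id from the
# write response (this is the value `vault write -field method_id ...` prints).
resource "vault_generic_endpoint" "okta_mfa_method" {
  depends_on           = [vault_okta_auth_backend.company]
  path                 = "identity/mfa/method/okta"
  ignore_absent_fields = true

  # Read and delete of a method take the method_id in the path, not this
  # create path, so disable both; retiring the method is done out of band.
  disable_read   = true
  disable_delete = true

  # Retain method_id from the write response so other resources can use it.
  write_fields = ["method_id"]

  # jsonencode avoids hand-quoting the heredoc; the Okta token still lands in
  # Terraform state, so the state backend must be access-controlled and encrypted.
  data_json = jsonencode({
    org_name        = var.OKTA_ORG
    api_token       = var.OKTA_TOKEN
    base_url        = var.OKTA_BASE_URL
    username_format = "{{identity.entity.aliases.${vault_okta_auth_backend.company.accessor}.name}}@company.com"
  })
}

# Bind the method to the Okta auth mount: every login through that accessor
# must now pass the MFA method. Read and delete work at this path, so the
# resource is fully managed.
resource "vault_generic_endpoint" "okta_login_enforcement" {
  path                 = "identity/mfa/login-enforcement/okta"
  ignore_absent_fields = true

  data_json = jsonencode({
    mfa_method_ids        = [vault_generic_endpoint.okta_mfa_method.write_data["method_id"]]
    auth_method_accessors = [vault_okta_auth_backend.company.accessor]
  })
}

output "okta_mfa_method_id" {
  value = vault_generic_endpoint.okta_mfa_method.write_data["method_id"]
}
```

After `terraform apply`, the output exposes the same id the CLI would have printed, and the enforcement resource is what makes the method effective; a method created without one is silently ignored at login, which is worth checking for when auditing an MFA rollout. Because `disable_delete` is set on the method resource, `terraform destroy` removes the enforcement but leaves the method in Vault.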

@clintmod
Author

clintmod commented Aug 2, 2022

Looks like this was implemented in #1395 and released in 3.8.0

@clintmod clintmod closed this as completed Aug 2, 2022
@soerenschneider

@clintmod My understanding of this ticket is to implement support for the (non-enterprise) Login MFA feature that shipped with Vault 1.10.

The PR #1395 you're referring to had been released before you opened this ticket here (20th of April) with version 3.50 and appears to only introduce support for Vault Enterprise MFA.

@clintmod
Author

clintmod commented Aug 4, 2022

@soerenschneider you're right, my bad, reopening.

@clintmod clintmod reopened this Aug 4, 2022
@clintmod
Author

clintmod commented Aug 4, 2022

There's even a note on this page: https://learn.hashicorp.com/tutorials/vault/active-directory-mfa-login-totp?in=vault/secrets-management#prerequisites

NOTE: The Login MFA integration introduced in version 1.10.0 is a new solution, and should not be confused with the legacy open source MFA or Enterprise Step Up MFA solutions. The solution covered in this tutorial is the preferred way to enable MFA for auth methods in all editions of Vault version 1.10.0 or greater.

@benashz
Contributor

benashz commented Aug 4, 2022

Hi, this feature request should be addressed during the Vault 1.12 release time frame. We are targeting the middle of October for the release, so more than likely it will be included in 3.10.0.

5 participants