CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2025-12-09 02:32:46 +01:00
Code Issues Packages Projects Releases Wiki Activity

oidc

Browse Source
This commit is contained in:
Jason Ertel
2023-07-27 08:40:27 -04:00
parent b712d505f2
commit aa36e9a785
3 changed files with 7 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
salt/kratos/defaults.yaml
View File

@@ -6,7 +6,7 @@ kratos:
id: SSO
mapper_url: file:///kratos-conf/oidc.jsonnet
subject_source: userinfo
scopes:
scope:
- email
- profile
requested_claims:

8
salt/kratos/soc_kratos.yaml
View File

@@ -6,7 +6,7 @@ kratos:
oidc:
enabled:
description: Set to True to enable OIDC / Single Sign-On (SSO) into SOC. Requires a valid Security Onion license key.
description: Set to True to enable OIDC / Single Sign-On (SSO) to SOC. Requires a valid Security Onion license key.
global: True
helpLink: oidc.html
config:
@@ -104,7 +104,7 @@ kratos:
methods:
password:
enabled:
description: Set to True to enable traditional password authentication. Leave as default to ensure proper security protections remain in place.
description: Set to True to enable traditional password authentication to SOC. Typically set to true, except when exclusively using OIDC authentication.
global: True
advanced: True
helpLink: kratos.html
@@ -115,7 +115,7 @@ kratos:
helpLink: kratos.html
totp:
enabled:
description: Set to True to enable Time-based One-Time Password (TOTP) multi-factor authentication (MFA). Enable to ensure proper security protections remain in place. Be aware that disabling this setting, after users have already setup TOTP, may prevent users from logging in.
description: Set to True to enable Time-based One-Time Password (TOTP) multi-factor authentication (MFA) to SOC. Enable to ensure proper security protections remain in place. Be aware that disabling this setting, after users have already setup TOTP, may prevent users from logging in.
global: True
helpLink: kratos.html
config:
@@ -126,7 +126,7 @@ kratos:
helpLink: kratos.html
webauthn:
enabled:
description: Set to True to enable Security Keys (WebAuthn / PassKeys) for passwordless or multi-factor authentication (MFA) logins. Security Keys are a Public-Key Infrastructure (PKI) based authentication method, typically involving biometric hardware devices, such as laptop fingerprint scanners and USB hardware keys. Be aware that disabling this setting, after users have already setup their accounts with Security Keys, may prevent users from logging in.
description: Set to True to enable Security Keys (WebAuthn / PassKeys) for passwordless or multi-factor authentication (MFA) SOC logins. Security Keys are a Public-Key Infrastructure (PKI) based authentication method, typically involving biometric hardware devices, such as laptop fingerprint scanners and USB hardware keys. Be aware that disabling this setting, after users have already setup their accounts with Security Keys, may prevent users from logging in.
global: True
helpLink: kratos.html
config:

4
salt/manager/tools/sbin/so-user
View File

@@ -235,8 +235,8 @@ function updatePassword() {
# Update DB with new hash
echo "update identity_credentials set config=CAST('{\"hashed_password\":\"$passwordHash\"}' as BLOB), created_at=datetime('now'), updated_at=datetime('now') where identity_id='${identityId}' and identity_credential_type_id=(select id from identity_credential_types where name='password');" | sqlite3 -cmd ".timeout ${databaseTimeout}" "$databasePath"
# Deactivate MFA
echo "delete from identity_credential_identifiers where identity_credential_id=(select id from identity_credentials where identity_id='${identityId}' and identity_credential_type_id=(select id from identity_credential_types where name in ('totp', 'webauthn')));" | sqlite3 -cmd ".timeout ${databaseTimeout}" "$databasePath"
echo "delete from identity_credentials where identity_id='${identityId}' and identity_credential_type_id=(select id from identity_credential_types where name in ('totp', 'webauthn'));" | sqlite3 -cmd ".timeout ${databaseTimeout}" "$databasePath"
echo "delete from identity_credential_identifiers where identity_credential_id=(select id from identity_credentials where identity_id='${identityId}' and identity_credential_type_id=(select id from identity_credential_types where name in ('totp', 'webauthn', 'oidc')));" | sqlite3 -cmd ".timeout ${databaseTimeout}" "$databasePath"
echo "delete from identity_credentials where identity_id='${identityId}' and identity_credential_type_id=(select id from identity_credential_types where name in ('totp', 'webauthn', 'oidc'));" | sqlite3 -cmd ".timeout ${databaseTimeout}" "$databasePath"
[[ $? != 0 ]] && fail "Unable to update password"
fi
}