mirror of
https://github.com/Security-Onion-Solutions/securityonion.git
synced 2025-12-11 19:52:51 +01:00
oidc
This commit is contained in:
Jason Ertel
@@ -6,7 +6,7 @@ kratos:
|
|||||||
id: SSO
|
id: SSO
|
||||||
mapper_url: file:///kratos-conf/oidc.jsonnet
|
mapper_url: file:///kratos-conf/oidc.jsonnet
|
||||||
subject_source: userinfo
|
subject_source: userinfo
|
||||||
scopes:
|
scope:
|
||||||
- email
|
- email
|
||||||
- profile
|
- profile
|
||||||
requested_claims:
|
requested_claims:
|
||||||
|
|||||||
@@ -6,7 +6,7 @@ kratos:
|
|||||||
|
|
||||||
oidc:
|
oidc:
|
||||||
enabled:
|
enabled:
|
||||||
description: Set to True to enable OIDC / Single Sign-On (SSO) into SOC. Requires a valid Security Onion license key.
|
description: Set to True to enable OIDC / Single Sign-On (SSO) to SOC. Requires a valid Security Onion license key.
|
||||||
global: True
|
global: True
|
||||||
helpLink: oidc.html
|
helpLink: oidc.html
|
||||||
config:
|
config:
|
||||||
@@ -104,7 +104,7 @@ kratos:
|
|||||||
methods:
|
methods:
|
||||||
password:
|
password:
|
||||||
enabled:
|
enabled:
|
||||||
description: Set to True to enable traditional password authentication. Leave as default to ensure proper security protections remain in place.
|
description: Set to True to enable traditional password authentication to SOC. Typically set to true, except when exclusively using OIDC authentication.
|
||||||
global: True
|
global: True
|
||||||
advanced: True
|
advanced: True
|
||||||
helpLink: kratos.html
|
helpLink: kratos.html
|
||||||
@@ -115,7 +115,7 @@ kratos:
|
|||||||
helpLink: kratos.html
|
helpLink: kratos.html
|
||||||
totp:
|
totp:
|
||||||
enabled:
|
enabled:
|
||||||
description: Set to True to enable Time-based One-Time Password (TOTP) multi-factor authentication (MFA). Enable to ensure proper security protections remain in place. Be aware that disabling this setting, after users have already setup TOTP, may prevent users from logging in.
|
description: Set to True to enable Time-based One-Time Password (TOTP) multi-factor authentication (MFA) to SOC. Enable to ensure proper security protections remain in place. Be aware that disabling this setting, after users have already setup TOTP, may prevent users from logging in.
|
||||||
global: True
|
global: True
|
||||||
helpLink: kratos.html
|
helpLink: kratos.html
|
||||||
config:
|
config:
|
||||||
@@ -126,7 +126,7 @@ kratos:
|
|||||||
helpLink: kratos.html
|
helpLink: kratos.html
|
||||||
webauthn:
|
webauthn:
|
||||||
enabled:
|
enabled:
|
||||||
description: Set to True to enable Security Keys (WebAuthn / PassKeys) for passwordless or multi-factor authentication (MFA) logins. Security Keys are a Public-Key Infrastructure (PKI) based authentication method, typically involving biometric hardware devices, such as laptop fingerprint scanners and USB hardware keys. Be aware that disabling this setting, after users have already setup their accounts with Security Keys, may prevent users from logging in.
|
description: Set to True to enable Security Keys (WebAuthn / PassKeys) for passwordless or multi-factor authentication (MFA) SOC logins. Security Keys are a Public-Key Infrastructure (PKI) based authentication method, typically involving biometric hardware devices, such as laptop fingerprint scanners and USB hardware keys. Be aware that disabling this setting, after users have already setup their accounts with Security Keys, may prevent users from logging in.
|
||||||
global: True
|
global: True
|
||||||
helpLink: kratos.html
|
helpLink: kratos.html
|
||||||
config:
|
config:
|
||||||
|
|||||||
@@ -235,8 +235,8 @@ function updatePassword() {
|
|||||||
# Update DB with new hash
|
# Update DB with new hash
|
||||||
echo "update identity_credentials set config=CAST('{\"hashed_password\":\"$passwordHash\"}' as BLOB), created_at=datetime('now'), updated_at=datetime('now') where identity_id='${identityId}' and identity_credential_type_id=(select id from identity_credential_types where name='password');" | sqlite3 -cmd ".timeout ${databaseTimeout}" "$databasePath"
|
echo "update identity_credentials set config=CAST('{\"hashed_password\":\"$passwordHash\"}' as BLOB), created_at=datetime('now'), updated_at=datetime('now') where identity_id='${identityId}' and identity_credential_type_id=(select id from identity_credential_types where name='password');" | sqlite3 -cmd ".timeout ${databaseTimeout}" "$databasePath"
|
||||||
# Deactivate MFA
|
# Deactivate MFA
|
||||||
echo "delete from identity_credential_identifiers where identity_credential_id=(select id from identity_credentials where identity_id='${identityId}' and identity_credential_type_id=(select id from identity_credential_types where name in ('totp', 'webauthn')));" | sqlite3 -cmd ".timeout ${databaseTimeout}" "$databasePath"
|
echo "delete from identity_credential_identifiers where identity_credential_id=(select id from identity_credentials where identity_id='${identityId}' and identity_credential_type_id=(select id from identity_credential_types where name in ('totp', 'webauthn', 'oidc')));" | sqlite3 -cmd ".timeout ${databaseTimeout}" "$databasePath"
|
||||||
echo "delete from identity_credentials where identity_id='${identityId}' and identity_credential_type_id=(select id from identity_credential_types where name in ('totp', 'webauthn'));" | sqlite3 -cmd ".timeout ${databaseTimeout}" "$databasePath"
|
echo "delete from identity_credentials where identity_id='${identityId}' and identity_credential_type_id=(select id from identity_credential_types where name in ('totp', 'webauthn', 'oidc'));" | sqlite3 -cmd ".timeout ${databaseTimeout}" "$databasePath"
|
||||||
[[ $? != 0 ]] && fail "Unable to update password"
|
[[ $? != 0 ]] && fail "Unable to update password"
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|||||||
Reference in New Issue
Block a user