Enable MFA support

2026-04-28 23:47:55 +02:00 · 2022-02-15 07:49:12 -05:00
parent c5d6f09320
commit d97423e9f8
4 changed files with 29 additions and 4 deletions
@@ -1,9 +1,12 @@
 {%- set WEBACCESS = salt['pillar.get']('global:url_base', '') -%}
 {%- set KRATOSKEY = salt['pillar.get']('kratos:kratoskey', '') -%}
 {%- set SESSIONTIMEOUT = salt['pillar.get']('kratos:sessiontimeout', '24h') -%}
+{%- set MFA_ISSUER = salt['pillar.get']('kratos:mfa_issuer', 'Security Onion') -%}

 session:
  lifespan: {{ SESSIONTIMEOUT }}
+  whoami:
+    required_aal: highest_available

 selfservice:
  methods:
@@ -11,10 +14,15 @@ selfservice:
      enabled: true
      config:
        haveibeenpwned_enabled: false
+    totp:
+      enabled: true
+      config:
+        issuer: {{ MFA_ISSUER }}

  flows:
    settings:
      ui_url: https://{{ WEBACCESS }}/?r=/settings
+      required_aal: highest_available

    verification:
      ui_url: https://{{ WEBACCESS }}/
@@ -17,6 +17,9 @@
            "credentials": {
              "password": {
                "identifier": true
+              },
+              "totp": {
+                "account_name": true
              }
            },
            "verification": {