kratos: enabled: description: Enables or disables the Kratos authentication system. WARNING - Disabling this process will cause the grid to malfunction. Re-enabling this setting will require manual effort via SSH. advanced: True helpLink: kratos.html oidc: enabled: description: Set to True to enable OIDC / Single Sign-On (SSO) to SOC. Requires a valid Security Onion license key. global: True helpLink: oidc.html config: id: description: Customize the OIDC provider name. This name appears on the login page. Required. It is strongly recommended to leave this to the default value, unless you are aware of the other configuration pieces that will be affected by changing it. global: True forcedType: string helpLink: oidc.html provider: description: "Specify the provider type. Required. Valid values are: auth0, generic, github, google, microsoft" global: True forcedType: string regex: "auth0|generic|github|google|microsoft" regexFailureMessage: "Valid values are: auth0, generic, github, google, microsoft" helpLink: oidc.html client_id: description: Specify the client ID, also referenced as the application ID. Required. global: True forcedType: string helpLink: oidc.html client_secret: description: Specify the client secret. Required. global: True forcedType: string helpLink: oidc.html microsoft_tenant: description: Specify the Microsoft Active Directory Tenant ID. Required when provider is 'microsoft'. global: True forcedType: string helpLink: oidc.html subject_source: description: The source of the subject identifier. Typically 'userinfo'. Only used when provider is 'microsoft'. global: True forcedType: string regex: me|userinfo regexFailureMessage: "Valid values are: me, userinfo" helpLink: oidc.html auth_url: description: Provider's auth URL. Required when provider is 'generic'. global: True forcedType: string helpLink: oidc.html issuer_url: description: Provider's issuer URL. Required when provider is 'auth0' or 'generic'. global: True forcedType: string helpLink: oidc.html mapper_url: description: A file path or URL in Jsonnet format, used to map OIDC claims to the Kratos schema. Defaults to an included file that maps the email claim. Note that the contents of the included file can be customized via the "OIDC Claims Mapping" setting. advanced: True global: True forcedType: string helpLink: oidc.html token_url: description: Provider's token URL. Required when provider is 'generic'. global: True forcedType: string helpLink: oidc.html scope: description: List of scoped data categories to request in the authentication response. Typically 'email' and 'profile' are the minimum required scopes. However, GitHub requires `user:email', instead and Auth0 requires 'profile', 'email', and 'openid'. global: True forcedType: "[]string" helpLink: oidc.html pkce: description: Set to 'force' if the OIDC provider does not support auto-detection of PKCE, but does support PKCE. Set to `never` to disable PKCE. The default setting automatically attempts to detect if PKCE is supported. The provider's `well-known/openid-configuration` JSON response must contain the `S256` algorithm within the `code_challenge_methods_supported` list in order for the auto-detection to correctly detect PKCE is supported. global: True forcedType: string helpLink: oidc.html requested_claims: id_token: email: essential: description: Specifies whether the email claim is necessary. Typically leave this value set to true. advanced: True global: True helpLink: oidc.html files: oidc__jsonnet: title: OIDC Claims Mapping description: Customize the OIDC claim mappings to the Kratos schema. The default mappings include the minimum required for login functionality, so this typically does not need to be customized. Visit https://jsonnet.org for more information about this file format. advanced: True file: True global: True helpLink: oidc.html config: session: lifespan: description: Defines the length of a login session. global: True helpLink: kratos.html whoami: required_aal: description: Sets the Authenticator Assurance Level. Leave as default to ensure proper security protections remain in place. global: True advanced: True helpLink: kratos.html selfservice: methods: password: enabled: description: Set to True to enable traditional password authentication to SOC. Typically set to true, except when exclusively using OIDC authentication. Some external tool interfaces may not be accessible if local password authentication is disabled. global: True advanced: True helpLink: oidc.html config: haveibeenpwned_enabled: description: Set to True to check if a newly chosen password has ever been found in a published list of previously-compromised passwords. Requires outbound Internet connectivity when enabled. global: True helpLink: kratos.html totp: enabled: description: Set to True to enable Time-based One-Time Password (TOTP) multi-factor authentication (MFA) to SOC. Enable to ensure proper security protections remain in place. Be aware that disabling this setting, after users have already setup TOTP, may prevent users from logging in. global: True helpLink: kratos.html config: issuer: description: The name to show in the MFA authenticator app. Useful for differentiating between installations that share the same user email address. global: True helpLink: kratos.html webauthn: enabled: description: Set to True to enable Security Keys (WebAuthn / PassKeys) for passwordless or multi-factor authentication (MFA) SOC logins. Security Keys are a Public-Key Infrastructure (PKI) based authentication method, typically involving biometric hardware devices, such as laptop fingerprint scanners and USB hardware keys. Be aware that disabling this setting, after users have already setup their accounts with Security Keys, may prevent users from logging in. global: True helpLink: kratos.html config: passwordless: description: Set to True to utilize Security Keys (WebAuthn / PassKeys) for passwordless logins. Set to false to utilize Security Keys as a multi-factor authentication (MFA) method supplementing password logins. Be aware that changing this value, after users have already setup their accounts with the previous value, may prevent users from logging in. global: True helpLink: kratos.html rp: id: description: The internal identification used for registering new Security Keys. Leave as default to ensure Security Keys function properly. global: True advanced: True helpLink: kratos.html origin: description: The URL used to login to SOC. Leave as default to ensure Security Keys function properly. global: True advanced: True helpLink: kratos.html display_name: description: The name assigned to the security key. Note that URL_BASE is replaced with the hostname or IP address used to login to SOC, to help distinguish multiple Security Onion installations. global: True advanced: True helpLink: kratos.html flows: settings: privileged_session_max_age: description: The length of time after a successful authentication for a user's session to remain elevated to a privileged session. Privileged sessions are able to change passwords and other security settings for that user. If a session is no longer privileged then the user is redirected to the login form in order to confirm the security change. global: True helpLink: kratos.html ui_url: description: User accessible URL containing the user self-service profile and security settings. Leave as default to ensure proper operation. global: True advanced: True helpLink: kratos.html required_aal: description: Sets the Authenticator Assurance Level for accessing user self-service profile and security settings. Leave as default to ensure proper security enforcement remains in place. global: True advanced: True helpLink: kratos.html verification: ui_url: description: User accessible URL containing the Security Onion login page. Leave as default to ensure proper operation. global: True advanced: True helpLink: kratos.html login: ui_url: description: User accessible URL containing the Security Onion login page. Leave as default to ensure proper operation. global: True advanced: True helpLink: kratos.html error: ui_url: description: User accessible URL containing the Security Onion login page. Leave as default to ensure proper operation. global: True advanced: True helpLink: kratos.html registration: ui_url: description: User accessible URL containing the Security Onion login page. Leave as default to ensure proper operation. global: True advanced: True helpLink: kratos.html default_browser_return_url: description: Security Onion Console landing page URL. Leave as default to ensure proper operation. global: True advanced: True helpLink: kratos.html allowed_return_urls: description: Internal redirect URL. Leave as default to ensure proper operation. global: True advanced: True helpLink: kratos.html log: level: description: Log level to use for Kratos logs. global: True helpLink: kratos.html format: description: Log output format for Kratos logs. global: True helpLink: kratos.html secrets: default: description: Secret key used for protecting session cookie data. Generated during installation. global: True sensitive: True advanced: True helpLink: kratos.html serve: public: base_url: description: User accessible URL for authenticating to Kratos. Leave as default for proper operation. global: True advanced: True helpLink: kratos.html admin: base_url: description: User accessible URL for accessing Kratos administration API. Leave as default for proper operation. global: True advanced: True helpLink: kratos.html hashers: bcrypt: cost: description: Bcrypt hashing algorithm cost. Higher values consume more CPU and take longer to complete. Actual cost is computed as 2^X where X is the value in this setting. global: True advanced: True helpLink: kratos.html courier: smtp: connection_uri: description: SMTPS URL for sending outbound account-related emails. Not utilized with the standard Security Onion installation. global: True advanced: True helpLink: kratos.html