kratos:
  config:
    session:
      lifespan: 
        description: Defines the length of a login session.
        global: True
        helpLink: kratos.html
      whoami:
        required_aal: 
          description: Sets the Authenticator Assurance Level. Leave as default to ensure proper security protections remain in place.
          global: True
          advanced: True
          helpLink: kratos.html
    selfservice:
      methods:
        password:
          enabled: 
            description: Set to True to enable traditional password authentication. Leave as default to ensure proper security protections remain in place.
            global: True
            advanced: True
            helpLink: kratos.html
          config:
            haveibeenpwned_enabled:
              description: Set to True to check if a newly chosen password has ever been found in a published list of previously-compromised passwords. Requires outbound Internet connectivity when enabled.
              global: True
              helpLink: kratos.html
        totp:
          enabled: 
            description: Set to True to enable Time-based One-Time Password (TOTP) MFA authentication. Leave as default to ensure proper security protections remain in place.
            global: True
            advanced: True
            helpLink: kratos.html
          config:
            issuer: 
              description: The name to show in the MFA authenticator app. Useful for differentiating between installations that share the same user email address.
              global: True
              advanced: True
              helpLink: kratos.html
      flows:
        settings:
          privileged_session_max_age:
            description: The length of time after a successful authentication for a user's session to remain elevated to a privileged session. Privileged sessions are able to change passwords and other security settings for that user. If a session is no longer privileged then the user is redirected to the login form in order to confirm the security change.
            global: True
            helpLink: kratos.html
          ui_url: 
            description: User accessible URL containing the user self-service profile and security settings. Leave as default to ensure proper operation.
            global: True
            advanced: True
            helpLink: kratos.html
          required_aal:
            description: Sets the Authenticator Assurance Level for accessing user self-service profile and security settings. Leave as default to ensure proper security enforcement remains in place.
            global: True
            advanced: True
            helpLink: kratos.html
        verification:
          ui_url: 
            description: User accessible URL containing the Security Onion login page. Leave as default to ensure proper operation.
            global: True
            advanced: True
            helpLink: kratos.html
        login:
          ui_url: 
            description: User accessible URL containing the Security Onion login page. Leave as default to ensure proper operation.
            global: True
            advanced: True
            helpLink: kratos.html
        error:
          ui_url: 
            description: User accessible URL containing the Security Onion login page. Leave as default to ensure proper operation.
            global: True
            advanced: True
            helpLink: kratos.html
        registration:
          ui_url: 
            description: User accessible URL containing the Security Onion login page. Leave as default to ensure proper operation.
            global: True
            advanced: True
            helpLink: kratos.html
      default_browser_return_url:
        description: Security Onion Console landing page URL. Leave as default to ensure proper operation.
        global: True
        advanced: True
        helpLink: kratos.html
      allowed_return_urls:
        description: Internal redirect URL. Leave as default to ensure proper operation.
        global: True
        advanced: True
        helpLink: kratos.html
    log:
      level: 
        description: Log level to use for Kratos logs.
        global: True
        helpLink: kratos.html
      format: 
        description: Log output format for Kratos logs.
        global: True
        helpLink: kratos.html
    secrets:
      default: 
        description: Secret key used for protecting session cookie data. Generated during installation.
        global: True
        sensitive: True
        advanced: True
        helpLink: kratos.html
    serve:
      public:
        base_url: 
          description: User accessible URL for authenticating to Kratos. Leave as default for proper operation.
          global: True
          advanced: True
          helpLink: kratos.html
      admin:
        base_url: 
          description: User accessible URL for accessing Kratos administration API. Leave as default for proper operation.
          global: True
          advanced: True
          helpLink: kratos.html
    hashers:
      bcrypt:
        cost: 
          description: Bcrypt hashing algorithm cost. Higher values consume more CPU and take longer to complete. Actual cost is computed as 2^X where X is the value in this setting.
          global: True
          advanced: True
          helpLink: kratos.html
    courier:
      smtp:
        connection_uri: 
          description: SMTPS URL for sending outbound account-related emails. Not utilized with the standard Security Onion installation.
          global: True
          advanced: True
          helpLink: kratos.html