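# Setting annotations (description, help link, validation hints, UI flags) for the
# Kratos settings exposed through SOC. Keys mirror the Ory Kratos configuration tree.
# NOTE(review): indentation was reconstructed from a whitespace-mangled rendering;
# the nesting follows the Kratos config layout (session / selfservice / log / ...).
kratos:
  enabled:
    description: You can enable or disable Kratos.
    advanced: True
    helpLink: kratos.html

  oidc:
    enabled:
      description: Set to True to enable OIDC / Single Sign-On (SSO) to SOC. Requires a valid Security Onion license key.
      global: True
      helpLink: oidc.html
    config:
      id:
        description: Customize the OIDC provider name. This name appears on the login page. Required.
        global: True
        forcedType: string
        helpLink: oidc.html
      provider:
        description: "Specify the provider type. Required. Valid values are: auth0, generic, github, google, microsoft"
        global: True
        forcedType: string
        # NOTE(review): the pattern is unanchored; whether the consumer requires a full-string
        # match (rejecting e.g. a value that merely contains "github") is not visible here — confirm.
        regex: "auth0|generic|github|google|microsoft"
        regexFailureMessage: "Valid values are: auth0, generic, github, google, microsoft"
        helpLink: oidc.html
      client_id:
        description: Specify the client ID, also referenced as the application ID. Required.
        global: True
        forcedType: string
        helpLink: oidc.html
      client_secret:
        description: Specify the client secret. Required.
        global: True
        # The client secret is a credential; mark it sensitive so it is handled the same way
        # as secrets.default below rather than displayed as plain configuration.
        sensitive: True
        forcedType: string
        helpLink: oidc.html
      microsoft_tenant:
        description: Specify the Microsoft Active Directory Tenant ID. Required when provider is 'microsoft'.
        global: True
        forcedType: string
        helpLink: oidc.html
      subject_source:
        description: The source of the subject identifier. Typically 'userinfo'. Only used when provider is 'microsoft'.
        global: True
        forcedType: string
        # Quoted for consistency with the provider regex above.
        regex: "me|userinfo"
        regexFailureMessage: "Valid values are: me, userinfo"
        helpLink: oidc.html
      auth_url:
        description: Provider's auth URL. Required when provider is 'generic'.
        global: True
        forcedType: string
        helpLink: oidc.html
      issuer_url:
        description: Provider's issuer URL. Required when provider is 'auth0' or 'generic'.
        global: True
        forcedType: string
        helpLink: oidc.html
      mapper_url:
        description: A file path or URL in Jsonnet format, used to map OIDC claims to the Kratos schema. Defaults to an included file that maps the email claim. Note that the contents of the included file can be customized via the "OIDC Claims Mapping" setting.
        advanced: True
        global: True
        forcedType: string
        helpLink: oidc.html
      token_url:
        description: Provider's token URL. Required when provider is 'generic'.
        global: True
        forcedType: string
        helpLink: oidc.html
      scope:
        description: List of scoped data categories to request in the authentication response. Typically 'email' and 'profile' are the minimum required scopes. However, GitHub requires 'user:email' instead, and Auth0 requires 'profile', 'email', and 'openid'.
        global: True
        forcedType: "[]string"
        helpLink: oidc.html
      requested_claims:
        id_token:
          email:
            essential:
              description: Specifies whether the email claim is necessary. Typically leave this value set to true.
              advanced: True
              global: True
              helpLink: oidc.html
    files:
      oidc__jsonnet:
        title: OIDC Claims Mapping
        description: Customize the OIDC claim mappings to the Kratos schema. The default mappings include the minimum required for login functionality, so this typically does not need to be customized. Visit https://jsonnet.org for more information about this file format.
        advanced: True
        file: True
        global: True
        helpLink: oidc.html

  config:
    session:
      lifespan:
        description: Defines the length of a login session.
        global: True
        helpLink: kratos.html
      whoami:
        required_aal:
          description: Sets the Authenticator Assurance Level. Leave as default to ensure proper security protections remain in place.
          global: True
          advanced: True
          helpLink: kratos.html
    selfservice:
      methods:
        password:
          enabled:
            description: Set to True to enable traditional password authentication to SOC. Typically set to true, except when exclusively using OIDC authentication. Some external tool interfaces may not be accessible if local password authentication is disabled.
            global: True
            advanced: True
            helpLink: oidc.html
          config:
            haveibeenpwned_enabled:
              description: Set to True to check if a newly chosen password has ever been found in a published list of previously-compromised passwords. Requires outbound Internet connectivity when enabled.
              global: True
              helpLink: kratos.html
        totp:
          enabled:
            description: Set to True to enable Time-based One-Time Password (TOTP) multi-factor authentication (MFA) to SOC. Enable to ensure proper security protections remain in place. Be aware that disabling this setting, after users have already setup TOTP, may prevent users from logging in.
            global: True
            helpLink: kratos.html
          config:
            issuer:
              description: The name to show in the MFA authenticator app. Useful for differentiating between installations that share the same user email address.
              global: True
              advanced: True
              helpLink: kratos.html
        webauthn:
          enabled:
            description: Set to True to enable Security Keys (WebAuthn / PassKeys) for passwordless or multi-factor authentication (MFA) SOC logins. Security Keys are a Public-Key Infrastructure (PKI) based authentication method, typically involving biometric hardware devices, such as laptop fingerprint scanners and USB hardware keys. Be aware that disabling this setting, after users have already setup their accounts with Security Keys, may prevent users from logging in.
            global: True
            helpLink: kratos.html
          config:
            passwordless:
              description: Set to True to utilize Security Keys (WebAuthn / PassKeys) for passwordless logins. Set to false to utilize Security Keys as a multi-factor authentication (MFA) method supplementing password logins. Be aware that changing this value, after users have already setup their accounts with the previous value, may prevent users from logging in.
              global: True
              helpLink: kratos.html
            rp:
              id:
                description: The internal identification used for registering new Security Keys. Leave as default to ensure Security Keys function properly.
                global: True
                advanced: True
                helpLink: kratos.html
              origin:
                description: The URL used to login to SOC. Leave as default to ensure Security Keys function properly.
                global: True
                advanced: True
                helpLink: kratos.html
              display_name:
                description: The name assigned to the security key. Note that URL_BASE is replaced with the hostname or IP address used to login to SOC, to help distinguish multiple Security Onion installations.
                global: True
                advanced: True
                helpLink: kratos.html

      flows:
        settings:
          privileged_session_max_age:
            description: The length of time after a successful authentication for a user's session to remain elevated to a privileged session. Privileged sessions are able to change passwords and other security settings for that user. If a session is no longer privileged then the user is redirected to the login form in order to confirm the security change.
            global: True
            helpLink: kratos.html
          ui_url:
            description: User accessible URL containing the user self-service profile and security settings. Leave as default to ensure proper operation.
            global: True
            advanced: True
            helpLink: kratos.html
          required_aal:
            description: Sets the Authenticator Assurance Level for accessing user self-service profile and security settings. Leave as default to ensure proper security enforcement remains in place.
            global: True
            advanced: True
            helpLink: kratos.html
        verification:
          ui_url:
            description: User accessible URL containing the Security Onion login page. Leave as default to ensure proper operation.
            global: True
            advanced: True
            helpLink: kratos.html
        login:
          ui_url:
            description: User accessible URL containing the Security Onion login page. Leave as default to ensure proper operation.
            global: True
            advanced: True
            helpLink: kratos.html
        error:
          ui_url:
            description: User accessible URL containing the Security Onion login page. Leave as default to ensure proper operation.
            global: True
            advanced: True
            helpLink: kratos.html
        registration:
          ui_url:
            description: User accessible URL containing the Security Onion login page. Leave as default to ensure proper operation.
            global: True
            advanced: True
            helpLink: kratos.html
      default_browser_return_url:
        description: Security Onion Console landing page URL. Leave as default to ensure proper operation.
        global: True
        advanced: True
        helpLink: kratos.html
      allowed_return_urls:
        description: Internal redirect URL. Leave as default to ensure proper operation.
        global: True
        advanced: True
        helpLink: kratos.html
    log:
      level:
        description: Log level to use for Kratos logs.
        global: True
        helpLink: kratos.html
      format:
        description: Log output format for Kratos logs.
        global: True
        helpLink: kratos.html
    secrets:
      default:
        description: Secret key used for protecting session cookie data. Generated during installation.
        global: True
        sensitive: True
        advanced: True
        helpLink: kratos.html
    serve:
      public:
        base_url:
          description: User accessible URL for authenticating to Kratos. Leave as default for proper operation.
          global: True
          advanced: True
          helpLink: kratos.html
      admin:
        base_url:
          description: User accessible URL for accessing Kratos administration API. Leave as default for proper operation.
          global: True
          advanced: True
          helpLink: kratos.html
    hashers:
      bcrypt:
        cost:
          description: Bcrypt hashing algorithm cost. Higher values consume more CPU and take longer to complete. Actual cost is computed as 2^X where X is the value in this setting.
          global: True
          advanced: True
          helpLink: kratos.html
    courier:
      smtp:
        connection_uri:
          description: SMTPS URL for sending outbound account-related emails. Not utilized with the standard Security Onion installation.
          global: True
          advanced: True
          # NOTE(review): an SMTP connection URI may embed a username and password; if it
          # is ever populated, consider marking it sensitive like secrets.default — confirm.
          helpLink: kratos.html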