I have configured auth/okta for integrating Vault login with Okta. Bypass MFA is disabled on the Vault side, but I’ve noticed it’s allowing users to log in with only user and password, without asking the user to enter an MFA code.
Sorry if this is too obvious, but is your Okta configured to require MFA? In Okta, by default, individual users can enable/disable MFA, but there’s also a way in the Okta admin interface to require it, and it seems like that’s what you want.
Now, Vault also has its own way of doing MFA, and it may be that you can enable that in addition to the Okta auth method to force people to do MFA even if your Okta config doesn’t require it, but I haven’t tried this. This is configured separately from the auth method, and you have a number of MFA methods available, including Okta.
Well, in my setup MFA is required in Okta and I use the “Okta Verify” push method, and when I log into Vault using vault login -method=okta I immediately receive the request for verification on my phone. I didn’t have to enable Vault’s MFA mechanism for that, but I have used the latter to add MFA to LDAP logins.