I’m wrestling with Okta’s auth and MFA, trying to get Okta Verify push to work on Vault 1.20.4, on the open source edition. I’ve seen conflicting information that the Okta MFA is only available in enterprise, but I can install it through the web UI.
Configuring okta auth as per Okta - Auth Methods | Vault | HashiCorp Developer worked fine. I can log in with no issue.
Enabling MFA for Okta is where I run into problems, namely the following error message:
```
Error: failed to satisfy enforcement okta-mandatory-sso. error: 2 errors occurred:
  * no value could be found for one of the template directives
  * login MFA validation failed for methodID: [$oktamfamethodid]
```
Okta MFA config is as follows:

```json
"data": {
  "base_url": "okta.com",
  "id": "$oktamfamethodid",
  "mount_accessor": "",
  "name": "",
  "namespace_id": "root",
  "namespace_path": "",
  "org_name": "oktaorgname",
  "type": "okta",
  "username_format": "{{alias.name}}"
},
```
Some things to note:

- `mount_accessor` keeps getting set blank; I'm using the accessor for `/auth/okta`.
- `api_token` keeps getting set to blank for some reason.
- `org_name` is the subdomain of our Okta tenant (i.e. we log in through oktaorgname.okta.com).
- `username_format`: I'm unsure about this. I checked `/identity/alias/id/$aliasid` and the name field is exactly what we would use to log into Okta with.
Thanks ahead of time
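An added example, not code from the original post or from HashiCorp: the Vault CLI sequence for creating a Login MFA (`identity/mfa/*`) Okta method and an enforcement that ties it to the `okta` auth mount. Login MFA resolves `username_format` with Vault's identity templating, where the alias name is addressed as `{{identity.entity.aliases.<mount_accessor>.name}}` per the Login MFA API docs (the `{{alias.name}}` directive is the form used by the Enterprise legacy `sys/mfa` API); whether that is the cause of the error above is not established by the post. Assumed here: a logged-in `vault` CLI and `jq` on `PATH`, an Okta auth method mounted at `auth/okta`, `OKTA_ORG_NAME` and `OKTA_API_TOKEN` holding the Okta org subdomain and an Okta API token, the method name `okta-push`, and the enforcement name `okta-mandatory-sso` (taken from the error message).

```shell
#!/usr/bin/env sh
# Added example, not code from the original post or from HashiCorp.
# Assumptions: a logged-in `vault` CLI and `jq` are on PATH; the Okta auth
# method is mounted at auth/okta; OKTA_ORG_NAME and OKTA_API_TOKEN are set.
set -eu

# Login MFA resolves username_format with Vault's identity templating, so the
# alias name is addressed through the auth mount's accessor, not {{alias.name}}.
okta_username_format() {
  printf '{{identity.entity.aliases.%s.name}}' "$1"
}

# Accessor of an auth mount, e.g. "okta" -> "auth_okta_xxxxxxxx".
auth_mount_accessor() {
  vault auth list -format=json | jq -r --arg p "$1/" '.[$p].accessor'
}

# Create the Okta Login MFA method and return its method_id.
create_okta_mfa_method() {
  mount="$1" org="$2" token="$3"
  accessor=$(auth_mount_accessor "$mount")
  vault write -field=method_id identity/mfa/method/okta \
    method_name="okta-push" \
    org_name="$org" \
    api_token="$token" \
    base_url="okta.com" \
    username_format="$(okta_username_format "$accessor")"
}

# Require the method for every login that comes through the given auth mount.
enforce_okta_mfa() {
  mount="$1" method_id="$2"
  vault write identity/mfa/login-enforcement/okta-mandatory-sso \
    mfa_method_ids="$method_id" \
    auth_method_accessors="$(auth_mount_accessor "$mount")"
}

# Read the method back. The read response does not include api_token (it is
# absent from the poster's output as well), so check org_name and
# username_format here.
show_okta_mfa_method() {
  vault read -format=json "identity/mfa/method/okta/$1" \
    | jq '.data | {org_name, base_url, username_format}'
}

# Only touch Vault when explicitly asked, so the functions can be sourced safely.
if [ "${APPLY_VAULT_MFA:-0}" = "1" ]; then
  id=$(create_okta_mfa_method okta "$OKTA_ORG_NAME" "$OKTA_API_TOKEN")
  enforce_okta_mfa okta "$id"
  show_okta_mfa_method "$id"
fi
```

Run it as `APPLY_VAULT_MFA=1 OKTA_ORG_NAME=oktaorgname OKTA_API_TOKEN=... sh configure-okta-mfa.sh`, then test with `vault login -method=okta username=<okta user>`; the enforcement applies only to logins through the `okta` mount's accessor, so a token obtained another way is unaffected.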