TOTP self-service registration

Hi there, we are using Vault Opensource and have configured an LDAP auth method to allow us to use our on-premise AD for login and authentication. This means that users will automatically get access to Vault and will have LDAP group mappings to apply the correct policies in Vault.

We are exploring enabling MFA as an enforcement on the LDAP auth method. If I preconfigure my logged-in user with MFA before adding an enforcement, then when I apply the enforcement I can successfully log in using my LDAP user/pass and my TOTP. However, for a user who has not already set up MFA in Vault, if they try to log in on an enforced LDAP auth method, they give the username and password for LDAP but are then prompted for a TOTP, which they don’t have as it's not been set up for them yet.

Is there any way to have a self-service MFA setup flow like other products such as GitLab/auth0 etc., whereby when the user first logs in to a system with MFA enforced they are prompted to set up the MFA token?

I know we can use the administrative generate method for TOTP to create the TOTP QR code for users, but we want users to be able to self-serve this and not burden the DevOps team with requests to set up TOTP.