I have LDAP with TOTP set up as described here: Active Directory Auth Method with TOTP Login MFA | Vault | HashiCorp Developer
including the MFA enforcement, with certain groups added to the LDAP auth method.
Whenever a new user signs up for Vault, they will be prompted to input their MFA code, which of course they don't have yet. It seems another user is required to generate the TOTP secret for them, via their entity_id and the /admin-generate endpoint.
As the MFA requirement is enforced, the user is never logged in and doesn't receive a token until they complete the MFA login, so they can't generate the secret themselves, and I can't preemptively generate the users' QR codes, as I don't know their entity_ids before they first log in.
Is there a way to allow the user to generate their QR code during initial sign-in?
Best regards,
Ian
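The admin-generate flow the post describes, as an added example (not code from the post, nor from the HashiCorp tutorial it links). It goes beyond the post in one respect: an entity and its LDAP alias can be created through the identity API before the user's first login, which yields the entity_id that /admin-generate needs. Assumptions: the LDAP auth method is mounted at `ldap/` (override with `LDAP_MOUNT`), `VAULT_ADDR` and `VAULT_TOKEN` point at a token allowed to write under `identity/`, and the TOTP method id is passed in as an argument. The function names `ldap_accessor`, `ensure_entity`, `generate_totp` and `provision_user` are this example's own, not Vault commands.

```shell
#!/usr/bin/env sh
# Added example, not from the original post or HashiCorp: pre-provision a Vault
# identity entity + LDAP alias for a user who has never logged in, then generate
# their TOTP secret with identity/mfa/method/totp/admin-generate.
# Assumes VAULT_ADDR and VAULT_TOKEN are set; LDAP mount defaults to "ldap".

LDAP_MOUNT="${LDAP_MOUNT:-ldap}"

# Aliases are keyed by the auth mount's accessor, not its path.
ldap_accessor() {
  vault read -field=accessor "sys/auth/${LDAP_MOUNT}"
}

# Print the entity id for an LDAP username. If the user has never logged in,
# no entity exists yet, so create one and attach an alias named after the LDAP
# username on the LDAP mount; Vault then maps the first login onto this entity.
# Assumption: a lookup miss yields an empty/non-zero result, which we treat as
# "not found" rather than as a hard error.
ensure_entity() {
  user="$1"
  accessor="$(ldap_accessor)"
  id="$(vault write -field=id identity/lookup/entity \
          alias_name="$user" alias_mount_accessor="$accessor" 2>/dev/null || true)"
  if [ -z "$id" ]; then
    id="$(vault write -field=id identity/entity name="$user")"
    vault write identity/entity-alias \
      name="$user" canonical_id="$id" mount_accessor="$accessor" >/dev/null
  fi
  printf '%s\n' "$id"
}

# Generate (or regenerate) the TOTP secret for an entity and print the
# otpauth:// URL; the same call also returns a base64 PNG in the "barcode"
# field if you prefer to hand the user a QR image.
generate_totp() {
  method_id="$1"
  entity_id="$2"
  vault write -field=url identity/mfa/method/totp/admin-generate \
    method_id="$method_id" entity_id="$entity_id"
}

# End-to-end: username + TOTP method id -> otpauth URL for the user to enroll.
provision_user() {
  user="$1"
  method_id="$2"
  entity_id="$(ensure_entity "$user")"
  generate_totp "$method_id" "$entity_id"
}

# Usage: sh provision.sh <ldap-username> <totp-method-id>
if [ $# -eq 2 ]; then
  provision_user "$1" "$2"
fi
```

Hand the printed otpauth URL (or the barcode field) to the user over a channel you trust; once the secret exists for their entity, their first `vault login -method=ldap` will prompt for a code they can actually produce. Treat the URL as a credential: it contains the shared TOTP secret.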