Introduction
This guide will document the basic steps for configuring the OIDC authentication method to work with Login MFA.
The third party services used are Auth0 (for OIDC auth) and PingID (for MFA).
Expected Outcome
A user authenticating into Vault using the OIDC auth method will be required to complete an MFA step prior to retrieving a token.
Prerequisites (if applicable)
- An Auth0 developer account
- A PingOne for Enterprise account
- A mobile phone with the PingID app installed
- A running Vault server
Procedure
Auth0
- Follow steps 1-10 in the "Get Auth0 credentials" section of this tutorial to complete the following steps.
- Retrieve domain name, client_id and client_secret.
- Provide Auth0 with the Allowed Callback URL values referencing your Vault instance. Similar to:
http://<YOUR_HOSTNAME>:8250/oidc/callback
http://<YOUR_HOSTNAME>:8200/ui/vault/auth/oidc/oidc/callback
- Create a user associated with the Auth0 application.
PingID
- Sign into the admin portal. Go to 'Users'. Create a user with an email address that matches the user created in Auth0 (alice@example.com in this guide).
- Go to Setup > PingID > Client Integration and download the file from the "Integrate with PingFederate" section. The file will be called "pingid.properties".
- Base64 encode the file and save the base64 encoded value for later use.
openssl base64 -A -in pingid.properties
- Sign in as the new user, click the username in the top right. Devices > Add Device.
- Use the QR code to connect from the PingID app on your mobile device.
Vault
- Enable the OIDC auth method.
vault auth enable oidc
- Create a policy for the users.
vault policy write auth0-readers - <<EOF
path "kv/*" {
  capabilities = ["list", "read"]
}
EOF
- Create an OIDC role. Important note: make sure the user_claim and oidc_scopes fields are both set to "email". This ensures each Auth0 user's email address matches the entity alias we will create in Vault.
vault write auth/oidc/role/auth0-reader \
bound_audiences="<AUTH0_CLIENT_ID>" \
allowed_redirect_uris="http://<YOUR_HOSTNAME>:8250/oidc/callback" \
allowed_redirect_uris="http://<YOUR_HOSTNAME>:8200/ui/vault/auth/oidc/oidc/callback" \
user_claim="email" \
oidc_scopes="email" \
policies="auth0-readers"
- Create the config for the OIDC method.
vault write auth/oidc/config \
oidc_discovery_url="https://<AUTH0_DOMAIN>/" \
oidc_client_id="<AUTH0_CLIENT_ID>" \
oidc_client_secret="<AUTH0_CLIENT_SECRET>" \
default_role="auth0-reader"
- Create an entity for the user.
vault write identity/entity name="alice"
- Create an entity alias. canonical_id is the ID of the entity just created; the mount_accessor for OIDC can be found by running "vault auth list".
vault write identity/entity-alias \
name="alice@example.com" \
canonical_id="<ENTITY_ID>" \
mount_accessor="<OIDC_MOUNT_ACCESSOR>"
- Verify that OIDC login works without MFA enabled. Important note: if logging in via the CLI, you may need to adjust the optional parameters to non-default values. Review this doc for details.
vault login -method=oidc
- Enable PingID MFA. You will need the base64 encoded pingid.properties file from step 3 of the PingID section.
vault write identity/mfa/method/pingid settings_file_base64=<B64_ENCODED_PINGID_PROPERTIES>
- Enable PingID MFA enforcement. The method ID for this command is returned by the previous step.
vault write identity/mfa/login-enforcement/learn \
mfa_method_ids="<METHOD_ID>" \
auth_method_accessors="<OIDC_MOUNT_ACCESSOR>"
- Log in again and check your phone for an MFA notification in the PingID mobile application. The CLI output looks like this:
Please visit the authorization URL manually. Waiting for OIDC authentication to complete...
Asking Vault to perform MFA validation with upstream service. You should receive a push notification in your authenticator app shortly
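A check for the pieces of this procedure that have to line up (the role's email claim and scope, the alias, the OIDC mount accessor and the login enforcement), as an added example that is not part of the original guide. It reads the JSON that `vault auth list -format=json` and `vault read -format=json` return; the JSON embedded below is constructed sample data with placeholder IDs and hostnames.

```python
import json

# Constructed sample JSON shaped like the output of `vault auth list -format=json`
# and `vault read -format=json ...`; every ID and hostname here is a placeholder.
AUTH_LIST = json.dumps({"oidc/": {"type": "oidc", "accessor": "auth_oidc_PLACEHOLDER"}})
ROLE = json.dumps({"data": {
    "user_claim": "email", "oidc_scopes": ["email"], "policies": ["auth0-readers"],
    "allowed_redirect_uris": ["http://vault.example.com:8250/oidc/callback",
                              "http://vault.example.com:8200/ui/vault/auth/oidc/oidc/callback"]}})
ALIAS = json.dumps({"data": {"name": "alice@example.com", "canonical_id": "ENTITY_PLACEHOLDER",
                             "mount_accessor": "auth_oidc_PLACEHOLDER"}})
ENFORCEMENT = json.dumps({"data": {"mfa_method_ids": ["MFA_METHOD_PLACEHOLDER"],
                                   "auth_method_accessors": ["auth_oidc_PLACEHOLDER"]}})
MFA_METHOD_ID = "MFA_METHOD_PLACEHOLDER"
# The Allowed Callback URLs configured on the Auth0 side (constructed).
AUTH0_CALLBACKS = {"http://vault.example.com:8250/oidc/callback",
                   "http://vault.example.com:8200/ui/vault/auth/oidc/oidc/callback"}

def oidc_accessor(auth_list_json):
    """Return the accessor of the oidc mount from `vault auth list -format=json`."""
    mounts = json.loads(auth_list_json)
    return next(m["accessor"] for m in mounts.values() if m["type"] == "oidc")

def check_setup(auth_list_json, role_json, alias_json, enforcement_json, mfa_method_id, callbacks):
    """Return a list of misconfigurations; an empty list means the pieces line up."""
    accessor = oidc_accessor(auth_list_json)
    role = json.loads(role_json)["data"]
    alias = json.loads(alias_json)["data"]
    enf = json.loads(enforcement_json)["data"]
    problems = []
    if role["user_claim"] != "email":
        problems.append("role user_claim must be 'email' so the alias name matches the login")
    if "email" not in role["oidc_scopes"]:
        problems.append("role oidc_scopes must include 'email' or the claim is never sent")
    for uri in role["allowed_redirect_uris"]:
        if uri not in callbacks:
            problems.append(f"redirect URI not registered as an Auth0 callback: {uri}")
    if alias["mount_accessor"] != accessor:
        problems.append("entity alias mount_accessor does not point at the oidc mount")
    if accessor not in enf["auth_method_accessors"]:
        problems.append("login enforcement does not cover the oidc mount accessor")
    if mfa_method_id not in enf["mfa_method_ids"]:
        problems.append("login enforcement does not reference the PingID method ID")
    return problems

if __name__ == "__main__":
    for p in check_setup(AUTH_LIST, ROLE, ALIAS, ENFORCEMENT, MFA_METHOD_ID, AUTH0_CALLBACKS):
        print("PROBLEM:", p)
```

Against a live server, replace the constants with the output of the corresponding vault commands; any printed PROBLEM line is a reason the MFA step or the entity mapping would not behave as this guide expects.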