Introduction
Prerequisites (if applicable)
- Okta application
Overview
There are several ways in which Vault integrates with Okta's multi-factor authentication, and a few ways in which it does not. This article goes over the configurations that you can expect to work between these two systems. It also covers the configurations that will not work, along with potential alternatives for working around those gaps.
Okta-type Login MFA
The current best practice for configuring MFA for authentication in Vault is to use the Login MFA feature. This feature supports an MFA method type of Okta. With it you can enforce an MFA requirement using Okta for any authentication method (not just the Okta authentication method). For more information on setting this up, review the tutorial here.
- Push-based Okta MFA with Login MFA
- This form of multi-factor authentication supports push-based MFA for all forms of login (via the Vault CLI, API, and UI).
- TOTP-based Okta MFA with Login MFA
- This form of multi-factor authentication does NOT support TOTP-based MFA. Per the documentation:
"If Okta push is configured and enabled on a login path, then the enrolled device of the user will receive a push notification to either approve or deny access to the API."
- Potential Alternatives: The Okta auth method provides a way to enforce TOTP-based MFA; however, this enforcement can ONLY be applied to the Okta auth method on which it is configured. See the section below on TOTP-based Okta MFA with the Okta auth method for additional restrictions. Alternatively, the Login MFA feature does support a method type of TOTP; however, this requires configuring and managing TOTP generation exclusively within Vault (NOT handled by Okta). For more information on this approach, see the tutorial here.
Okta Auth Method MFA
The Okta authentication method offers a built-in MFA enforcement that applies only to clients authenticating via that authentication method.
- Push-based Okta MFA with the Okta Auth Method
- This form of multi-factor authentication supports push-based MFA for all forms of login (via the Vault CLI, API, and UI).
- TOTP-based Okta MFA with the Okta Auth Method
- This form of multi-factor authentication IS supported when clients are authenticating either via the API or the CLI.
- This form of multi-factor authentication is NOT supported for clients authenticating via the Vault UI. Clients attempting to log in this way will be presented with an error: "Authentication failed: 'totp' passcode parameter is required to perform MFA"
- Potential Alternatives: If clients are able to authenticate to Vault via the API or CLI instead of the UI, then TOTP-based authentication will work.
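The two integration paths described above (Login MFA of type Okta enforced on any auth method, and the Okta auth method's own TOTP check supplied by a CLI/API caller), as an added shell example that is not part of the original article. The org name, API token, accessor and username are placeholders; DRY_RUN=1 prints the vault commands instead of executing them.

```shell
#!/bin/sh
# Added example (not from the original article). Shows, side by side:
#   1. Login MFA, method type "okta", enforced on a non-Okta auth method
#      (identified by its accessor). This path delivers Okta push only.
#   2. The Okta auth method's built-in MFA, where the caller supplies the
#      TOTP passcode as the "totp" login parameter. Only the CLI and API can
#      pass that parameter, which is why the UI login fails with the error
#      quoted in the article.
# Placeholders (assumptions, not real values): ORG_NAME, OKTA_API_TOKEN,
# USERPASS_ACCESSOR, VAULT_USER. Set DRY_RUN=1 to print commands only.
set -eu

ORG_NAME="${ORG_NAME:-example-org}"                   # placeholder Okta org
OKTA_API_TOKEN="${OKTA_API_TOKEN:-<okta-api-token>}"  # placeholder token
USERPASS_ACCESSOR="${USERPASS_ACCESSOR:-auth_userpass_00000000}"  # placeholder
VAULT_USER="${VAULT_USER:-alice}"

# Wrapper: run vault, or echo the command when DRY_RUN=1 (offline mode).
vault_cmd() {
  if [ "${DRY_RUN:-0}" = "1" ]; then printf 'vault %s\n' "$*"; else vault "$@"; fi
}

# Login MFA step 1: register an Okta-type MFA method. Vault returns a
# method_id that the enforcement below refers to.
create_login_mfa_okta() {
  vault_cmd write -field=method_id identity/mfa/method/okta \
    org_name="$ORG_NAME" api_token="$OKTA_API_TOKEN" base_url=okta.com
}

# Login MFA step 2: require that method for every login through the given
# auth method accessor, e.g. a userpass mount rather than the Okta mount.
enforce_login_mfa() {   # $1 = method_id, $2 = auth method accessor
  vault_cmd write identity/mfa/login-enforcement/okta-push \
    mfa_method_ids="$1" auth_method_accessors="$2"
}

# Okta auth method path: the TOTP passcode travels with the login request.
okta_auth_login_with_totp() {   # $1 = username, $2 = six-digit passcode
  vault_cmd login -method=okta username="$1" totp="$2"
}

# Walk-through when run directly (use DRY_RUN=1 to see the commands only).
if [ "${RUN_EXAMPLE:-0}" = "1" ]; then
  method_id=$(create_login_mfa_okta)
  enforce_login_mfa "$method_id" "$USERPASS_ACCESSOR"
  okta_auth_login_with_totp "$VAULT_USER" 123456
fi
```

Run with `DRY_RUN=1 RUN_EXAMPLE=1 sh okta-mfa.sh` to review the exact commands before pointing them at a real Vault cluster.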