Introduction
Vault can be set up to require a Duo push confirmation on the user's mobile device before a login succeeds. The example below uses the Okta auth method.
Expected Outcome
A user needs to successfully validate a Duo MFA push request before authenticating with Okta.
Prerequisites
- Vault Enterprise
- Okta account
- Duo account
Settings Okta
- generate an API token
Settings Duo
- Save the Client ID (integration key), Client secret (secret key) and API hostname
Procedure
1. Enable Okta in a namespace and configure it:
$ vault namespace create ns1
$ vault auth enable -namespace=ns1 okta
$ vault write -namespace=ns1 auth/okta/config \
base_url="okta.com" \
organization="$NAME_ORG" \
token="$OKTA_TOKEN"
2. Define an MFA method of type Duo that points to the mount_accessor of the Okta auth method enabled in the namespace:
vault auth list -namespace=ns1 -format=json | jq -r '.["okta/"].accessor' > accessor.txt
vault write sys/mfa/method/duo/my_duo \
mount_accessor=$(cat accessor.txt) \
integration_key=$INTEGRATION_KEY \
secret_key=$SECRET_KEY \
api_hostname=$API_HOSTNAME
3. The following Sentinel policy enforces MFA when logging into Vault with Okta:
import "mfa"
import "strings"
# Require Duo MFA validation to log in via Okta
duo_valid = rule {
mfa.methods.my_duo.valid
}
main = rule when strings.has_prefix(request.path, "auth/okta/login/") {
duo_valid
}
Write it as an EGP in the namespace, with the Sentinel code above in $POLICY, scoped to the Okta login path and enforced as hard-mandatory so a failed Duo check denies the login rather than only logging a warning:
vault write -namespace=ns1 sys/policies/egp/my_duo \
policy="${POLICY}" \
paths="auth/okta/login/*" \
enforcement_level="hard-mandatory"
Test the login:
vault login -namespace=ns1 -method=okta username=sandynelax
The user should receive a Duo push prompt and must approve it for the login to be allowed.
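The steps above as a script, added here as an example rather than taken from the original article: it looks up the Okta mount accessor without jq, renders the Sentinel policy for whatever mount and method name are passed in, writes the Duo method and the EGP, and reads the EGP back to confirm it is hard-mandatory. It assumes the vault CLI, VAULT_ADDR and VAULT_TOKEN for an Enterprise cluster, and the Duo values in INTEGRATION_KEY, SECRET_KEY and API_HOSTNAME.

```shell
#!/bin/sh
# Added example, not part of the original article.

# Pull the accessor of one auth mount out of `vault auth list -format=json`.
# $1 = the JSON, $2 = mount path with trailing slash (e.g. okta/)
extract_accessor() {
  printf '%s' "$1" | tr -d '\n' |
    sed -n "s|.*\"$2\"[^}]*\"accessor\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*|\1|p"
}

# Render the Sentinel EGP for auth mount $1 (e.g. okta) and MFA method $2
# (e.g. my_duo), so the guarded login path always matches the mount name.
render_policy() {
  cat <<EOF
import "mfa"
import "strings"

# Require Duo MFA validation to log in via the $1 auth method
duo_valid = rule {
    mfa.methods.$2.valid
}

main = rule when strings.has_prefix(request.path, "auth/$1/login/") {
    duo_valid
}
EOF
}

# Apply steps 2 and 3 for namespace $1, auth mount $2 and MFA method $3.
# Returns non-zero if any step fails or the EGP is not hard-mandatory.
configure_duo_mfa() {
  ns=$1; mount=$2; method=$3
  accessor=$(extract_accessor "$(vault auth list -namespace="$ns" -format=json)" "$mount/")
  [ -n "$accessor" ] || { echo "no accessor for $mount/ in $ns" >&2; return 1; }
  # Same form as step 2 in the article: the method references the namespaced mount.
  vault write sys/mfa/method/duo/"$method" mount_accessor="$accessor" \
    integration_key="$INTEGRATION_KEY" secret_key="$SECRET_KEY" \
    api_hostname="$API_HOSTNAME" || return 1
  vault write -namespace="$ns" sys/policies/egp/"$method" \
    policy="$(render_policy "$mount" "$method")" \
    paths="auth/$mount/login/*" enforcement_level="hard-mandatory" || return 1
  # A soft-mandatory or advisory EGP would only log; verify it really denies.
  vault read -namespace="$ns" -field=enforcement_level sys/policies/egp/"$method" |
    grep -qx hard-mandatory
}

# Usage: configure_duo_mfa ns1 okta my_duo
```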