hashicorp / vault

A tool for secrets management, encryption as a service, and privileged access management
https://www.vaultproject.io/

Support YUBICO provider with token:hardware factor for Okta backend #22961

Open ctkysj opened 1 year ago

ctkysj commented 1 year ago

Is your feature request related to a problem? Please describe. Currently, Vault's OKTA backend only supports 3 combinations of provider and factors: GOOGLE/totp, OKTA/totp, and OKTA/push. Our infosec group has started transitioning to use hardware tokens for MFA and plans to eventually deprecate usage of phone-based MFA. Once totp/push support has been phased out, we will no longer have a way to log in to Vault using the Okta backend.

Describe the solution you'd like Support the YUBICO provider with the token:hardware factor for the Okta backend.

Describe alternatives you've considered As Okta is our sso platform of choice, we aren't able to use any other backends for vault authentication.

Explain any additional use-cases If there are any use-cases that would help us understand the use/need/value please share them as they can help us decide on acceptance and prioritization.

Additional context We are looking for changes similar to those made to address this issue https://github.com/hashicorp/vault/issues/14535 to support the GOOGLE provider.

  1. Is this a feature the Vault team is willing to add?
  2. Are contributions accepted?
trodemaster commented 1 year ago

We use OKTA auth with LoginMFA handling the second step that triggers the MFA push to the OKTA app. With LoginMFA being the newer way to configure MFA, having this capability added to it would be ideal.

kda-jt commented 1 year ago

Hi! I second this request. My org is moving to Yubikeys and this is a big blocker for us. Vault & Okta are at the heart of everything we do, so we'd love to give our security a boost with hardware 2FA. Thanks!

kda-jt commented 11 months ago

Hey maintainers 👋🏼 Would you have any news about this? Thanks

cognifloyd commented 11 months ago

Currently, Vault's OKTA backend only supports 3 combinations of provider and factors. GOOGLE/totp, OKTA/totp, and OKTA/push.

This is not completely accurate. The Okta auth backend only supports TOTP if you use the CLI to log in; the UI does not support TOTP for the okta auth method.

cognifloyd commented 11 months ago

With LoginMFA being the newer way to configure MFA, having this capability added to it would be ideal.

I've added support for Login MFA to use Okta TOTP auth (using token:hardware or any other token:* factor type) in #24563.

I added it to Okta Login MFA instead of the Okta auth backend because the UI flow already works for Login MFA, making the required changes much smaller.