
MFA Provider Configuration

Knut Ahlers edited this page Dec 28, 2018 · 4 revisions

Each authentication provider that supports MFA carries an MFA configuration in its own format. Because there are several MFA providers, that configuration cannot be a single value; it must have the following form:

provider: <provider name>
attributes:
  <mapping of attributes>

Duo

This provider needs the following global configuration (under the mfa key) to function. ikey and skey are the credentials of your Duo application; treat skey as a secret and keep it out of version control:

mfa:
  duo:
    # Get your ikey / skey / host from  https://duo.com/docs/duoweb#first-steps
    ikey: "<IKEY>"
    skey: "<SKEY>"
    host: "<API HOST>"
    user_agent: "nginx-sso"

The corresponding MFA configuration is just the provider name; Duo takes no attributes:

provider: duo

Google Authenticator / TOTP (totp)

This provider supports several TOTP parameters; the defaults match what Google Authenticator uses. All parameters are documented below, but in most cases you will not need to set anything other than secret. The secret must be base32 encoded; the trailing padding (equal signs) may be stripped.

The corresponding MFA configuration is:

provider: totp
attributes:
  secret: MZXW6YTBOIFA  # required
  period: 30            # optional, defaults to 30 (Google Authenticator)
  skew: 1               # optional, defaults to 1 (Google Authenticator)
  digits: 8             # optional, defaults to 6 (Google Authenticator)
  algorithm: sha1       # optional (sha1, sha256, sha512), defaults to sha1 (Google Authenticator)

Here is an example of the otpauth URI (Google Authenticator's Key Uri Format) to encode in the QR code for the user's authenticator app:

otpauth://totp/Example:myusername?secret=MZXW6YTBOIFA

The URI must carry the same secret as the configuration. If you change period, digits or algorithm from the defaults, add them to the URI as query parameters of the same name (for the example above, digits=8) so that apps honouring them generate matching codes; Google Authenticator itself ignores these parameters and always produces 6-digit SHA1 codes every 30 seconds. skew is a server-side tolerance only and has no URI equivalent.
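To make the attributes above concrete, here is an added example in Go (the language nginx-sso is written in). It is illustration code, not the project's implementation, and the type and function names are my own. It decodes a secret with stripped base32 padding, applies the defaults listed above, generates the code an authenticator app would show, and verifies a submitted code against the skew window in constant time:

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/sha256"
	"crypto/sha512"
	"crypto/subtle"
	"encoding/base32"
	"encoding/binary"
	"fmt"
	"hash"
	"math"
	"strings"
	"time"
)

// TOTPConfig mirrors the attributes of the totp provider entry above. Skew is
// used as written (0 accepts only the current period), so pass 1 for the
// tolerance the page describes as the default.
type TOTPConfig struct {
	Secret    string // base32, trailing "=" padding optional
	Period    int    // step in seconds, 0 means 30
	Skew      int    // periods accepted on each side of "now"
	Digits    int    // code length, 0 means 6
	Algorithm string // sha1, sha256 or sha512, "" means sha1
}

// decodeSecret restores the padding that this page and authenticator apps
// strip, so "MZXW6YTBOIFA" and "MZXW6YTBOIFA====" yield the same key.
func decodeSecret(s string) ([]byte, error) {
	s = strings.TrimRight(strings.ToUpper(strings.TrimSpace(s)), "=")
	if r := len(s) % 8; r != 0 {
		s += strings.Repeat("=", 8-r)
	}
	return base32.StdEncoding.DecodeString(s)
}

// prepare applies the defaults and resolves the key and hash constructor.
func (c TOTPConfig) prepare() (TOTPConfig, []byte, func() hash.Hash, error) {
	if c.Period <= 0 {
		c.Period = 30
	}
	if c.Digits <= 0 {
		c.Digits = 6
	}
	key, err := decodeSecret(c.Secret)
	if err != nil {
		return c, nil, nil, err
	}
	switch strings.ToLower(c.Algorithm) {
	case "", "sha1":
		return c, key, sha1.New, nil
	case "sha256":
		return c, key, sha256.New, nil
	case "sha512":
		return c, key, sha512.New, nil
	}
	return c, nil, nil, fmt.Errorf("unsupported algorithm %q", c.Algorithm)
}

// hotp is the RFC 4226 dynamic truncation of HMAC(key, counter).
func hotp(h func() hash.Hash, key []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(h, key)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f
	truncated := uint64(binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff)
	return fmt.Sprintf("%0*d", digits, truncated%uint64(math.Pow10(digits)))
}

// CodeAt returns the code an authenticator app shows at time t.
func (c TOTPConfig) CodeAt(t time.Time) (string, error) {
	c, key, h, err := c.prepare()
	if err != nil {
		return "", err
	}
	return hotp(h, key, uint64(t.Unix()/int64(c.Period)), c.Digits), nil
}

// VerifyAt accepts code if it matches any period within +/- Skew of t. Every
// candidate is compared in constant time and the loop never exits early.
func (c TOTPConfig) VerifyAt(code string, t time.Time) (bool, error) {
	c, key, h, err := c.prepare()
	if err != nil {
		return false, err
	}
	now, match := t.Unix()/int64(c.Period), 0
	for d := -int64(c.Skew); d <= int64(c.Skew); d++ {
		if now+d < 0 {
			continue // never wrap the counter below the epoch
		}
		want := hotp(h, key, uint64(now+d), c.Digits)
		match |= subtle.ConstantTimeCompare([]byte(want), []byte(code))
	}
	return match == 1, nil
}

func main() {
	code, _ := TOTPConfig{Secret: "MZXW6YTBOIFA", Skew: 1}.CodeAt(time.Now())
	fmt.Println("code for the page's example secret right now:", code)
}
```

Note that a skew of 1 with a 30 second period means a code stays acceptable for up to 90 seconds, so a verifier in production should additionally remember the last accepted counter per user and refuse to accept the same code twice (RFC 6238 section 5.2); the example above deliberately leaves that state out.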

Yubikey (yubikey)

This provider needs the following global configuration (under the mfa key) to function. client_id and secret_key are the API credentials issued by Yubico; treat secret_key as a secret and keep it out of version control:

mfa:
  yubikey:
    # Get your client ID / secret key from https://upgrade.yubico.com/getapikey/
    client_id: "12345"
    secret_key: "foobar"

The corresponding MFA configuration is as follows. device is the 12-character modhex public identity of the user's key, i.e. the first 12 characters of every OTP that key emits:

provider: yubikey
attributes:
  device: ccccccfcvuul
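As an added example (illustration code in Go, not nginx-sso's own implementation; the function names are mine), the block below shows what the three configured values are used for: device is compared against the public-identity prefix of the submitted OTP before anything is sent to the validation service, and client_id / secret_key sign the verify request and check the response, following the signing rule of Yubico's validation protocol v2.0 (sorted parameters joined with "&", HMAC-SHA1 with the base64-decoded secret, base64 output). The OTP and API key in it are constructed samples; Yubico issues the real secret key base64 encoded, which is why the page's "foobar" placeholder would not decode.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// modhex is Yubico's keyboard-layout-independent hex alphabet (c=0 ... v=f).
const modhex = "cbdefghijklnrtuv"

// A Yubikey OTP is 44 modhex characters: the 12-character public identity
// (the "device" attribute above) followed by a 32-character encrypted token.
const publicIDLen, otpLen = 12, 44

// ModhexToHex converts a modhex string to ordinary lower-case hex.
func ModhexToHex(s string) (string, error) {
	var b strings.Builder
	for _, r := range s {
		i := strings.IndexRune(modhex, r)
		if i < 0 {
			return "", fmt.Errorf("invalid modhex character %q", r)
		}
		b.WriteByte("0123456789abcdef"[i])
	}
	return b.String(), nil
}

// PublicID returns the device identity prefix of an OTP after checking its shape.
func PublicID(otp string) (string, error) {
	if len(otp) != otpLen {
		return "", errors.New("OTP must be 44 characters")
	}
	if _, err := ModhexToHex(otp); err != nil {
		return "", err
	}
	return otp[:publicIDLen], nil
}

// BelongsToDevice checks that the OTP was produced by the configured key. Do
// this before calling the validation service: a valid OTP from somebody else's
// Yubikey must not log this user in.
func BelongsToDevice(otp, device string) bool {
	id, err := PublicID(otp)
	return err == nil && subtle.ConstantTimeCompare([]byte(id), []byte(device)) == 1
}

// signParams sorts the parameters by name, joins them as name=value with "&",
// and returns base64(HMAC-SHA1(base64decode(secretKey), joined)). A present
// "h" parameter is excluded so the same function serves requests and responses.
func signParams(params map[string]string, secretKey string) (string, error) {
	key, err := base64.StdEncoding.DecodeString(secretKey)
	if err != nil {
		return "", err
	}
	names := make([]string, 0, len(params))
	for n := range params {
		if n != "h" {
			names = append(names, n)
		}
	}
	sort.Strings(names)
	parts := make([]string, len(names))
	for i, n := range names {
		parts[i] = n + "=" + params[n]
	}
	mac := hmac.New(sha1.New, key)
	mac.Write([]byte(strings.Join(parts, "&")))
	return base64.StdEncoding.EncodeToString(mac.Sum(nil)), nil
}

// BuildRequest returns the signed query parameters for a verify call
// (sent over HTTPS to a Yubico validation server; the HTTP call is left out).
func BuildRequest(clientID, secretKey, otp, nonce string) (map[string]string, error) {
	params := map[string]string{"id": clientID, "otp": otp, "nonce": nonce, "timestamp": "1"}
	h, err := signParams(params, secretKey)
	if err != nil {
		return nil, err
	}
	params["h"] = h
	return params, nil
}

// VerifyResponse checks the server's signature, that the answer is for our OTP
// and nonce rather than a replayed answer to another request, and status=OK.
func VerifyResponse(resp map[string]string, secretKey, otp, nonce string) (bool, error) {
	want, err := signParams(resp, secretKey)
	if err != nil {
		return false, err
	}
	if subtle.ConstantTimeCompare([]byte(want), []byte(resp["h"])) != 1 {
		return false, errors.New("response signature mismatch")
	}
	if resp["otp"] != otp || resp["nonce"] != nonce {
		return false, errors.New("response does not match request")
	}
	return resp["status"] == "OK", nil
}

func main() {
	// Constructed sample values, not a real OTP or a real API key.
	const otp = "ccccccfcvuulcbdefghijklnrtuvcbdefghijklnrtuv"
	secret := base64.StdEncoding.EncodeToString([]byte("constructed-sample-api-key"))
	fmt.Println("OTP belongs to configured device:", BelongsToDevice(otp, "ccccccfcvuul"))
	req, err := BuildRequest("12345", secret, otp, "constructednonce0001")
	fmt.Println(req, err)
}
```

The public-ID comparison is the part that maps directly onto the device attribute: the validation service only answers whether an OTP is genuine and unused, not whose key produced it, so without that prefix check any valid Yubikey OTP would satisfy the second factor.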