
login-enforcement

Create a login enforcement

This endpoint creates or updates a login enforcement that specifies which MFA methods must be used when logging into OpenBao. If several login enforcements match a login attempt, each of them must be satisfied before the attempt succeeds.

Method   Path
POST     /identity/mfa/login-enforcement/:name

Parameters

  • name (string: <required>) - Name for this login enforcement configuration.

  • mfa_method_ids ([]string: <required>) - Array of MFA method UUIDs to use. These will be ORed together, meaning if several IDs are specified, any one of them is sufficient to login.

  • auth_method_accessors ([]string: []) - Array of auth mount accessor IDs. If present, only auth methods corresponding to the given accessors are checked during login.

  • auth_method_types ([]string: []) - Array of auth method types. If present, only auth methods corresponding to the given types are checked during login.

  • identity_group_ids ([]string: []) - Array of identity group IDs. If present, only entities belonging to one of the given groups are checked during login.

  • identity_entity_ids ([]string: []) - Array of identity entity IDs. If present, only entities with the given IDs are checked during login.

Note that while none of auth_method_accessors, auth_method_types, identity_group_ids, or identity_entity_ids is individually required, at least one of those four fields must be present to create a login enforcement.

Sample payload

{
  "mfa_method_ids": ["134f7ce9-feae-4c6c-9ed7-ab3e413dbfce"],
  "auth_method_accessors": ["auth_userpass_337fdb6a"]
}

Sample request

$ curl \
    --header "X-Vault-Token: ..." \
    --request POST \
    --data @payload.json \
    http://127.0.0.1:8200/v1/identity/mfa/login-enforcement/foo
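The following is an added example, not code from OpenBao or this page. It builds the request the curl sample issues, enforces the "at least one selector" rule client-side before sending, and models the evaluation rules the parameter list describes (MFA methods ORed within one enforcement, enforcements ANDed with each other) against constructed login data. Everything not on the page is an assumption: the IDs other than those in the samples are invented, the token is a placeholder, and the four selectors are treated as alternatives (an enforcement applies when any configured selector matches the login), which is how the parameter descriptions read; confirm that reading against your OpenBao version before relying on it.

```python
"""Client-side model of OpenBao MFA login enforcements (added example)."""
import json
import urllib.request
from dataclasses import dataclass, field

# The four selector fields; the page requires at least one of them to be set.
SELECTOR_FIELDS = ("auth_method_accessors", "auth_method_types",
                   "identity_group_ids", "identity_entity_ids")


def build_enforcement(mfa_method_ids, **selectors):
    """Validate and return the JSON payload for POST .../login-enforcement/:name."""
    if not mfa_method_ids:
        raise ValueError("mfa_method_ids is required and must not be empty")
    unknown = set(selectors) - set(SELECTOR_FIELDS)
    if unknown:
        raise ValueError(f"unknown selector field(s): {sorted(unknown)}")
    payload = {"mfa_method_ids": list(mfa_method_ids)}
    for name in SELECTOR_FIELDS:
        payload[name] = list(selectors.get(name, []))
    if not any(payload[name] for name in SELECTOR_FIELDS):
        raise ValueError("at least one of " + ", ".join(SELECTOR_FIELDS) + " must be set")
    return payload


def create_request(addr, token, name, payload):
    """Build (but do not send) the HTTP request the curl sample issues."""
    url = f"{addr.rstrip('/')}/v1/identity/mfa/login-enforcement/{name}"
    return urllib.request.Request(
        url, data=json.dumps(payload).encode(), method="POST",
        headers={"X-Vault-Token": token, "Content-Type": "application/json"},
    )


@dataclass
class LoginContext:
    """What is known about a login attempt when enforcements are evaluated."""
    auth_accessor: str
    auth_type: str
    entity_id: str
    group_ids: set = field(default_factory=set)
    verified_mfa_method_ids: set = field(default_factory=set)


def enforcement_applies(enf, ctx):
    """ASSUMPTION: selectors are alternatives (OR); an empty list never matches."""
    return (
        ctx.auth_accessor in enf["auth_method_accessors"]
        or ctx.auth_type in enf["auth_method_types"]
        or ctx.entity_id in enf["identity_entity_ids"]
        or bool(ctx.group_ids & set(enf["identity_group_ids"]))
    )


def login_permitted(enforcements, ctx):
    """Every applicable enforcement must be satisfied (AND across enforcements);
    within one enforcement any single listed MFA method suffices (OR).
    Returns (ok, names of unsatisfied enforcements)."""
    unsatisfied = []
    for name, enf in enforcements.items():
        if not enforcement_applies(enf, ctx):
            continue
        if not ctx.verified_mfa_method_ids & set(enf["mfa_method_ids"]):
            unsatisfied.append(name)
    return (not unsatisfied), sorted(unsatisfied)


# Constructed sample data: TOTP_ID and the accessor come from the page's sample
# payload; the other IDs are invented for this example.
TOTP_ID = "134f7ce9-feae-4c6c-9ed7-ab3e413dbfce"
DUO_ID = "aaaaaaaa-0000-4000-8000-000000000001"
ADMINS_GROUP = "11111111-2222-4333-8444-555555555555"

ENFORCEMENTS = {
    "foo": build_enforcement([TOTP_ID], auth_method_accessors=["auth_userpass_337fdb6a"]),
    "admins": build_enforcement([TOTP_ID, DUO_ID], identity_group_ids=[ADMINS_GROUP]),
}

if __name__ == "__main__":
    req = create_request("http://127.0.0.1:8200", "s.placeholder", "foo", ENFORCEMENTS["foo"])
    print(req.get_method(), req.full_url)
    # An admin logging in via userpass who verified only Duo: "foo" still demands TOTP.
    admin = LoginContext("auth_userpass_337fdb6a", "userpass", "ent-1",
                         {ADMINS_GROUP}, {DUO_ID})
    print(login_permitted(ENFORCEMENTS, admin))
```

The evaluation functions exist to make the two rules on this page concrete: a userpass admin who completed only Duo passes the "admins" enforcement (Duo is one of its ORed methods) but still fails "foo", which lists TOTP alone, so the login is denied; a login that matches no enforcement at all is not subject to MFA.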

Read login enforcement

This endpoint reads the login enforcement configuration for a given name.

Method   Path
GET      /identity/mfa/login-enforcement/:name

Parameters

  • name (string: <required>) - Name of the login enforcement.

Sample request

$ curl \
    --header "X-Vault-Token: ..." \
    --request GET \
    http://127.0.0.1:8200/v1/identity/mfa/login-enforcement/foo

Sample response

{
  "data": {
    "auth_method_accessors": [
      "auth_userpass_337fdb6a"
    ],
    "auth_method_types": [],
    "id": "24167a6c-759a-c596-6d48-391c89c4befc",
    "identity_entity_ids": [],
    "identity_group_ids": [],
    "mfa_method_ids": [
      "c1372abf-bf64-1f26-c2a4-cbcfa135b775"
    ],
    "name": "foo",
    "namespace_id": "root"
  }
}

Delete login enforcement

This endpoint deletes a login enforcement configuration by the given name.

Method   Path
DELETE   /identity/mfa/login-enforcement/:name

Parameters

  • name (string: <required>) - Name of the login enforcement.

Sample request

$ curl \
    --header "X-Vault-Token: ..." \
    --request DELETE \
    http://127.0.0.1:8200/v1/identity/mfa/login-enforcement/foo

List login enforcements

This endpoint lists login enforcements that are visible.

Method   Path
LIST     /identity/mfa/login-enforcement

Sample request

$ curl \
    --header "X-Vault-Token: ..." \
    --request LIST \
    http://127.0.0.1:8200/v1/identity/mfa/login-enforcement

Sample response

{
  "data": {
    "keys": [
      "foo"
    ]
  }
}