login-enforcement
Create a login enforcement
This endpoint creates or updates a login enforcement that specifies which MFA methods should be used when logging into OpenBao. If there are multiple login enforcements, each one needs to be satisfied before a login attempt succeeds.
| Method | Path |
|---|---|
POST | /identity/mfa/login-enforcement/:name |
Parameters
-
name(string: <required>)- Name for this login enforcement configuration. -
mfa_method_ids([]string: <required>)- Array of MFA method UUIDs to use. These will be ORed together, meaning if several IDs are specified, any one of them is sufficient to login. -
auth_method_accessors([]string: [])- Array of auth mount accessor IDs. If present, only auth methods corresponding to the given accessors are checked during login. -
auth_method_types([]string: [])- Array of auth method types. If present, only auth methods corresponding to the given types are checked during login. -
identity_group_ids([]string: [])- Array of identity group IDs. If present, only entities belonging to one of the given groups are checked during login. -
identity_entity_ids([]string: [])- Array of identity entity IDs. If present, only entities with the given IDs are checked during login.
Note that while none of auth_method_accessors, auth_method_types, identity_group_ids, or identity_entity_ids is
individually required, at least one of those four fields must be present to create a login enforcement.
Sample payload
{
"mfa_method_ids": ["134f7ce9-feae-4c6c-9ed7-ab3e413dbfce"],
"auth_method_accessors": ["auth_userpass_337fdb6a"]
}
Sample request
$ curl \
--header "X-Vault-Token: ..." \
--request POST \
--data @payload.json \
http://127.0.0.1:8200/v1/identity/mfa/login-enforcement/foo
Read login enforcement
This endpoint reads the login enforcement configuration for a given name.
| Method | Path |
|---|---|
GET | /identity/mfa/login-enforcement/:name |
Parameters
name(string: <required>)– Name of the login enforcement.
Sample request
$ curl \
--header "X-Vault-Token: ..." \
--request GET \
http://127.0.0.1:8200/v1/identity/mfa/login-enforcement/foo
Sample response
{
"data": {
"auth_method_accessors": [
"auth_userpass_337fdb6a"
],
"auth_method_types": [],
"id": "24167a6c-759a-c596-6d48-391c89c4befc",
"identity_entity_ids": [],
"identity_group_ids": [],
"mfa_method_ids": [
"c1372abf-bf64-1f26-c2a4-cbcfa135b775"
],
"name": "foo",
"namespace_id": "root"
}
}
Delete login enforcement
This endpoint deletes a login enforcement configuration by the given name.
| Method | Path |
|---|---|
DELETE | /identity/mfa/login-enforcement/:name |
Parameters
name(string: <required>)- Name of the login enforcement.
Sample request
$ curl \
--header "X-Vault-Token: ..." \
--request DELETE \
http://127.0.0.1:8200/v1/identity/mfa/login-enforcement/foo
List login enforcements
This endpoint lists login enforcements that are visible.
| Method | Path |
|---|---|
LIST | /identity/mfa/login-enforcement |
Sample request
$ curl \
--header "X-Vault-Token: ..." \
--request LIST \
http://127.0.0.1:8200/v1/identity/mfa/login-enforcement
Sample response
{
"data": {
"keys": [
"foo"
]
}
}