diff --git a/builtin/credential/okta/backend.go b/builtin/credential/okta/backend.go index 951d19097316..4f9e5afd10ee 100644 --- a/builtin/credential/okta/backend.go +++ b/builtin/credential/okta/backend.go @@ -4,6 +4,7 @@ import ( "fmt" "github.com/chrismalek/oktasdk-go/okta" + "github.com/hashicorp/vault/helper/mfa" "github.com/hashicorp/vault/logical" "github.com/hashicorp/vault/logical/framework" ) @@ -22,6 +23,8 @@ func Backend() *backend { Help: backendHelp, PathsSpecial: &logical.Paths{ + Root: mfa.MFARootPaths(), + Unauthenticated: []string{ "login/*", }, @@ -33,8 +36,9 @@ func Backend() *backend { pathGroups(&b), pathUsersList(&b), pathGroupsList(&b), - pathLogin(&b), - }), + }, + mfa.MFAPaths(b.Backend, pathLogin(&b))..., + ), AuthRenew: b.pathLoginRenew, BackendType: logical.TypeCredential, diff --git a/website/source/docs/auth/mfa.html.md b/website/source/docs/auth/mfa.html.md index 46617e1c565d..4e61f9130643 100644 --- a/website/source/docs/auth/mfa.html.md +++ b/website/source/docs/auth/mfa.html.md @@ -12,7 +12,7 @@ Several authentication backends support multi-factor authentication (MFA). Once a backend, users are required to provide additional verification, like a one-time passcode, before being authenticated. -Currently, the "ldap", "radius" and "userpass" backends support MFA. +Currently, the "ldap", "okta", "radius", and "userpass" backends support MFA. ## Authentication