Hello, is there a way to set up MFA for the ROR plugin?
If yes, can someone help me with this?
We don’t offer an MFA feature out of the box (we totally could, via TOTP).
But there are hooks in the Kibana plugin to do an extra validation pass before you get to actually accept the login attempt.
@Dzuming can escort you through the docs, with some suggestions.
@miroslavkardos @sscarduzio
In our docs, we have an example with 2FA provided by DUO. Take a look:
Yes that is using delegated authentication via a SAML identity provider that supports MFA like DUO. Totally viable, the easiest way out.
Another way is to write custom middleware for ROR Kibana.
Another way is to write/provision a reverse proxy that implements MFA and use it as proxyAuth.
Still would be cool to implement this as part of ROR, using speakeasy and qrcode libraries for express js. We could leverage the metadata rule in ROR ES to associate a QR code (as string) to each user.
    - name: ADMIN_WITH_TOTP
      auth_key: admin:password
      kibana:
        access: admin
        metadata:
          totp_string: "...."
And Kibana would check for user input TOTP.
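The TOTP check proposed in the post above, as an added example that is not part of the thread or of ReadonlyREST's code: it implements RFC 6238 with Node's built-in `crypto` instead of speakeasy so it runs without dependencies. That `totp_string` holds a base32 secret, the `verifyTotp` helper, and its `lastStep` replay guard are assumptions made for illustration.

```javascript
const crypto = require('crypto');

const B32 = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';

// Decode an RFC 4648 base32 secret (the usual TOTP enrolment format) to bytes.
function base32Decode(str) {
  let bits = 0, value = 0;
  const out = [];
  for (const ch of str.toUpperCase().replace(/[\s=]/g, '')) {
    const idx = B32.indexOf(ch);
    if (idx < 0) throw new Error('invalid base32 character in secret');
    value = (value << 5) | idx;
    bits += 5;
    if (bits >= 8) {
      bits -= 8;
      out.push((value >>> bits) & 0xff);
      value &= (1 << bits) - 1; // keep only the bits not yet emitted
    }
  }
  return Buffer.from(out);
}

// HOTP (RFC 4226) computed over the time-step counter gives TOTP (RFC 6238).
function totpAt(secret, unixSeconds, digits = 6, step = 30) {
  const counter = Buffer.alloc(8);
  counter.writeBigUInt64BE(BigInt(Math.floor(unixSeconds / step)));
  const mac = crypto.createHmac('sha1', secret).update(counter).digest();
  const off = mac[mac.length - 1] & 0x0f; // dynamic truncation offset
  const code = (mac.readUInt32BE(off) & 0x7fffffff) % 10 ** digits;
  return String(code).padStart(digits, '0');
}

// Hypothetical login-hook check: `metadata` stands for the user's metadata as
// proposed in the thread (totp_string assumed base32); `lastStep` is the last
// accepted time step for this user, stored server-side to block code replay.
function verifyTotp(metadata, userCode, lastStep = -1, now = Date.now() / 1000) {
  if (!/^\d{6}$/.test(String(userCode))) return { ok: false, step: lastStep };
  const secret = base32Decode(metadata.totp_string);
  const current = Math.floor(now / 30);
  for (const step of [current, current - 1, current + 1]) { // +/- 1 step drift
    if (step <= lastStep) continue; // this step's code was already used
    const expected = Buffer.from(totpAt(secret, step * 30));
    if (crypto.timingSafeEqual(expected, Buffer.from(String(userCode)))) {
      return { ok: true, step };
    }
  }
  return { ok: false, step: lastStep };
}
```

The caller persists the returned `step` per user after a successful login and passes it back as `lastStep` on the next attempt.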
Is it only available via ROR Enterprise?
DUO integration leverages the SAML connector, which is Enterprise only. Custom middleware is also an advanced feature from Enterprise. IIRC proxy auth is free (right @Dzuming)?
Yes, exactly. It’s a free feature.
OK, thanks guys for answers.