feat: Add custom MFA authentication flow with configurable enforcement

- Add authentication-flow.tf with complete MFA auth flow: - Identification -> Password -> MFA validation -> Session stages - Brute-force reputation policy binding - Evaluates policies on plan for user context - Add configuration variables: - enable_mfa_flow: Toggle custom MFA flow (default: false) - mfa_enforcement: skip/configure/deny (default: configure) - Fix existing issues: - rbac-groups.tf: parent -> parents (list) - source-google.tf: Use variables instead of deprecated sops - Google source now conditional (created only if credentials provided) - Update README: - Document MFA enforcement levels - Add authentication-flow.tf to file structure - Explain Option 1 (Terraform) vs Option 2 (manual UI) for MFA setup Security: Custom flow includes brute-force protection policy bound at flow level, not just stage level.
2026-02-10 06:44:58 +00:00 · 2026-02-09 16:03:32 +00:00
parent d55a52a8d5
commit 5d2535067e
8 changed files with 171 additions and 11 deletions
--- a/security-policies.tf
+++ b/security-policies.tf
@@ -99,7 +99,7 @@ resource "authentik_stage_authenticator_validate" "mfa_validation" {
  # - skip: Don't require MFA if not configured
  # - deny: Block login if MFA not configured (after enabling, users need MFA)
  # - configure: Force users to set up MFA if not configured
-  not_configured_action = "configure"
+  not_configured_action = var.mfa_enforcement
  
  # Supported authenticator types
  device_classes = [