How can a Cognito user initialize TOTP on first login when MFA is required?
I am setting up Amazon Cognito for authentication to use a Kibana instance. I only permit administrators to create users, and I permit only the Cognito User Pool identity provider. When creating the user pool, I set Multi-Factor Authentication to "required" and enabled only the "Time-based One-time Password" option. I use an Amazon Cognito domain for the sign-in page.
When I create a Cognito user from the AWS Console, I send the invitation by email. When going to the Kibana URL, the server redirects to the Cognito sign-in page as expected. After login with the temporary password in the email, the user is required to change the password, then attempt login again.
The problem is that MFA is required, but the user has no opportunity to set up a TOTP application. I would have expected TOTP setup to follow the required password change. Instead, Cognito rejects the login for not having MFA enabled:
You must have multi-factor authentication (MFA) set up to sign in. Please set up MFA and try again.

Managing the user in the AWS Console shows an option to enable SMS MFA. But, I'm not using SMS.

The TOTP Software Token MFA documentation states:
When your user chooses TOTP software token MFA, call AssociateSoftwareToken to return a unique generated shared secret key code for the user account. The request for this API method takes an access token or a session string, but not both. As a convenience, you can distribute the secret key as a quick response (QR) code.
But that sounds like I need to make an API call somehow after the user "chooses" TOTP. I'm not writing my own application that could make the API call -- this authentication is only for accessing the Kibana instance provided with Amazon Elasticsearch Service.
How can users initialize TOTP so they can use it to complete login as required?
amazon-web-services authentication
asked 1 min ago by Andrew (766)
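Added example, not from the question or from AWS: the challenge sequence a sign-in front end (the hosted UI, or a small enrolment helper) has to drive for a user in exactly the state described above, from temporary password through NEW_PASSWORD_REQUIRED to the MFA_SETUP challenge, where AssociateSoftwareToken is called with the session string because the user is not yet signed in. Method names and response keys follow the boto3 cognito-idp client; the FakeIdp class, its session strings and the RFC 6238 test secret are constructed so the block runs offline, and the totp helper shows what the user's authenticator app derives from the returned SecretCode.

```python
import base64, hashlib, hmac, struct, time

def totp(secret_b32, at=None, digits=6, step=30):
    """RFC 6238 code an authenticator app derives from Cognito's SecretCode."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    counter = struct.pack(">Q", int(time.time() if at is None else at) // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return str(code).zfill(digits)

def otpauth_uri(secret_b32, username, issuer):
    """String a sign-in page encodes as the QR code for the user's app."""
    return f"otpauth://totp/{issuer}:{username}?secret={secret_b32}&issuer={issuer}"

def enrol_totp(idp, client_id, username, temp_password, new_password, code_for):
    """Temp password -> NEW_PASSWORD_REQUIRED -> MFA_SETUP -> enrolled TOTP. idp is a
    boto3 cognito-idp client or a stand-in; code_for plays the user's app (SecretCode -> code)."""
    r = idp.initiate_auth(ClientId=client_id, AuthFlow="USER_PASSWORD_AUTH",
                          AuthParameters={"USERNAME": username, "PASSWORD": temp_password})
    if r.get("ChallengeName") == "NEW_PASSWORD_REQUIRED":  # first login: replace temp password
        r = idp.respond_to_auth_challenge(
            ClientId=client_id, ChallengeName="NEW_PASSWORD_REQUIRED", Session=r["Session"],
            ChallengeResponses={"USERNAME": username, "NEW_PASSWORD": new_password})
    if r.get("ChallengeName") != "MFA_SETUP":  # MFA required but nothing enrolled yet
        raise RuntimeError(f"unexpected challenge: {r.get('ChallengeName')}")
    # Session, not access token: the user is not signed in until MFA_SETUP completes.
    a = idp.associate_software_token(Session=r["Session"])
    v = idp.verify_software_token(Session=a["Session"], UserCode=code_for(a["SecretCode"]))
    if v["Status"] != "SUCCESS":
        raise RuntimeError("TOTP code rejected; the secret was not enrolled")
    r = idp.respond_to_auth_challenge(ClientId=client_id, ChallengeName="MFA_SETUP",
                                      Session=v["Session"], ChallengeResponses={"USERNAME": username})
    return r["AuthenticationResult"]

class FakeIdp:
    """Constructed offline stand-in replaying the real challenge order (not AWS code)."""
    SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"  # RFC 6238 test secret, constructed input
    def initiate_auth(self, **kw):
        return {"ChallengeName": "NEW_PASSWORD_REQUIRED", "Session": "s1"}
    def respond_to_auth_challenge(self, **kw):
        if kw["ChallengeName"] == "NEW_PASSWORD_REQUIRED":
            return {"ChallengeName": "MFA_SETUP", "Session": "s2"}
        return {"AuthenticationResult": {"AccessToken": "fake-token"}}
    def associate_software_token(self, **kw):
        return {"SecretCode": self.SECRET, "Session": "s3"}
    def verify_software_token(self, **kw):
        now = time.time()  # accept current or previous step, as a real verifier tolerates skew
        ok = kw["UserCode"] in (totp(self.SECRET, now), totp(self.SECRET, now - 30))
        return {"Status": "SUCCESS" if ok else "ERROR", "Session": "s4"}
```

Against a real pool, `idp = boto3.client("cognito-idp")` replaces FakeIdp and the app client must have USER_PASSWORD_AUTH enabled; until a TOTP device is enrolled this way, a "required" MFA pool with only TOTP enabled has no path past the error the question quotes.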