# login-enforcement

### Create a login enforcement <a href="#create-a-login-enforcement" id="create-a-login-enforcement"></a>

This endpoint creates or updates a login enforcement that specifies which MFA methods should be used when logging into Vault. If there are multiple login enforcements, each one needs to be satisfied before a login attempt succeeds.

| Method | Path                                    |
| ------ | --------------------------------------- |
| `POST` | `/identity/mfa/login-enforcement/:name` |

#### Parameters <a href="#parameters" id="parameters"></a>

* `name` `(string: <required>)` - Name for this login enforcement configuration.
* `mfa_method_ids` `([]string: <required>)` - Array of MFA method UUIDs to use. These will be ORed together, meaning if several IDs are specified, any one of them is sufficient to log in.
* `auth_method_accessors` `([]string: [])` - Array of auth mount accessor IDs. If present, only auth methods corresponding to the given accessors are checked during login.
* `auth_method_types` `([]string: [])` - Array of auth method types. If present, only auth methods corresponding to the given types are checked during login.
* `identity_group_ids` `([]string: [])` - Array of identity group IDs. If present, only entities belonging to one of the given groups are checked during login. Note that these IDs can be from the current namespace or a child namespace.
* `identity_entity_ids` `([]string: [])` - Array of identity entity IDs. If present, only entities with the given IDs are checked during login. Note that these IDs can be from the current namespace or a child namespace.

Note that while none of `auth_method_accessors`, `auth_method_types`, `identity_group_ids`, or `identity_entity_ids` is individually required, at least one of those four fields must be present to create a login enforcement.
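The following added example (not code from Vault or from this documentation) models the rules above locally: it checks a payload against the documented requirements and reports which enforcements a login would still fail. The `login` dictionary shape, the function names, and the "any one selector matches" scoping rule are assumptions; the `admins` enforcement and its IDs are constructed.

```python
# Added example (not Vault code): a local model of the rules on this page.
SELECTORS = ("auth_method_accessors", "auth_method_types",
             "identity_group_ids", "identity_entity_ids")

def validate_payload(payload):
    """Problems that violate the documented create/update requirements."""
    problems = []
    if not payload.get("mfa_method_ids"):
        problems.append("mfa_method_ids is required")
    if not any(payload.get(field) for field in SELECTORS):
        problems.append("at least one selector field must be present")
    return problems

def applies(enf, login):
    """Assumption: a match on any one selector puts the login in scope."""
    groups = set(login.get("group_ids", []))
    return (login.get("accessor") in enf.get("auth_method_accessors", [])
            or login.get("auth_type") in enf.get("auth_method_types", [])
            or login.get("entity_id") in enf.get("identity_entity_ids", [])
            or bool(groups & set(enf.get("identity_group_ids", []))))

def unsatisfied(enforcements, login, passed_method_ids):
    """Names of in-scope enforcements with none of their MFA methods passed."""
    passed = set(passed_method_ids)
    return [enf["name"] for enf in enforcements
            if applies(enf, login) and not passed & set(enf["mfa_method_ids"])]

# "foo" is the sample payload from this page; everything else is constructed.
ENFORCEMENTS = [
    {"name": "foo",
     "mfa_method_ids": ["134f7ce9-feae-4c6c-9ed7-ab3e413dbfce"],
     "auth_method_accessors": ["auth_userpass_337fdb6a"]},
    {"name": "admins",
     "mfa_method_ids": ["constructed-method-a", "constructed-method-b"],
     "identity_group_ids": ["constructed-admin-group"]},
]
LOGIN = {"accessor": "auth_userpass_337fdb6a", "auth_type": "userpass",
         "entity_id": "constructed-entity", "group_ids": ["constructed-admin-group"]}

if __name__ == "__main__":
    for enf in ENFORCEMENTS:
        print(enf["name"], validate_payload(enf) or "valid")
    # One method from "foo" only: "admins" is still unsatisfied.
    print(unsatisfied(ENFORCEMENTS, LOGIN, ["134f7ce9-feae-4c6c-9ed7-ab3e413dbfce"]))
```

Running a model like this over the output of the read and list endpoints shows which logins fall outside every enforcement's scope and therefore would not be prompted for MFA.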

#### Sample payload <a href="#sample-payload" id="sample-payload"></a>

```json
{
  "mfa_method_ids": ["134f7ce9-feae-4c6c-9ed7-ab3e413dbfce"],
  "auth_method_accessors": ["auth_userpass_337fdb6a"]
}
```

#### Sample request <a href="#sample-request" id="sample-request"></a>

```shell-session
$ curl \
    --header "X-Vault-Token: ..." \
    --request POST \
    --data @payload.json \
    http://127.0.0.1:8200/v1/identity/mfa/login-enforcement/foo
```

### Read login enforcement <a href="#read-login-enforcement" id="read-login-enforcement"></a>

This endpoint reads the login enforcement configuration for a given name.

| Method | Path                                    |
| ------ | --------------------------------------- |
| `GET`  | `/identity/mfa/login-enforcement/:name` |

#### Parameters <a href="#parameters-1" id="parameters-1"></a>

* `name` `(string: <required>)` - Name of the login enforcement.

#### Sample request <a href="#sample-request-1" id="sample-request-1"></a>

```shell-session
$ curl \
    --header "X-Vault-Token: ..." \
    --request GET \
    http://127.0.0.1:8200/v1/identity/mfa/login-enforcement/foo
```

#### Sample response <a href="#sample-response" id="sample-response"></a>

```json
{
  "data": {
    "auth_method_accessors": [
      "auth_userpass_337fdb6a"
    ],
    "auth_method_types": [],
    "id": "24167a6c-759a-c596-6d48-391c89c4befc",
    "identity_entity_ids": [],
    "identity_group_ids": [],
    "mfa_method_ids": [
      "c1372abf-bf64-1f26-c2a4-cbcfa135b775"
    ],
    "name": "foo",
    "namespace_id": "root"
  }
}
```

### Delete login enforcement <a href="#delete-login-enforcement" id="delete-login-enforcement"></a>

This endpoint deletes a login enforcement configuration by the given name.

| Method   | Path                                    |
| -------- | --------------------------------------- |
| `DELETE` | `/identity/mfa/login-enforcement/:name` |

#### Parameters <a href="#parameters-2" id="parameters-2"></a>

* `name` `(string: <required>)` - Name of the login enforcement.

#### Sample request <a href="#sample-request-2" id="sample-request-2"></a>

```shell-session
$ curl \
    --header "X-Vault-Token: ..." \
    --request DELETE \
    http://127.0.0.1:8200/v1/identity/mfa/login-enforcement/foo
```

### List login enforcements <a href="#list-login-enforcements" id="list-login-enforcements"></a>

This endpoint lists login enforcements that are visible in the current namespace or in parent namespaces.

| Method | Path                              |
| ------ | --------------------------------- |
| `LIST` | `/identity/mfa/login-enforcement` |

#### Sample request <a href="#sample-request-3" id="sample-request-3"></a>

```shell-session
$ curl \
    --header "X-Vault-Token: ..." \
    --request LIST \
    http://127.0.0.1:8200/v1/identity/mfa/login-enforcement
```

#### Sample response <a href="#sample-response-1" id="sample-response-1"></a>

```json
{
  "data": {
    "keys": [
      "foo"
    ]
  }
}
```

