Multi-Factor Authentication
You can configure multi-factor authentication (MFA) for additional security of user accounts. In Veeam Service Provider Console, this authentication method is based on the TOTP algorithm and requires a user to install an authenticator application on the trusted device. Veeam Service Provider Console supports all applications that use TOTP mechanism, however we recommend Google Authenticator.
You can enable and disable MFA for a user account using REST API.
|
After you enable MFA for a user, that user can no longer authenticate with user name and password to the Veeam Service Provider Console REST API. Before you assign a second authentication factor to the account that requires access to REST API, configure one of the authorization methods described in sections API Key-Based Authentication and Asymmetric Authentication. |
Configuring MFA for Own Account
To enable MFA for your user account:
- Send the HTTP GET request to the /authentication/keys/totp-secret path. The server will return the following data in the response body:
- secret — MFA secret.
- secretUrl — URL that contains MFA secret and user account data.
Request: POST https://<hostname>:1280/api/v3/authentication/keys/totp-secret
Request Headers: Content-type: application/json Authorization: Bearer <API-Key>
Response Code: 200 OK
Response Body: { "data": { "secret": "3QEYAIQAKPC2A4ENSZEXHL4OQLWJ4XNC", "secretUrl": "otpauth://totp/vspc%5cAdministrator?secret=3QEYAIQAKPC2A4ENSZEXHL4OQLWJ4XNC&issuer=My%20Company%20Portal" } } |
- Install an authenticator application on the trusted device and enter the secret key to create an account.
The application will generate a verification code.
|
You can use a QR code to create an account in the authenticator application:
The application will automatically create an account and generate a six-digit verification code. |
- Send the HTTP POST request to the /users/{userUid}/logins/totp path, where userUid is UID of your user. Additionally you must provide the following query string parameters:
- secretUrl — URL-encoded secret that you received at step 1.
- code — active security code.
- description — description for a new user identity.
- scope — services that are available to a new user identity. In this operation, only the ui value is available.
The server will return a response containing a resource representation of a new user identity associated with MFA.
Request: POST https://<hostname>:1280/api/v3/users/955b0b80-03b2-49fd-bf38-14785ecff0a8/logins/totp?secretUrl=otpauth://totp/vspc%5cAdministrator?secret=3QEYAIQAKPC2A4ENSZEXHL4OQLWJ4XNC&issuer=My%20Company%20Portal&code=324568&description=MFA for Alpha Administrator&scope=ui
Request Headers: Content-type: application/json Authorization: Bearer <API-Key>
Response Code: 200 OK
Response Body: { "data": { "id": 12, "userUid": "955b0b80-03b2-49fd-bf38-14785ecff0a8", "userName": "alpha_admin", "companyId": "3b139961-6b11-4fd8-9e87-c2be1b0e9ca8", "companyName": "Alpha", "identityProviderName": "TOTP", "description": "MFA for Alpha Administrator", "identifierInProvider": "11217524525076510964", "scopes": [], "status": "enabled", "parameters": "", "creationDate": "2020-08-18T16:02:26.0136931+00:00" } } |
Enabling MFA for Other Users
To enable MFA for other users, send the HTTP PATCH the following request to the /users/{userUid} path, where {userUid} is UID of a user:
[ { "op": "replace", "path": "mfaPolicyStatus", "value": "enabled", } ] |
Enabled MFA only affects users that access Veeam Service Provider Console Portal. On the next authorization, these users will be prompted to configure MFA. Authentication to Veeam Service Provider Console REST API remains intact.
Disabling MFA
To disable MFA for other users, send the HTTP PATCH the following request to the /users/{userUid} path, where {userUid} is UID of a user:
[ { "op": "replace", "path": "mfaPolicyStatus", "value": "disabled", } ] |
If you want to permanently disable MFA for a specific user, you can delete the associated user identity resource. For details, see Delete User Identity.