diff --git a/api/mfa/ceremony.go b/api/mfa/ceremony.go index 3b28162e62164..db5c8aa5c34d0 100644 --- a/api/mfa/ceremony.go +++ b/api/mfa/ceremony.go @@ -18,6 +18,7 @@ package mfa import ( "context" + "log/slog" "slices" "github.com/gravitational/trace" @@ -72,12 +73,14 @@ func (c *Ceremony) Run(ctx context.Context, req *proto.CreateAuthenticateChallen if c.SSOMFACeremonyConstructor != nil { ssoMFACeremony, err := c.SSOMFACeremonyConstructor(ctx) if err != nil { - return nil, trace.Wrap(err, "failed to handle SSO MFA ceremony") + // We may fail to start the SSO MFA flow in cases where the Proxy is down or broken. Fall + // back to skipping SSO MFA, especially since SSO MFA may not even be allowed on the server. + slog.DebugContext(ctx, "Failed to attempt SSO MFA, continuing with other MFA methods.", "error", err) + } else { + defer ssoMFACeremony.Close() + req.SSOClientRedirectURL = ssoMFACeremony.GetClientCallbackURL() + promptOpts = append(promptOpts, withSSOMFACeremony(ssoMFACeremony)) } - defer ssoMFACeremony.Close() - - req.SSOClientRedirectURL = ssoMFACeremony.GetClientCallbackURL() - promptOpts = append(promptOpts, withSSOMFACeremony(ssoMFACeremony)) } chal, err := c.CreateAuthenticateChallenge(ctx, req) diff --git a/lib/client/mfa.go b/lib/client/mfa.go index ff261950604a1..67e9b30f6417a 100644 --- a/lib/client/mfa.go +++ b/lib/client/mfa.go @@ -95,7 +95,7 @@ func (tc *TeleportClient) NewSSOMFACeremony(ctx context.Context) (mfa.SSOMFACere rd, err := sso.NewRedirector(rdConfig) if err != nil { - return nil, trace.Wrap(err) + return nil, trace.Wrap(err, "failed to create a redirector for SSO MFA") } return sso.NewCLIMFACeremony(rd), nil