Add SSO MFA docs #50533

Joerger · 2024-12-21T02:02:54Z

Add documentation for the new SSO MFA feature. See the RFD for more details.

github-actions · 2024-12-21T02:13:07Z

🤖 Vercel preview here: https://docs-mzyc3e21c-goteleport.vercel.app/docs

docs/pages/admin-guides/access-controls/sso/sso.mdx

examples/resources/oidc-connector-mfa.yaml

github-actions · 2025-01-02T18:27:10Z

Amplify deployment status

Branch	Commit	Job ID	Status	Preview	Updated (UTC)
joerger/sso-mfa-docs	`055b7e2`	4	✅SUCCEED	joerger-sso-mfa-docs	2025-01-03 21:29:04

ptgott · 2025-01-02T22:05:02Z

I still need to give this a proper review, but there are some internal links we need to fix for the preview build to work:

content/current/docs/pages/admin-guides/access-controls/sso/sso.mdx
    422:3-422:43  warning  Link to unknown file: `per-session-mfa.mdx`        missing-file  remark-validate-links
    423:3-423:4[9](https://github.com/gravitational/teleport/actions/runs/12586952343/job/35081837336#step:8:10)  warning  Link to unknown file: `moderated-sessions.mdx`     missing-file  remark-validate-links
    424:3-424:47  warning  Link to unknown file: `mfa-for-admin-actions.mdx`  missing-file  remark-validate-links
  437:66-437:[10](https://github.com/gravitational/teleport/actions/runs/12586952343/job/35081837336#step:8:11)6  warning  Link to unknown file: `per-session-mfa.mdx`        missing-file  remark-validate-links

docs/pages/admin-guides/access-controls/sso/sso.mdx

ptgott · 2025-01-03T20:30:59Z

docs/pages/admin-guides/access-controls/sso/sso.mdx

+<TabItem label="OIDC">
+
+```yaml
+(!/examples/resources/oidc-connector-mfa.yaml!)


The partial doesn't render here—do we need to remove the leading slash?

This also appears to be the case for existing sections in the preview, but those sections do load in the actual docs site.

docs/pages/admin-guides/access-controls/sso/sso.mdx

Joerger · 2025-01-06T18:32:57Z

Friendly ping to review @nklaassen @kiosion @mmcallister

docs/pages/admin-guides/access-controls/sso/sso.mdx

examples/resources/saml-connector-mfa.yaml

nklaassen · 2025-01-06T19:34:55Z

docs/pages/admin-guides/access-controls/sso/sso.mdx

+### Configure the IDP App / Client
+
+There is no standardized MFA flow unlike there is with SAML/OIDC login, so
+each IDP may offer zero, one, or more ways to offer MFA checks.
+
+Teleport does not make any assumptions as to how the MFA app is configured.
+If desired, you could even use your basic login flow with username, password,
+and MFA device.


the example yaml's seem to suggest the user should create a separate app in the IDP for doing MFA, should we be more explicit about suggesting that in this section? It feels like we're not really telling people what they need to do here

This is intentionally left vague and meant as an exercise for the reader to set up their own specific solution. You could set up a separate app or use the same app depending on the IDP offerings.

You're right it is too vague though, I will leave a couple examples and more guidance. My only concern is that I haven't actually been able to test these approaches with MFA enabled, since we don't have access to an enterprise Okta or Auth0 account for testing. In my testing I've most used a custom Auth0 Action which displays a fake webauthn prompt (no-op button) in place of an actual MFA prompt.

Add SSO MFA docs.

46c50b0

Joerger added documentation no-changelog Indicates that a PR does not require a changelog entry backport/branch/v17 labels Dec 21, 2024

Joerger temporarily deployed to vercel December 21, 2024 02:02 — with GitHub Actions Inactive

github-actions bot requested review from kiosion, mmcallister, nklaassen, ptgott, r0mant, xinding33 and zmb3 December 21, 2024 02:03

github-actions bot added the size/md label Dec 21, 2024

zmb3 reviewed Dec 21, 2024

View reviewed changes

Address comments from zmb3.

0511fc8

Joerger requested a review from zmb3 January 2, 2025 18:25

Joerger temporarily deployed to docs-amplify January 2, 2025 18:25 — with GitHub Actions Inactive

Fix links; minor style fix.

78a5655

Joerger temporarily deployed to docs-amplify January 2, 2025 23:35 — with GitHub Actions Inactive

ptgott approved these changes Jan 3, 2025

View reviewed changes

Address comments.

63c3ddb

Joerger temporarily deployed to docs-amplify January 3, 2025 21:19 — with GitHub Actions Inactive

Try removing leading / in example links.

055b7e2

Joerger temporarily deployed to docs-amplify January 3, 2025 21:20 — with GitHub Actions Inactive

nklaassen reviewed Jan 6, 2025

View reviewed changes

Address Nic's comments.

00e7e2a

Joerger mentioned this pull request Jan 6, 2025

SSO MFA tracker #46576

Open

Joerger requested a review from nklaassen January 7, 2025 03:15

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Add SSO MFA docs #50533

Add SSO MFA docs #50533

Joerger commented Dec 21, 2024

github-actions bot commented Dec 21, 2024

github-actions bot commented Jan 2, 2025 •

edited

Loading

ptgott commented Jan 2, 2025

ptgott Jan 3, 2025

Joerger Jan 3, 2025

Joerger commented Jan 6, 2025

nklaassen Jan 6, 2025

Joerger Jan 6, 2025 •

edited

Loading

Add SSO MFA docs #50533

Are you sure you want to change the base?

Add SSO MFA docs #50533

Conversation

Joerger commented Dec 21, 2024

github-actions bot commented Dec 21, 2024

github-actions bot commented Jan 2, 2025 • edited Loading

ptgott commented Jan 2, 2025

ptgott Jan 3, 2025

Choose a reason for hiding this comment

Joerger Jan 3, 2025

Choose a reason for hiding this comment

Joerger commented Jan 6, 2025

nklaassen Jan 6, 2025

Choose a reason for hiding this comment

Joerger Jan 6, 2025 • edited Loading

Choose a reason for hiding this comment

github-actions bot commented Jan 2, 2025 •

edited

Loading

Joerger Jan 6, 2025 •

edited

Loading