Add SSO MFA docs #50533

Merged
merged 6 commits into from
Jan 13, 2025

Joerger (Contributor) commented Dec 21, 2024

Add documentation for the new SSO MFA feature. See the RFD for more details.

🤖 Vercel preview here: https://docs-mzyc3e21c-goteleport.vercel.app/docs

@Joerger Joerger requested a review from zmb3 January 2, 2025 18:25

github-actions bot commented Jan 2, 2025

Amplify deployment status

| Branch | Commit | Job ID | Status | Preview | Updated (UTC) |
|---|---|---|---|---|---|
| joerger/sso-mfa-docs | 0d3af41 | 6 | ✅ SUCCEED | joerger-sso-mfa-docs | 2025-01-13 20:15:20 |

ptgott (Contributor) commented Jan 2, 2025

I still need to give this a proper review, but there are some internal links we need to fix for the preview build to work:

```
content/current/docs/pages/admin-guides/access-controls/sso/sso.mdx
    422:3-422:43    warning  Link to unknown file: `per-session-mfa.mdx`        missing-file  remark-validate-links
    423:3-423:49    warning  Link to unknown file: `moderated-sessions.mdx`     missing-file  remark-validate-links
    424:3-424:47    warning  Link to unknown file: `mfa-for-admin-actions.mdx`  missing-file  remark-validate-links
    437:66-437:106  warning  Link to unknown file: `per-session-mfa.mdx`        missing-file  remark-validate-links
```

docs/pages/admin-guides/access-controls/sso/sso.mdx (outdated)
<TabItem label="OIDC">

```yaml
(!/examples/resources/oidc-connector-mfa.yaml!)

Contributor

The partial doesn't render here—do we need to remove the leading slash?

Contributor Author

This also appears to be the case for existing sections in the preview, but those sections do load in the actual docs site.

Joerger (Contributor Author) commented Jan 6, 2025

Friendly ping to review @nklaassen @kiosion @mmcallister

docs/pages/admin-guides/access-controls/sso/sso.mdx (outdated)
examples/resources/saml-connector-mfa.yaml (outdated)
Comment on lines 436 to 443
### Configure the IDP App / Client

There is no standardized MFA flow unlike there is with SAML/OIDC login, so
each IDP may offer zero, one, or more ways to offer MFA checks.

Teleport does not make any assumptions as to how the MFA app is configured.
If desired, you could even use your basic login flow with username, password,
and MFA device.
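
Review bot: The second paragraph ("Teleport does not make any assumptions as to how the MFA app is configured") never says what the reader must guarantee in return, and the closing sentence about reusing the basic login flow reads as if any flow is acceptable. Suggest stating the one requirement explicitly, that the IdP app or client configured here must itself prompt for and enforce the MFA check, and naming at least one concrete setup (a dedicated MFA app versus the basic login flow). The opening sentence is also hard to parse; "Unlike SAML/OIDC login, there is no standardized MFA flow, so each IDP may offer zero, one, or more ways to perform MFA checks" avoids "unlike there is" and the repeated "offer".
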
Contributor

The example YAMLs seem to suggest the user should create a separate app in the IDP for doing MFA; should we be more explicit about suggesting that in this section? It feels like we're not really telling people what they need to do here.

Joerger (Contributor Author) commented Jan 6, 2025

This is intentionally left vague and meant as an exercise for the reader to set up their own specific solution. You could set up a separate app or use the same app depending on the IDP offerings.

You're right, it is too vague though. I will leave a couple of examples and more guidance. My only concern is that I haven't actually been able to test these approaches with MFA enabled, since we don't have access to an enterprise Okta or Auth0 account for testing. In my testing I've mostly used a custom Auth0 Action which displays a fake WebAuthn prompt (no-op button) in place of an actual MFA prompt.

@Joerger Joerger mentioned this pull request Jan 6, 2025
@Joerger Joerger requested a review from nklaassen January 7, 2025 03:15
Joerger (Contributor Author) commented Jan 13, 2025

@nklaassen Friendly ping to re-review

@Joerger Joerger enabled auto-merge January 13, 2025 20:09
@Joerger Joerger force-pushed the joerger/sso-mfa-docs branch from 00e7e2a to 0d3af41 Compare January 13, 2025 20:09
@Joerger Joerger added this pull request to the merge queue Jan 13, 2025
Merged via the queue into master with commit ce30037 Jan 13, 2025
42 checks passed
@Joerger Joerger deleted the joerger/sso-mfa-docs branch January 13, 2025 20:32
@public-teleport-github-review-bot

@Joerger See the table below for backport results.

Branch Result
branch/v17 Create PR

@Joerger Joerger mentioned this pull request Jan 13, 2025
Labels: backport/branch/v17, documentation, no-changelog, size/md