Add SSO MFA docs #50533
base: master
🤖 Vercel preview here: https://docs-mzyc3e21c-goteleport.vercel.app/docs
Teleport MFA checks can be delegated to your SSO provider. This allows Teleport | ||
users to use MFA devices and custom flows configured in the SSO provider to carry out | ||
privileged actions in Teleport, such as: |
Teleport MFA checks can be delegated to your SSO provider. This allows Teleport | |
users to use MFA devices and custom flows configured in the SSO provider to carry out | |
privileged actions in Teleport, such as: | |
Teleport administrators can configure Teleport to delegate MFA checks to an | |
SSO provider as an alternative to registering MFA devices directly with the Teleport Cluster. | |
This allows Teleport users to use MFA devices and custom flows configured in the SSO provider to carry out privileged actions in Teleport, such as: |
|
||
Administrators may want to consider enabling this feature for the following benefits: | ||
|
||
- All authentication (login and MFA) goes through the IdP, consolidating monitoring |
- All authentication (login and MFA) goes through the IdP, consolidating monitoring | |
- All authentication (login and MFA) goes through the IdP, reducing administrative overhead |
``` | ||
|
||
You may use `entity_descriptor_url` in lieu of `entity_descriptor` to fetch | ||
the entity descriptor from your IDP. |
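Review bot: The `entity_descriptor_url` sentence does not say what trust is placed in the fetched document. A SAML entity descriptor carries the IdP's signing certificate and SSO endpoints, so I'd suggest adding that the URL should be an HTTPS address served by the IdP itself, and that `entity_descriptor` remains the option for administrators who prefer to pin the descriptor in the connector resource.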
the entity descriptor from your IDP. | |
the entity descriptor from your IdP. |
Choose one (IdP or IDP) and be consistent.
# top of active user sessions. | ||
max_age: 0 | ||
|
||
version: v3 |
Nit: I'd move this to the top after kind.
Add documentation for the new SSO MFA feature. See the RFD for more details.