Add support for MFA Challenge requirements for SSO users #41614

Open
programmerq opened this issue May 15, 2024 · 0 comments
Labels
c-ds Internal Customer Reference feature-request Used for new features in Teleport, improvements to current should be #enhancements mfa Issues related to Multi Factor Authentication sso Used for single sign on related tasks.

Comments

@programmerq
Contributor

What would you like Teleport to do?

Teleport only supports MFA challenges for per-session MFA policies for an SSO user. If a user has a requirement for hardware token MFA devices (which Teleport supports), but they use an SSO provider that doesn't support those, they're kind of stuck.

It would be fantastic for Teleport to be able to require the MFA challenge after successful SSO auth as an opt-in policy/setting for users with that use-case. ADFS doesn't support a YubiKey/hardware token MFA challenge, for example.

What problem does this solve?

The proposed feature would handle use cases where a third-party Identity Provider (IDP) such as Active Directory (AD) does not natively support their preferred MFA device, like YubiKeys. This addition would be an additional layer in a multi-layered security model.

If a workaround exists, please include it.

Implementing per-session MFA can protect some Teleport Protected Resources, but has other user experience implications. It doesn't keep users from accessing the Web UI either.

@programmerq programmerq added feature-request Used for new features in Teleport, improvements to current should be #enhancements sso Used for single sign on related tasks. mfa Issues related to Multi Factor Authentication c-ds Internal Customer Reference labels May 15, 2024