
Teleport authenticates users either via the Proxy Service or with an identity provider via authentication connectors.
Local (no authentication connector)
Local authentication is used to authenticate against a local Teleport user
database. This database is managed by the tctl users
command. Teleport also supports multi-factor authentication (MFA) for the local
connector. There are several possible values (types) of MFA:
otp
is the default. It implements the TOTP standard. You can use Google Authenticator, Authy or any other TOTP client.webauthn
implements the Web Authentication standard for utilizing second factor authenticators and hardware devices. You can use YubiKeys, SoloKeys or any other authenticator that implements FIDO2 or FIDO U2F standards. See our Second Factor - WebAuthn guide for detailed instructions on setting up WebAuthn for Teleport.on
enables both TOTP and WebAuthn, and all local users are required to have at least one MFA device registered.optional
enables both TOTP and WebAuthn but makes it optional for users. Local users that register a MFA device will be prompted for it during login. This option is useful when you need to gradually enable MFA usage before switching the value toon
.off
turns off multi-factor authentication.
If you are using Teleport with a Single Sign-On solution, users can also register MFA devices, but Teleport will not prompt them for MFA during login. MFA for SSO users should be handled by the SSO provider.
You can modify these settings either using a static configuration file or dynamic configuration resources.
Static configuration
Add the following to your Teleport configuration file, which is stored in
/etc/teleport.yaml
by default.
auth_service:
authentication:
type: local
second_factor: off
Dynamic resource
Obtain your existing cluster_auth_preference
resource:
tctl get cap > cap.yaml
If you have not defined a cluster_auth_preference
, cap.yaml
will be blank.
Ensure that cap.yaml
includes the following content:
kind: cluster_auth_preference
metadata:
name: cluster-auth-preference
spec:
type: local
second_factor: "on"
webauthn:
rp_id: example.teleport.sh
version: v2
Create the cluster_auth_preference
resource via tctl
:
tctl create -f cap.yaml
Please use the latest version of Teleport Enterprise documentation.
Authentication connectors
Please use the latest version of Teleport Enterprise documentation.
GitHub
This connector implements GitHub's OAuth 2.0 authentication flow. Please refer to GitHub's documentation on Creating an OAuth App to learn how to create and register an OAuth app.
Here is an example of this setting in the teleport.yaml
:
auth_service:
authentication:
type: github
See GitHub OAuth 2.0 for details on how to configure it.
SAML
This connector type implements SAML authentication. It can be configured against any external identity manager like Okta or Auth0.
Here is an example of this setting in the teleport.yaml
:
auth_service:
authentication:
type: saml
OIDC
Teleport implements OpenID Connect (OIDC) authentication, which is similar to SAML in principle.
Here is an example of this setting in the teleport.yaml
:
auth_service:
authentication:
type: oidc
GitHub
This connector implements GitHub's OAuth 2.0 authentication flow. Please refer to GitHub's documentation on Creating an OAuth App to learn how to create and register an OAuth app.
Here is an example of this setting in the teleport.yaml
:
auth_service:
authentication:
type: github
See GitHub OAuth 2.0 for details on how to configure it.