
Cluster Auth Preferences Resource Reference

The cluster auth preferences resource contains global cluster configuration options for authentication.

metadata:
  name: cluster-auth-preference
spec:
  # Sets the list of allowed second factors for the cluster.
  # Possible values: "otp", "webauthn", and "sso".
  # Defaults to ["otp"].
  # Listing only "webauthn" (or "webauthn" and "sso") excludes OTP, which is
  # the weaker, phishable factor; keep "otp" only if users still depend on it.
  second_factors: ["webauthn", "otp"]

  # second_factor (singular) is the legacy, single-value form of the setting
  # above.
  # Possible values: "on", "otp" and "webauthn"
  # If "on" is set, all MFA protocols are supported.
  #
  # Prefer setting second_factors instead.
  #second_factor: "webauthn"

  # The name of the OIDC or SAML connector. If this is not set, the first
  # connector in the backend is used.
  # NOTE(review): with several connectors configured, "first" is not an
  # explicit choice -- set this to the intended connector so a newly added
  # connector cannot silently become the default.
  connector_name: ""

  # webauthn is the settings for server-side Web authentication support.
  webauthn:
    # rp_id is the ID of the Relying Party.
    # It should be set to the domain name of the Teleport installation.
    #
    # IMPORTANT: rp_id must never change in the lifetime of the cluster, because
    # it's recorded in the registration data on the WebAuthn device. If the
    # rp_id changes, all existing WebAuthn key registrations will become invalid
    # and all users who use WebAuthn as the second factor will need to
    # re-register.
    rp_id: teleport.example.com
    # Allow list of device attestation CAs in PEM format.
    # If present, only devices whose attestation certificates match the
    # certificates specified here may be registered (existing registrations are
    # unchanged).
    # If supplied in conjunction with `attestation_denied_cas`, then both
    # conditions need to be true for registration to be allowed (the device
    # MUST match an allowed CA and MUST NOT match a denied CA).
    # By default all devices are allowed.
    # Because only new registrations are checked, tightening this list does
    # not revoke devices enrolled before the change; re-enrollment is needed
    # for that.
    attestation_allowed_cas: []
    # Deny list of device attestation CAs in PEM format.
    # If present, only devices whose attestation certificates don't match the
    # certificates specified here may be registered (existing registrations are
    # unchanged).
    attestation_denied_cas: []

  # Enforce per-session MFA or PIV-hardware key restrictions on user login sessions.
  # Possible values: true, false, "hardware_key", "hardware_key_touch".
  # Defaults to false.
  # The "hardware_key*" values require the user's private key to live on PIV
  # hardware; roll them out only once every user has such a device, since
  # users without one will be unable to start sessions.
  require_session_mfa: false

  # Sets whether connections with expired client certificates will be disconnected.
  # When false, an already-established session can outlive the certificate
  # that opened it; set to true if session lifetime must be bounded by
  # default_session_ttl (below).
  disconnect_expired_cert: false

  # Sets whether headless authentication is allowed.
  # Headless authentication requires WebAuthn.
  # Defaults to true if webauthn is configured.
  # Note the default: merely configuring the webauthn block above turns this
  # on, so set it to false explicitly if headless logins are not wanted.
  allow_headless: false

  # Sets whether local auth is enabled alongside any other authentication
  # type.
  # When type is "oidc", "saml" or "github", leaving this true keeps local
  # username/password (plus second factor) logins valid in parallel with SSO;
  # set it to false so the identity provider is the only login path, unless
  # a local break-glass account is deliberately kept.
  allow_local_auth: true

  # Sets whether passwordless authentication is allowed.
  # Requires WebAuthn to work.
  allow_passwordless: false

  # Sets the message of the day for the cluster.
  message_of_the_day: ""

  # idp is a set of options related to accessing IdPs within Teleport. Requires Teleport Enterprise.
  idp:
    # options related to the Teleport SAML IdP.
    saml:
      # enables access to the Teleport SAML IdP.
      # Set to false if Teleport is not meant to act as a SAML IdP for other
      # applications; an unused IdP endpoint is needless attack surface.
      enabled: true

  # locking_mode is the cluster-wide locking mode default.
  # Possible values: "strict" or "best_effort"
  # NOTE(review): "strict" presumably fails closed (access denied) when lock
  # state cannot be confirmed, while "best_effort" fails open -- confirm
  # against the locking documentation before relying on it for enforcement.
  locking_mode: best_effort

  # default_session_ttl defines the default TTL (time to live) of certificates
  # issued to the users on this cluster.
  # A shorter TTL limits how long a leaked or stolen certificate remains
  # usable; per-role TTLs may override this default.
  default_session_ttl: "12h"

  # The type of authentication to use for this cluster.
  # Possible values: "local", "oidc", "saml" and "github"
  # connector_name (above) is documented for the OIDC and SAML connector
  # types only.
  type: local

  stable_unix_user_config:
    # If set to true, SSH instances will use the same UID for each given
    # username when automatically creating users.
    enabled: false

    # The range of UIDs (including both ends) used for automatic UID assignment.
    # Pick a range that cannot collide with UIDs already present on the hosts
    # (system accounts, locally managed users), otherwise an auto-created user
    # could end up sharing a UID -- and file ownership -- with an existing one.
    first_uid: 90000
    last_uid: 95000

version: v2