Date: 2025-07-30

acr_values string ACR is an Authentication Context Class Reference value. The meaning of the ACR value is context-specific and varies for identity providers.

allow_unverified_email boolean AllowUnverifiedEmail tells the connector to accept OIDC users with unverified emails.

claims_to_roles []object ClaimsToRoles specifies a dynamic mapping from claims to roles.

client_id string ClientID is the ID of the authentication client (Teleport Auth Service).

client_redirect_settings object ClientRedirectSettings defines which client redirect URLs are allowed for non-browser SSO logins other than the standard localhost ones.

client_secret string ClientSecret is used to authenticate the client. This field supports secret lookup. See the operator documentation for more details.

display string Display is the friendly name for this provider.

google_admin_email string GoogleAdminEmail is the email of a Google admin to impersonate.

google_service_account string GoogleServiceAccount is a string containing Google service account credentials.

google_service_account_uri string GoogleServiceAccountURI is a path to a Google service account URI.

issuer_url string IssuerURL is the endpoint of the provider, e.g. https://accounts.google.com.

max_age string MaxAge is the amount of time that user logins are valid for. If a user logs in but does not log in again within this time period, they will be forced to re-authenticate.

mfa object MFASettings contains settings to enable SSO MFA checks through this auth connector.

pkce_mode string PKCEMode represents the configuration state for PKCE (Proof Key for Code Exchange). It can be "enabled" or "disabled".

prompt string Prompt is an optional OIDC prompt. An empty string omits prompt. If not specified, it defaults to select_account for backwards compatibility.

provider string Provider is the external identity provider.

redirect_url []string RedirectURLs is a list of callback URLs which the identity provider can use to redirect the client back to the Teleport Proxy to complete authentication. This list should match the URLs on the provider's side. The URL used for a given auth request will be chosen to match the requesting Proxy's public address. If there is no match, the first URL in the list will be used.

scope []string Scope specifies additional scopes set by provider.

user_matchers []string UserMatchers is a set of glob patterns to narrow down which username(s) this auth connector should match for identifier-first login.
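
A review helper for the allow_unverified_email, pkce_mode and redirect_url fields described above, added here as an example and not taken from Teleport's own code. The sample specs, hostnames and callback paths are constructed, the function names are hypothetical, and matching the Proxy's public address on hostname only is an assumption about how the documented "match, else first URL" rule is applied.

```python
from urllib.parse import urlsplit

# Constructed sample specs (not from the Teleport docs); hosts and paths are made up.
WEAK = {
    "allow_unverified_email": True,
    "pkce_mode": "disabled",
    "redirect_url": ["http://proxy-a.example.com/callback"],
}
HARDENED = {
    "allow_unverified_email": False,
    "pkce_mode": "enabled",
    "redirect_url": [
        "https://proxy-a.example.com/callback",
        "https://proxy-b.example.com/callback",
    ],
}

def audit_connector(spec):
    """Return (field, finding) pairs for settings a reviewer should question."""
    findings = []
    if spec.get("allow_unverified_email") is True:
        findings.append(("allow_unverified_email", "unverified emails accepted"))
    pkce = spec.get("pkce_mode")
    if pkce == "disabled":
        findings.append(("pkce_mode", "PKCE explicitly disabled"))
    elif pkce not in (None, "enabled"):
        findings.append(("pkce_mode", f"unexpected value {pkce!r}"))
    urls = spec.get("redirect_url") or []
    if not urls:
        findings.append(("redirect_url", "no callback URL configured"))
    for i, url in enumerate(urls):
        if urlsplit(url).scheme != "https":
            where = "fallback entry" if i == 0 else f"entry {i}"
            findings.append(("redirect_url", f"{where} {url} is not https"))
    return findings

def pick_redirect_url(redirect_urls, proxy_public_addr):
    """Pick the callback for the requesting Proxy; fall back to the first URL.
    Matching on hostname only is an assumption of this sketch."""
    if not redirect_urls:
        raise ValueError("redirect_url is empty")
    want = urlsplit("//" + proxy_public_addr).hostname
    for url in redirect_urls:
        if urlsplit(url).hostname == want:
            return url
    return redirect_urls[0]

if __name__ == "__main__":
    for name, spec in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_connector(spec))
```

Because an unmatched Proxy address falls back to the first list entry, that entry is worth reviewing with the same care as the primary callback.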