Teleport administrators can configure Teleport to delegate multi-factor authentication checks to a single sign-on provider as an alternative to registering MFA devices directly with the Teleport cluster. This guide explains how to configure SSO for MFA checks.

SSO for MFA checks allows Teleport users to use MFA devices and custom flows configured in the SSO provider to carry out privileged actions in Teleport, such as:

Administrators may want to consider enabling this feature in order to:

Make all authentication (login and MFA) go through the IDP, reducing administrative overhead

Build custom MFA flows, such as prompting for two distinct devices in a single MFA check

Integrate with non-WebAuthn devices supported directly by your IDP

Note: SSO MFA is an enterprise feature. Only OIDC and SAML auth connectors are supported.

A running Teleport cluster. If you want to get started with Teleport, sign up for a free trial or set up a demo environment.

The tctl and tsh clients.

This guide assumes that you are familiar with how to integrate your identity provider with Teleport. Make sure that you understand the guide in Integrate your IdP for your provider. You must already have an authentication connector configured.

Unlike SAML/OIDC login, there is no standardized flow for MFA checks, so each IDP may offer zero, one, or more ways to perform them.

Generally, these offerings will fall under one of the following cases:

Use a separate IDP app for MFA:

You can create a separate IDP app with a custom MFA flow. For example, with Auth0 (OIDC), you can create a separate app with a custom Auth0 Action which prompts for MFA for an active OIDC session.

Use the same IDP app for MFA:

Some IDPs provide a way to fork to different flows using the same IDP app. For example, with Okta (OIDC), you can provide acr_values: ["phr"] to enforce phishing resistant authentication.

For a simpler approach, you could use the same IDP app for both login and MFA with no adjustments. For Teleport MFA checks, the user will be required to relogin through the IDP with username, password, and MFA if required.

Warning: While the customizability of SSO MFA gives administrators secure options that were previously unavailable, it also makes insecure misconfigurations possible. For example, an MFA flow that reuses the login app and does not force re-authentication can be satisfied by an existing IDP session without any new challenge. We therefore strongly advise administrators to build strict, phishing-resistant checks (WebAuthn, Device Trust, or a similar control) into their custom SSO MFA flow.

Add MFA settings to your authentication connector, as shown in the following examples:

OIDC:

```yaml
kind: oidc
version: v3
metadata:
  name: oidc_connector
spec:
  client_id: <LOGIN-CLIENT-NAME>
  client_secret: <LOGIN-CLIENT-SECRET>
  issuer_url: https://idp.example.com/
  redirect_url: https://mytenant.teleport.sh:443/v1/webapi/oidc/callback
  mfa:
    enabled: true
    client_id: <MFA-CLIENT-NAME>
    client_secret: <MFA-CLIENT-SECRET>
    prompt: none
    acr_values: []
    max_age: 0
```

SAML:

```yaml
kind: saml
version: v2
metadata:
  name: okta
spec:
  display: Okta
  entity_descriptor_url: https://example.okta.com/app/<LOGIN-APP-ID>/sso/saml/metadata
  acs: https://<cluster-url>/v1/webapi/saml/acs/new_saml_connector
  mfa:
    enabled: true
    entity_descriptor_url: https://example.okta.com/app/<MFA-APP-ID>/sso/saml/metadata
    force_reauth: yes
```

You may use entity_descriptor_url in lieu of entity_descriptor to fetch the entity descriptor from your IDP. We recommend "pinning" the entity descriptor by including the XML rather than fetching it from a URL, so that a compromised or substituted metadata endpoint cannot silently change the IDP's signing keys.

Update the connector:

tctl create -f connector.yaml

Before you can use the SSO MFA flow we created above, you need to enable SSO for multi-factor authentication in your cluster settings. Modify the dynamic config resource using the following command:

tctl edit cluster_auth_preference

Make the following change:

```diff
kind: cluster_auth_preference
version: v2
metadata:
  name: cluster-auth-preference
spec:
  # ...
  second_factors:
  - webauthn
+ - sso
```

Save and close the editor to apply the change.
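The warning above and the three configuration steps (connector MFA block, tctl create, second_factors) leave several ways to end up with an SSO MFA flow that never actually challenges the user. The following script is an added example, not code from the Teleport project: it encodes the guide's cautions as checks over connector and cluster_auth_preference resources represented as plain dicts, such as the output of `tctl get <kind>/<name> --format=json` passed through json.loads. The sample resources are constructed placeholders; the assumption that an mfa block without its own client_id or entity descriptor reuses the login app is marked in the code. Okta's `phr` ACR value is the one mentioned earlier in this guide.

```python
"""Lint Teleport SSO MFA settings before applying them with tctl.

Added example, not code from the Teleport project. It turns the
cautions in this guide (use a distinct MFA flow or force re-auth,
prefer a phishing-resistant ACR, pin SAML metadata, add "sso" to
second_factors) into checks over resources represented as plain dicts,
such as json.loads() of `tctl get <kind>/<name> --format=json` output.
"""
import json
from typing import Any

Resource = dict[str, Any]


def _truthy(value: Any) -> bool:
    """Accept YAML-style booleans ('yes', 'true') as well as real bools."""
    if isinstance(value, bool):
        return value
    return str(value).strip().lower() in ("yes", "true", "on", "1")


def check_connector(res: Resource) -> list[str]:
    """Return findings for one oidc or saml connector (empty list = clean)."""
    kind = res.get("kind")
    spec = res.get("spec") or {}
    mfa = spec.get("mfa") or {}
    name = (res.get("metadata") or {}).get("name", "<unnamed>")
    findings: list[str] = []

    if not _truthy(mfa.get("enabled", False)):
        return [f"{name}: spec.mfa.enabled is not true, SSO MFA is off for this connector"]

    if kind == "oidc":
        # Assumption: an mfa block with no client_id of its own reuses the login app.
        same_app = mfa.get("client_id", spec.get("client_id")) == spec.get("client_id")
        acr = mfa.get("acr_values") or []
        # OIDC prompt=none forbids any user interaction, so with the login
        # app and no ACR requirement the MFA step can succeed on the IdP's
        # existing session without a fresh challenge.
        if same_app and mfa.get("prompt") == "none" and not acr:
            findings.append(f"{name}: MFA reuses the login app with prompt=none and no "
                            "acr_values; the check can pass on an existing IdP session")
        if not acr:
            findings.append(f"{name}: no acr_values; consider a phishing-resistant "
                            "ACR such as Okta's 'phr'")
    elif kind == "saml":
        # Assumption: an mfa block without its own entity descriptor reuses the login app.
        has_own_idp = "entity_descriptor" in mfa or (
            "entity_descriptor_url" in mfa
            and mfa["entity_descriptor_url"] != spec.get("entity_descriptor_url"))
        if not has_own_idp and not _truthy(mfa.get("force_reauth", False)):
            findings.append(f"{name}: MFA reuses the login SAML app without "
                            "force_reauth, so no re-authentication is guaranteed")
        for scope, block in (("spec", spec), ("spec.mfa", mfa)):
            if "entity_descriptor_url" in block and "entity_descriptor" not in block:
                findings.append(f"{name}: {scope} fetches IdP metadata from "
                                "entity_descriptor_url; pin the entity_descriptor XML")
    else:
        findings.append(f"{name}: kind {kind!r} does not support SSO MFA (oidc/saml only)")
    return findings


def check_auth_preference(res: Resource) -> list[str]:
    """'sso' must be listed as a second factor or SSO MFA is never offered."""
    factors = (res.get("spec") or {}).get("second_factors") or []
    if "sso" not in factors:
        return ["cluster_auth_preference: 'sso' is missing from spec.second_factors"]
    return []


def lint(resources: list[Resource]) -> list[str]:
    """Dispatch on kind; resources of other kinds are ignored."""
    out: list[str] = []
    for res in resources:
        if res.get("kind") in ("oidc", "saml"):
            out.extend(check_connector(res))
        elif res.get("kind") == "cluster_auth_preference":
            out.extend(check_auth_preference(res))
    return out


# Constructed sample resources (placeholder values, not real credentials).
WEAK_OIDC: Resource = {
    "kind": "oidc", "version": "v3", "metadata": {"name": "oidc_connector"},
    "spec": {"client_id": "login-app", "client_secret": "<LOGIN-CLIENT-SECRET>",
             "issuer_url": "https://idp.example.com/",
             "mfa": {"enabled": True, "client_id": "login-app", "prompt": "none",
                     "acr_values": [], "max_age": 0}},
}
HARDENED_OIDC: Resource = json.loads(json.dumps(WEAK_OIDC))  # deep copy
HARDENED_OIDC["spec"]["mfa"].update({"client_id": "mfa-app", "acr_values": ["phr"]})

WEAK_SAML: Resource = {
    "kind": "saml", "version": "v2", "metadata": {"name": "okta"},
    "spec": {"entity_descriptor_url": "https://example.okta.com/app/LOGIN/sso/saml/metadata",
             "acs": "https://teleport.example.com/v1/webapi/saml/acs/okta",
             "mfa": {"enabled": True}},
}
HARDENED_SAML: Resource = {
    "kind": "saml", "version": "v2", "metadata": {"name": "okta"},
    "spec": {"entity_descriptor": "<EntityDescriptor .../>",  # pinned XML
             "acs": "https://teleport.example.com/v1/webapi/saml/acs/okta",
             "mfa": {"enabled": True, "entity_descriptor": "<EntityDescriptor .../>",
                     "force_reauth": "yes"}},
}
CAP_WITHOUT_SSO: Resource = {"kind": "cluster_auth_preference", "version": "v2",
                             "spec": {"second_factors": ["webauthn"]}}
CAP_WITH_SSO: Resource = {"kind": "cluster_auth_preference", "version": "v2",
                          "spec": {"second_factors": ["webauthn", "sso"]}}

if __name__ == "__main__":
    for line in lint([WEAK_OIDC, WEAK_SAML, CAP_WITHOUT_SSO]):
        print("WARN", line)
    print("hardened:", lint([HARDENED_OIDC, HARDENED_SAML, CAP_WITH_SSO]) or "clean")
```

Run it before `tctl create -f connector.yaml`: the weak OIDC connector (login app reused with prompt none and empty acr_values) and the weak SAML connector (no MFA descriptor, no force_reauth, metadata fetched from a URL) each produce two findings, and the cluster_auth_preference without `sso` produces one; the hardened resources produce none. The checks are deliberately conservative and only encode what this guide recommends; they do not prove that the IDP-side flow actually enforces a phishing-resistant factor, which still has to be verified in the IDP's own configuration.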