Add SSO MFA support for desktop access #56019

Merged: Joerger merged 4 commits into master from joerger/allow-sso-mfa on Jun 24, 2025
Joerger (Contributor) commented Jun 24, 2025

SSO MFA support was not fully implemented on the backend for desktop access, so the WebUI would not receive SSO MFA challenges. As a result, if the user did not have WebAuthn configured, it had no MFA challenges to prompt for and would fail with a per-session MFA error.

Changelog: Add SSO MFA support for desktop access

Closes #55436

Co-authored-by: Przemko Robakowski <przemko.robakowski@goteleport.com>
Comment thread lib/web/desktop.go
ProxyAddress: h.PublicProxyAddr(),
}, nil
},
PromptConstructor: func(...mfa.PromptOpt) mfa.Prompt {
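Review bot: The variadic mfa.PromptOpt parameter on the PromptConstructor line is unnamed, so any options a caller passes to this constructor are silently dropped. If that is intentional, a one-line comment saying why would help the next reader; otherwise name the parameter and apply the options to the prompt that is returned.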
Collaborator

Do SSOMFACeremonyConstructor and PromptConstructor run on the same goroutine?

Contributor Author

Yes. If the concern is that the channelID is set in SSOMFACeremonyConstructor, I believe I just did that so we aren't generating unused UUIDs when SSO MFA is not an option. Seems like an unnecessary and bug-prone optimization in hindsight.
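
The ordering hazard discussed in this thread, as an added Go example that is not code from the pull request: it assumes a simplified model in which two constructor callbacks share one channel ID through a closure. The names `callbacks`, `lazyCallbacks`, `eagerCallbacks` and `newChannelID` are hypothetical, and the hex ID is a stand-in for a UUID.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"fmt"
)

// newChannelID returns a random 128-bit ID (constructed stand-in for a UUID).
func newChannelID() string {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return hex.EncodeToString(b)
}

// callbacks is a hypothetical pair of constructors that must agree on one ID.
type callbacks struct {
	ceremony func() string // ID the ceremony would hand to the SSO flow (assumed)
	prompt   func() string // ID the prompt would wait on (assumed)
}

// lazyCallbacks assigns the ID only inside the ceremony constructor, so the
// prompt sees an empty ID if it is built first or the ceremony never runs.
func lazyCallbacks() callbacks {
	var channelID string
	return callbacks{
		ceremony: func() string { channelID = newChannelID(); return channelID },
		prompt:   func() string { return channelID },
	}
}

// eagerCallbacks generates the ID up front: call order no longer matters, at
// the cost of one unused ID when SSO MFA is not offered.
func eagerCallbacks() callbacks {
	channelID := newChannelID()
	return callbacks{
		ceremony: func() string { return channelID },
		prompt:   func() string { return channelID },
	}
}

func main() {
	lazy, eager := lazyCallbacks(), eagerCallbacks()
	fmt.Printf("lazy prompt before ceremony:  %q\n", lazy.prompt())
	fmt.Printf("eager prompt before ceremony: %q\n", eager.prompt())
	fmt.Println("eager IDs match:", eager.prompt() == eager.ceremony())
}
```

The lazy variant is also unsynchronized, so it would be a data race if the two callbacks ever ran on different goroutines, which is the question raised above.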

Joerger enabled auto-merge June 24, 2025 21:31
Joerger added this pull request to the merge queue Jun 24, 2025
Merged via the queue into master with commit 6a807b1 Jun 24, 2025
40 checks passed
Joerger deleted the joerger/allow-sso-mfa branch June 24, 2025 22:28
@backport-bot-workflows
Contributor

@Joerger See the table below for backport results.

| Branch | Result |
| --- | --- |
| branch/v17 | Create PR |
| branch/v18 | Create PR |

Development

Successfully merging this pull request may close these issues.

SSO MFA does not work in desktop sessions