fix: Add SSO MFA support to headless login 🐛 #59051

Merged
cthach merged 4 commits into master from cthach/issue58757
Sep 12, 2025

Contributor

@cthach cthach commented Sep 11, 2025

What?

Fixes #58757 && #58984

Changelog: Fixed headless login so that it supports both WebAuthn and SSO for MFA

The HeadlessRequest component now uses the standardized MFA prompt (useMfa state func and AuthnDialog component) which supports WebAuthn and SSO MFA.

Why?

The headless login component always assumed WebAuthn as the primary MFA method. This change makes it so that the user can now choose their preferred method for providing an additional auth factor instead of assuming WebAuthn.

Browser Tests

Test results from manually exercising headless login with the fix:

| Browser | Version | Test Passed/Failed |
| --- | --- | --- |
| Firefox | v142.0.1 | PASS ✅ |
| Safari | v18.6 (20621.3.11.11.3) | PASS ✅ |
| Chrome | v140.0.7339.133 | PASS ✅ |

Demo

This demo shows:

  1. Approving the headless login with SSO MFA (Keycloak) and then
  2. Approving the headless login with WebAuthn (Hardware key)

headless-login-mfa-fix
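
A minimal model of the behaviour change described above, as an added example that is not code from this PR or from Teleport: selecting the MFA method from what the challenge offers instead of assuming WebAuthn. The challenge shape and every type and function name below are assumptions made for illustration.

```typescript
// Added illustration: every type and function name here is hypothetical,
// not Teleport's API. Sample challenges used with it are constructed.
type MfaMethod = 'webauthn' | 'sso';

// Assumed shape: one optional field per method the server will accept.
interface MfaChallenge {
  webauthnPublicKey?: { challenge: string };
  ssoChallenge?: { redirectUrl: string };
}

// "Before": the approval flow assumes WebAuthn is always the method.
// An SSO-only challenge fails, and SSO is never offered as a choice.
function methodAssumingWebauthn(c: MfaChallenge): MfaMethod {
  if (!c.webauthnPublicKey) {
    throw new Error('no WebAuthn challenge available');
  }
  return 'webauthn';
}

// "After": list every method the challenge actually offers so the
// prompt can present them and the user can pick one.
function availableMethods(c: MfaChallenge): MfaMethod[] {
  const methods: MfaMethod[] = [];
  if (c.webauthnPublicKey) methods.push('webauthn');
  if (c.ssoChallenge) methods.push('sso');
  return methods;
}

// Validate the user's choice against the challenge; fail closed when the
// challenge offers nothing or the chosen method was not offered.
function resolveMethod(c: MfaChallenge, chosen: MfaMethod): MfaMethod {
  const offered = availableMethods(c);
  if (offered.length === 0) {
    throw new Error('challenge offers no supported MFA method');
  }
  if (offered.indexOf(chosen) === -1) {
    throw new Error(`MFA method "${chosen}" was not offered`);
  }
  return chosen;
}
```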

Signed-off-by: Chris Thach <chris.thach@goteleport.com>
Comment thread web/packages/teleport/src/services/auth/auth.ts
@cthach cthach marked this pull request as ready for review September 11, 2025 21:09
@cthach cthach requested a review from Joerger September 11, 2025 21:09
@cthach cthach linked an issue Sep 11, 2025 that may be closed by this pull request
Comment on lines +116 to +119
shouldShowMfaPrompt(mfa) ? (
<AuthnDialog mfaState={mfa} />
) : (
<HeadlessRequestDialog
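Review bot: the ternary at +116 to +119 gives no hint of when shouldShowMfaPrompt(mfa) becomes true, so a reader cannot tell from this spot at which point in the approval flow AuthnDialog takes the place of HeadlessRequestDialog. A one-line comment above the condition stating what state triggers the prompt would help, and both render branches (prompt shown, prompt not shown) deserve a component test if they are not already covered.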
Contributor

Nice! You made this much simpler than I thought it would be.

Contributor Author

Thank you!

Contributor

Joerger commented Sep 12, 2025

No need to backport to v16, SSO MFA was added in v17. I removed the tag for you.

@cthach cthach enabled auto-merge September 12, 2025 13:10
@cthach cthach removed the size/sm label Sep 12, 2025
@cthach cthach added this pull request to the merge queue Sep 12, 2025
Merged via the queue into master with commit eac4ed5 Sep 12, 2025
43 checks passed
@cthach cthach deleted the cthach/issue58757 branch September 12, 2025 13:32
@backport-bot-workflows
Contributor

@cthach See the table below for backport results.

| Branch | Result |
| --- | --- |
| branch/v17 | Create PR |
| branch/v18 | Create PR |

Development

Successfully merging this pull request may close these issues.

TSH headless request fails with SSO MFA in Safari
Headless WebUI approval does not allow you to pick SSO MFA over WebAuthn
