
Commit 0d3af41

Address Nic's comments.
1 parent aa460eb commit 0d3af41


3 files changed: +26 -11 lines changed


docs/pages/admin-guides/access-controls/sso/sso.mdx

Lines changed: 23 additions & 10 deletions
@@ -418,29 +418,42 @@ SSO provider as an alternative to registering MFA devices directly with the Tele
418418
This allows Teleport users to use MFA devices and custom flows configured in the SSO provider
419419
to carry out privileged actions in Teleport, such as:
420420

421-
- MFA device management (e.g. register or delete a webauthn device in Teleport)
422421
- [Per-session MFA](../guides/per-session-mfa.mdx)
423422
- [Moderated sessions](../guides/moderated-sessions.mdx)
424423
- [Admin actions](../guides/mfa-for-admin-actions.mdx)
425424

426-
Administrators may want to consider enabling this feature for the following benefits:
425+
Administrators may want to consider enabling this feature in order to:
427426

428-
- All authentication (login and MFA) goes through the IDP, reducing administrative overhead
427+
- Make all authentication (login and MFA) go through the IDP, reducing administrative overhead
429428
- Make custom MFA flows, such as prompting for 2 distinct devices for a single MFA check
430429
- Integrate with non-webauthn devices supported directly by your IDP
431430

432-
<Admonition type="warning">
431+
<Admonition type="note">
433432
SSO MFA is an enterprise feature. Only OIDC and SAML auth connectors are supported.
434433
</Admonition>
435434

436435
### Configure the IDP App / Client
437436

438-
There is no standardized MFA flow unlike there is with SAML/OIDC login, so
439-
each IDP may offer zero, one, or more ways to offer MFA checks.
437+
There is no standardized MFA flow unlike there is with SAML/OIDC
438+
login, so each IDP may offer zero, one, or more ways to offer MFA checks.
439+
440+
Generally, these offerings will fall under one of the following cases:
441+
442+
1. Use a separate IDP app for MFA:
443+
444+
You can create a separate IDP app with a custom MFA flow. For example, with
445+
Auth0 (OIDC), you can create a separate app with a custom [Auth0 Action](https://auth0.com/docs/customize/actions)
446+
which prompts for MFA for an active OIDC session.
447+
448+
2. Use the same IDP app for MFA:
449+
450+
Some IDPs provide a way to fork to different flows using the same IDP app.
451+
For example, with Okta (OIDC), you can provide `acr_values: ["phr"]` to
452+
[enforce phishing resistant authentication](https://developer.okta.com/docs/guides/step-up-authentication/main/#predefined-parameter-values).
440453

441-
Teleport does not make any assumptions as to how the MFA app is configured.
442-
If desired, you could even use your basic login flow with username, password,
443-
and MFA device.
454+
For a simpler approach, you could use the same IDP app for both login and MFA
455+
with no adjustments. For Teleport MFA checks, the user will be required to
456+
relogin through the IDP with username, password, and MFA if required.
444457

445458
<Admonition type="warning">
446459
While the customizability of SSO MFA presents multiple secure options previously
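Review bot: the closing paragraph of this hunk ("the user will be required to relogin through the IDP with username, password, and MFA if required") does not say who decides whether MFA is required, and it does not say whether the IDP is expected to prompt again when the user already holds an active IDP session. Since the text above also states that Teleport makes no assumptions about how the MFA app is configured, a reader could take the "simpler approach" and end up with an MFA check that the IDP satisfies without presenting any second factor. Suggest stating explicitly that with the single-app approach the IDP itself must be configured to prompt for MFA on every authentication request Teleport initiates, and pointing at the warning that follows. Two smaller points: "relogin" should read "re-login" or "log in again", and the opening sentence reads more naturally as "Unlike SAML/OIDC login, there is no standardized MFA flow, so each IDP may offer zero, one, or more ways to perform MFA checks" (the current wording uses "offer" twice).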
@@ -452,7 +465,7 @@ and MFA device.
452465

453466
### Updating your authentication connector to enable MFA checks
454467

455-
Take the authentication connector file `connector.yaml` created in the previous step
468+
Take the authentication connector file `connector.yaml` created in [Configuring SSO for login](#configuring-sso-for-login)
456469
and add MFA settings.
457470

458471
<Tabs>
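Review bot: the new link target `#configuring-sso-for-login` cannot be checked from this hunk; please confirm it matches the generated slug of the heading it points at, since a mismatched MDX anchor renders as a link that silently goes nowhere, which is worse than the "previous step" wording it replaces.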

examples/resources/oidc-connector-mfa.yaml

Lines changed: 1 addition & 0 deletions
@@ -6,6 +6,7 @@ spec:
66
# Login settings
77
client_id: <LOGIN-CLIENT-NAME>
88
client_secret: <LOGIN-CLIENT-SECRET>
9+
# issuer_url and redirect_url are shared by both login and MFA, meaning the same OIDC provider must be used.
910
issuer_url: https://idp.example.com/
1011
redirect_url: https://mytenant.teleport.sh:443/v1/webapi/oidc/callback
1112
# ...
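Review bot: the added comment says `issuer_url` and `redirect_url` are shared by login and MFA but not what that requires of the MFA client: because both flows return to the same `/v1/webapi/oidc/callback` URL, the separate MFA app registered at the IDP must also have that exact redirect URL allow-listed, otherwise the IDP will not redirect back to Teleport after the MFA check. Suggest a second sentence in the comment, e.g. `# The MFA client must be registered at the IDP with this same redirect_url.`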

examples/resources/saml-connector-mfa.yaml

Lines changed: 2 additions & 1 deletion
@@ -11,12 +11,13 @@ spec:
1111
# Login settings
1212
display: Okta
1313
entity_descriptor_url: https://example.okta.com/app/<LOGIN-APP-ID>/sso/saml/metadata
14+
# acs is shared by both login and MFA, meaning the same SAML provider must be used.
1415
acs: https://<cluster-url>/v1/webapi/saml/acs/new_saml_connector
1516
# ...
1617

1718
# MFA settings
1819
mfa:
19-
# Enabled specified whether this SAML connector supports MFA checks.
20+
# Enabled specifies whether this SAML connector supports MFA checks.
2021
enabled: true
2122
# entity_descriptor_url should point to an IdP configured app that handles MFA checks.
2223
# In most cases, this value should be different from the entity_descriptor_url above.
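Review bot: as in the OIDC example, the new `acs` comment should spell out what "shared" means for the MFA app: the IdP app that handles MFA checks (the one the second `entity_descriptor_url` points at) must be configured to post its SAML response to this same ACS URL. Consider `# The IdP app used for MFA must also send its response to this acs URL.` The `specified` to `specifies` fix in the `enabled` comment is correct.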

0 commit comments

Comments
 (0)