Problem
When a Fleet server has single sign-on enabled, some Fleet admins may want to disable the traditional email and password-based login form. Doing this would remove confusion amongst users who unknowingly have single sign-on-enabled accounts and attempt to log in with local credentials using their email and password.
Currently, there is no option in Fleet to disable the form-based authentication when single sign-on is enabled.
What have you tried?
I searched for options to disable local account authentication on /login in the Fleet UI, but did not find anything.
Potential solutions
When single sign-on is enabled on a Fleet server, there should be an option to have end users who navigate to /login be automatically redirected to the IdP login page.
Other MDMs, like Jamf, automatically redirect users when single sign-on is configured and enabled.
Since there should always be at least one local/non-SSO user on a Fleet server (in case the SSO connection breaks), other products have implemented an option to bypass SSO authentication for local users using a special URL that only admin users can see.
What is the expected workflow as a result of your proposal?
Under this proposal, an admin configures and enables single sign-on on their Fleet server, then enables an option so that users who navigate to `/login` are automatically redirected to the IdP for authentication.
The end user who navigates to `/login` would be redirected to their IdP to complete the authentication. They would never be given the option to log in with their email and password and would not have to know to click the "Sign on with " link.
Fleet admins who have local accounts would be given a special URL to complete authentication with their local accounts.
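The routing rule this proposal describes, written out as an added example in Go (Fleet's own language); this is illustrative code, not Fleet's implementation. The configuration field names, the `/login/local` bypass path and the IdP URL are assumptions made up for the example. The one design point worth making explicit is that the "special URL" for local accounts should not be treated as a secret: it is an ordinary route, and the password check (plus whatever lockout or MFA policy already applies to local accounts) remains the actual control.

```go
package main

import (
	"fmt"
	"net/http"
)

// SSOConfig models the proposed setting. The field names are assumptions for
// this example, not Fleet's real configuration keys.
type SSOConfig struct {
	Enabled       bool   // single sign-on is configured on the server
	ForceRedirect bool   // proposed option: /login goes straight to the IdP
	IdPInitURL    string // SP-initiated endpoint that starts the IdP login
}

// LocalLoginPath is the assumed "special URL" for local (non-SSO) accounts.
// It is deliberately a plain route: obscurity is not the control, the
// credential check behind it is.
const LocalLoginPath = "/login/local"

// Decision is the outcome for a request to a login route.
type Decision struct {
	Redirect bool   // true: send the browser to the IdP
	Location string // redirect target when Redirect is true
}

// DecideLogin is the pure routing rule: redirect to the IdP only when SSO is
// enabled, the redirect option is on, an IdP URL is configured, and the
// request is not for the local-account path.
func DecideLogin(cfg SSOConfig, path string) Decision {
	if path == LocalLoginPath {
		return Decision{} // always serve the form for local accounts
	}
	if cfg.Enabled && cfg.ForceRedirect && cfg.IdPInitURL != "" {
		return Decision{Redirect: true, Location: cfg.IdPInitURL}
	}
	return Decision{} // SSO off or redirect option off: normal form
}

// LoginHandler applies DecideLogin to incoming HTTP requests. The form body
// is a stand-in for the real email/password page.
func LoginHandler(cfg SSOConfig) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		d := DecideLogin(cfg, r.URL.Path)
		if d.Redirect {
			http.Redirect(w, r, d.Location, http.StatusFound)
			return
		}
		w.Header().Set("Content-Type", "text/html; charset=utf-8")
		fmt.Fprint(w, `<form method="post" action="/api/login">email/password form</form>`)
	})
}

func main() {
	// Constructed sample config; the IdP URL is a placeholder, not a real endpoint.
	cfg := SSOConfig{Enabled: true, ForceRedirect: true, IdPInitURL: "https://idp.example.com/sso/start"}
	mux := http.NewServeMux()
	mux.Handle("/login", LoginHandler(cfg))       // end users: redirected to the IdP
	mux.Handle(LocalLoginPath, LoginHandler(cfg)) // admins: local form
	fmt.Println("listening on :8080")
	_ = http.ListenAndServe(":8080", mux)
}
```

With `ForceRedirect` off, or SSO disabled entirely, both routes serve the form, so the option is a strict addition to the current behaviour and the local path keeps working if the IdP connection breaks.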
Slack thread: https://fleetdm.slack.com/archives/C072L58U878/p1731442554627229