What
When you configure SAML as an authentication provider, and you navigate to your Teleport web login page, you're still required to click "login" with your IdP. This wasn't necessarily a problem in the past, but now that we're looking to implement Application Access, it adds another (completely unnecessary) step to the login flow.
Why
Now that we're looking to implement Teleport Application Access, the cutover is effectively going to be a DNS cutover for our backend applications to take them off of the internet. Unfortunately, when we do this, users that navigate to something like jenkins.mycompany.com will now be faced with unnecessary friction when logging in (assuming they don't yet have a teleport session, but do have an active SSO session). Once they hit the URL for jenkins, their browser redirects them to the teleport login screen where they're forced to click a button to sign in. We have no local users, so there is no reason not to assume that our users should be redirected to Okta immediately.
Unfortunately, this friction will stop us from being able to roll out Application Access to the entirety of our organization.
Workaround
None available that I'm aware of.
cc @stevenGravy as a continuation of our slack thread.
gz#4170