gravitational / teleport

The easiest, and most secure way to access and protect all of your infrastructure.
https://goteleport.com
GNU Affero General Public License v3.0

Skip "login" button when SAML is configured #10553

Open JonGilmore opened 2 years ago

JonGilmore commented 2 years ago

What

When you configure SAML as an authentication provider, and you navigate to your Teleport web login page, you're still required to click "login" with your IDP. This wasn't necessarily a problem in the past, but now that we're looking to implement Application Access, it adds another (completely unnecessary) step to the login flow.

Why

Now that we're looking to implement Teleport Application Access, the cutover is effectively going to be a DNS cutover for our backend applications to take them off of the internet. Unfortunately, when we do this, users that navigate to something like jenkins.mycompany.com will now be faced with unnecessary friction when logging in (assuming they don't yet have a Teleport session, but do have an active SSO session). Once they hit the URL for Jenkins, their browser redirects them to the Teleport login screen where they're forced to click a button to sign in. We have no local users, so there is no reason not to assume that our users should be redirected to Okta immediately. Unfortunately, this friction will stop us from being able to roll out Application Access to the entirety of our organization.

Workaround

None available that I'm aware of.

cc @stevenGravy as a continuation of our Slack thread.

gz#4170

stevenGravy commented 2 years ago

Thanks for submitting, @JonGilmore!