Add SSO MFA test plan #51051

Merged: 2 commits, Jan 16, 2025
31 changes: 30 additions & 1 deletion .github/ISSUE_TEMPLATE/testplan.md
@@ -1644,6 +1644,35 @@ Verify SAML IdP service provider resource management.
- [ ] Verify that when a SAML resource is created with preset value `preset: gcp-workforce`, Teleport adds
relay state `relay_state: https://console.cloud.google/` value in the resulting resource spec.

## SSO MFA

Verify SSO MFA core functionality. The tests below should be performed once
with OIDC and once with SAML.

Configure both an OIDC connector and a SAML connector following the [Quick GitHub/SAML/OIDC Setup Tips]
and [enable MFA on them](https://goteleport.com/docs/ver/17.x/admin-guides/access-controls/sso/#configuring-sso-for-mfa-checks).

For simplicity, you can use the same IdP App (client id/secret or entity descriptor)
for both login and MFA. This way, each Teleport MFA check will make you re-login via SSO.

Ensure [SSO is allowed as a second factor](https://goteleport.com/docs/ver/17.x/admin-guides/access-controls/sso/#allowing-sso-as-an-mfa-method-in-your-cluster).
e.g. `cap.second_factors: ['webauthn', 'sso']`.

The following should work with SSO MFA, automatically opening the SSO MFA redirect URL:

- [ ] `tsh mfa ls` should display the SSO MFA device.
- [ ] SSO MFA device cannot be deleted or added
- [ ] Add another MFA device (`tsh mfa add`)
- [ ] Delete the other MFA device (`tsh --mfa-mode=sso mfa rm`)
- [ ] Moderated Sessions
- [ ] Admin Actions (e.g. `tctl tokens ls`)
- [ ] Per-session MFA
- [ ] Server Access
- [ ] File Transfers
- [ ] Kubernetes Access
- [ ] App Access
- [ ] Database Access
- [ ] Desktop Access

## Resources

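Review bot: the item `SSO MFA device cannot be deleted or added` names no command and no expected result, unlike the neighbouring `tsh mfa add` / `tsh --mfa-mode=sso mfa rm` items, and it sits under an intro sentence saying these steps "should work" even though it is a negative check; state the commands and the expected rejection (e.g. `tsh mfa rm <sso-device-name>` is refused) and place the negative items outside that intro. The plan also only exercises the allowed configuration: consider a negative check that SSO is no longer offered as an MFA method once `sso` is removed from `cap.second_factors` or MFA is disabled on the connector, since that is the control `cap.second_factors: ['webauthn', 'sso']` is meant to enforce.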
@@ -1652,4 +1681,4 @@ Verify SAML IdP service provider resource management.
<!---
reference style links
-->
[Quick GitHub/SAML/OIDC Setup Tips]: https://gravitational.slab.com/posts/quick-git-hub-saml-oidc-setup-6dfp292a
[Quick GitHub/SAML/OIDC Setup Tips]: https://www.notion.so/goteleport/Quick-SSO-setup-fb1a64504115414ca50a965390105bee
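Review bot: this replaces the only definition of the `[Quick GitHub/SAML/OIDC Setup Tips]` reference link, which the new SSO MFA section above also relies on for the connector setup; confirm the Notion page covers both the OIDC and SAML connector configuration that section assumes, and that every use of the label in the file is the bare reference form (`[Quick GitHub/SAML/OIDC Setup Tips]` with no inline target) so it still resolves now that the Slab link is gone.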
2 changes: 1 addition & 1 deletion .github/ISSUE_TEMPLATE/webtestplan.md
@@ -823,7 +823,7 @@ Add the following to enable read access to trusted clusters
- [Authentication connectors](https://goteleport.com/docs/setup/reference/authentication/#authentication-connectors):
- For those you might want to use clusters that are deployed on the web, specified in
parens. Or set up the connectors on a local enterprise cluster following [the guide from
our wiki](https://gravitational.slab.com/posts/quick-git-hub-saml-oidc-setup-6dfp292a).
our wiki](https://www.notion.so/goteleport/Quick-SSO-setup-fb1a64504115414ca50a965390105bee).
- [ ] GitHub (asteroid)
- [ ] SAML (platform cluster)
- [ ] OIDC (e-demo)
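Review bot: the target moves from Slab to Notion but the anchor text still reads "the guide from our wiki"; if the Notion page is now the canonical guide, rename the anchor (e.g. "the Quick SSO setup guide") so readers are not sent looking for a wiki that no longer hosts it, and keep this URL identical to the reference-style definition in testplan.md so the two templates do not drift apart.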