
Add option to automatically direct Fleet users to IdP login when SSO is enabled #23915

Open
ddribeiro opened this issue Nov 18, 2024 · 2 comments
Labels
customer-cisneros :product Product Design department (shows up on 🦢 Drafting board)

Comments

@ddribeiro
Member

ddribeiro commented Nov 18, 2024

Slack thread: https://fleetdm.slack.com/archives/C072L58U878/p1731442554627229

Problem

When a Fleet server has single sign-on enabled, some Fleet admins may want to disable the traditional email and password-based login form. Doing this would remove confusion amongst users who unknowingly have single-sign-on-enabled accounts and attempt to log in with local credentials using their email and password.

Currently, there is no option in Fleet to disable the form-based authentication when single sign-on is enabled.

What have you tried?

I searched for options to disable local account authentication on /login in the Fleet UI, but did not find anything.

Potential solutions

When single sign-on is enabled on a Fleet server, there should be an option to have end users who navigate to /login be automatically redirected to the IdP login page.

Other MDMs, like Jamf, automatically redirect users when single-sign-on is configured and enabled.

Since there should always be at least one local/non-SSO user on a Fleet server (in case the SSO connection breaks), other products have implemented an option to bypass SSO authentication for local users using a special URL that only admin users can see.

What is the expected workflow as a result of your proposal?

As a result of this workflow, an admin configures and enables single sign-on on their Fleet server. The admin would enable an option for users who navigate to /login to be automatically redirected to the IdP authentication.

The end user who navigates to /login would be redirected to their IdP to complete the authentication. They would never be given the option to log in with their email and password and would not have to know to click the "Sign on with " link.

Fleet admins who have local accounts would be given a special URL to complete authentication with their local accounts.
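The redirect-plus-bypass design described in the post, as an added illustration that is not Fleet's code and does not reflect how Fleet implements login: a small Go HTTP mux that sends GET /login to the IdP initiation path only when SSO is both enabled and enforced, keeps a separate local-login path for break-glass admin accounts, and refuses to turn enforcement on while no local admin exists. The names `AuthConfig`, `EnforceSSO`, `SSOInitPath`, `LocalLoginPath`, `NewLoginMux`, `ResolveLogin` and `ValidateEnforce` and the path values are all hypothetical. Note that the bypass path still serves the normal credential form; a URL that only admins know is a usability measure, not an access control, so the local form must keep its own authentication, rate limiting and audit logging.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// AuthConfig is a hypothetical settings struct (not Fleet's) modelling the
// option proposed in the issue: when SSO is enabled AND enforced, visitors
// to /login are sent straight to the IdP instead of seeing the local form.
type AuthConfig struct {
	SSOEnabled     bool
	EnforceSSO     bool   // the new option requested in the issue
	SSOInitPath    string // path that starts the SAML/OIDC flow (assumed value)
	LocalLoginPath string // break-glass path for local accounts (assumed value)
}

// redirectLogin is true only when both flags are set; enabling SSO alone
// must keep the existing behaviour (form shown with a "Sign on with" link).
func (c AuthConfig) redirectLogin() bool { return c.SSOEnabled && c.EnforceSSO }

// ValidateEnforce implements the caveat from the issue: enforcement must not
// be switched on unless at least one local (non-SSO) admin exists, otherwise
// a broken IdP connection locks everyone out. localAdmins is supplied by the
// caller (a constructed count here, not a real user lookup).
func ValidateEnforce(cfg AuthConfig, localAdmins int) error {
	if cfg.EnforceSSO && !cfg.SSOEnabled {
		return errors.New("cannot enforce SSO while SSO is disabled")
	}
	if cfg.EnforceSSO && localAdmins < 1 {
		return errors.New("refusing to enforce SSO: no local admin account exists")
	}
	return nil
}

// NewLoginMux wires /login and the local bypass path. The bypass path serves
// the same credential-checking handler; being "unadvertised" is all it adds.
func NewLoginMux(cfg AuthConfig, localLogin http.Handler) *http.ServeMux {
	mux := http.NewServeMux()
	mux.HandleFunc("/login", func(w http.ResponseWriter, r *http.Request) {
		if cfg.redirectLogin() {
			http.Redirect(w, r, cfg.SSOInitPath, http.StatusFound)
			return
		}
		localLogin.ServeHTTP(w, r)
	})
	mux.Handle(cfg.LocalLoginPath, localLogin)
	return mux
}

// ResolveLogin performs an in-memory GET against the mux and returns the
// status code and Location header, so the routing can be checked offline.
func ResolveLogin(cfg AuthConfig, path string) (int, string) {
	// Stand-in for the real form handler; a deployment would verify
	// credentials, rate-limit and audit here.
	local := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusOK)
		_, _ = w.Write([]byte("local login form"))
	})
	rec := httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodGet, path, nil)
	NewLoginMux(cfg, local).ServeHTTP(rec, req)
	return rec.Code, rec.Header().Get("Location")
}

func main() {
	cfg := AuthConfig{SSOEnabled: true, EnforceSSO: true,
		SSOInitPath: "/sso/start", LocalLoginPath: "/login/local"}
	for _, p := range []string{"/login", "/login/local"} {
		code, loc := ResolveLogin(cfg, p)
		fmt.Printf("GET %s -> %d %s\n", p, code, loc)
	}
	fmt.Println("enforce with 0 local admins:", ValidateEnforce(cfg, 0))
}
```

Running it shows /login answering 302 to the IdP path while /login/local still returns the form; flipping `EnforceSSO` off restores the form on /login, matching the "option" semantics in the request rather than an unconditional redirect.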

@ddribeiro ddribeiro added the :product Product Design department (shows up on 🦢 Drafting board) label Nov 18, 2024
@ddribeiro
Member Author

#241 is somewhat related, but distinct from this request.

@JoStableford
Contributor

Linked to Unthread ticket:

Request to disable graphical login page and enforce SSO #3575
