Only show SSO Login on the login page.

[benarent]

Problem
Teleport lets admins quickly create users using tctl users add. This can be very handy when setting up the cluster, or adding a few Ops Admins. Once the team grows and Teleport is rolled out company wide it's preferred to login with an SSO provider. This results in a range of options for users, and for many they won't have a username, so it can be confusing.

Proposal

1. Provide an option to turn off local login and just use SSO provider
2. Provide an admin URL for companies that have a mix of SSH users and admins using local 2FA.
3. Allow a set hierarchy of login options.

[russjones]

@benarent (1) is already available, set local_auth: false in file configuration. See the following PR: #2575

For (2), when hitting the endpoint to fetch the login page, we can check if local auth is disabled and the number of local users. If local auth is disabled or no local users exist, we can show only local login. If local auth is not disabled and local users exist, we can show the current login page.

What do you think?

[alex-kovoy]

if local_auth is set to false why would we need to check for local users as well to hide these input fields?

[russjones]

@alex-kovoy If local auth is disabled or no users exists (local auth being on in this case).

[dadayoo]

@benarent (1) is already available, set local_auth: false in file configuration. See the following PR: #2575

For (2), when hitting the endpoint to fetch the login page, we can check if local auth is disabled and the number of local users. If local auth is disabled or no local users exist, we can show only local login. If local auth is not disabled and local users exist, we can show the current login page.

What do you think?

where we set local_auth: false? i'm running teleport v3.2

[robertwenquan]

tried to set local_auth: false under auth_service but seems it's not working after the service restart.

I am with Enterprise v4.0.0

# teleport version
Teleport Enterprise v4.0.0git:v4.0.0-0-gc7f55ac3 go1.12.1

[dadayoo]

tried to set local_auth: false under auth_service but seems it's not working after the service restart.

I am with Enterprise v4.0.0

# teleport version
Teleport Enterprise v4.0.0git:v4.0.0-0-gc7f55ac3 go1.12.1

emm..not working at v3.2

[alex-kovoy]

This feature request has not been implemented yet, so it's not currently possible to hide username/password input fields from web UI. So even if local auth is disabled on the server, the web UI will show these fields.

[robertwenquan]

Thanks @alex-kovoy . That solves the myth.

[webvictim]

FYI for anyone who discovers this, the syntax for the local_auth setting is:

auth_service:
  authentication:
    local_auth: false

As noted in other comments, however, it doesn't currently disable display of the login boxes - it just disables the ability to create and log in with local users.

[webvictim]

Another request for this feature today.

[benarent]

We've a lot of changes coming in 4.2 but since we've just completely rebuilt the UI this should be easier for us to execute on. I'm going to put this into the 4.2 milestone.

[benarent]

We've another use case for gravitational/gravity#1006, in which a customer simply wants to

I would like to be able to hide user/pw fields as well, while still allowing "robot" users to log in via tele login

[webvictim]

This issue is closed, but the feature hasn't been rolled out. Is this specifically targetted to Teleport 5.0 only and we won't be adding it beforehand?

[kimlisa]

@webvictim yes, the PR got merged against hornet branch which is teleport v5.