Resolve comments.

lib/client/api.go

@@ -4564,10 +4564,10 @@ func (tc *TeleportClient) applyAuthSettings(authSettings webclient.Authenticatio
 	var ssoURL *url.URL
 	var err error
 	switch {
-	case authSettings.OIDC != nil:
-		ssoURL, err = url.Parse(authSettings.OIDC.IssuerURL)
 	case authSettings.SAML != nil:
 		ssoURL, err = url.Parse(authSettings.SAML.SSO)
+	case authSettings.OIDC != nil:
+		ssoURL, err = url.Parse(authSettings.OIDC.IssuerURL)
 	case authSettings.Github != nil:
 		ssoURL, err = url.Parse(authSettings.Github.EndpointURL)
 	}

lib/web/apiserver.go

@@ -1321,7 +1321,10 @@ func samlSettings(connector types.SAMLConnector, cap types.AuthPreference) webcl
 			Name:                connector.GetName(),
 			Display:             connector.GetDisplay(),
 			SingleLogoutEnabled: connector.GetSingleLogoutURL() != "",
-			SSO:                 connector.GetSSO(),
+			// Note that we get the connector's primary SSO field, not the MFA SSO field.
+			// These two values are often unique, but should have the same host prefix
+			// (e.g. https://dev-813354.oktapreview.com) in reasonable, functional setups.
+			SSO: connector.GetSSO(),
 		},
 		// Local fallback / MFA.
 		SecondFactor:            types.LegacySecondFactorFromSecondFactors(cap.GetSecondFactors()),

web/packages/teleterm/src/mainProcess/rootClusterProxyHostAllowList.ts

@@ -90,9 +90,18 @@ export function manageRootClusterProxyHostAllowList({
         }
       }
 
-      // Allow the SSO hostname for SSO login/mfa redirects.
+      // Allow the SSO host for SSO login/mfa redirects.
       if (rootCluster.ssoHost) {
-        allowList.add(rootCluster.ssoHost);
+        let browserSsoHost: string;
+        try {
+          browserSsoHost = proxyHostToBrowserProxyHost(rootCluster.ssoHost);
+          allowList.add(browserSsoHost);
+        } catch (error) {
+          logger.error(
+            'Ran into an error when converting sso host to browser sso host',
+            error
+          );
+        }
       }
     }
   };