diff --git a/lib/client/sso/ceremony.go b/lib/client/sso/ceremony.go
index b9643a52578bb..8a2a64debfe49 100644
--- a/lib/client/sso/ceremony.go
+++ b/lib/client/sso/ceremony.go
@@ -97,6 +97,7 @@ func (m *MFACeremony) Run(ctx context.Context, chal *proto.MFAAuthenticateChalle
 	}, nil
 }
 
+// Close closes resources associated with the SSO MFA ceremony.
 func (m *MFACeremony) Close() {
 	if m.close != nil {
 		m.close()
@@ -104,6 +105,7 @@ func (m *MFACeremony) Close() {
 }
 
 // NewCLIMFACeremony creates a new CLI SSO ceremony from the given redirector.
+// The returned MFACeremony takes ownership of the Redirector.
 func NewCLIMFACeremony(rd *Redirector) *MFACeremony {
 	return &MFACeremony{
 		clientCallbackURL: rd.ClientCallbackURL,
diff --git a/lib/client/sso/ceremony_test.go b/lib/client/sso/ceremony_test.go
index c86c2f63cb598..4ea904697c8aa 100644
--- a/lib/client/sso/ceremony_test.go
+++ b/lib/client/sso/ceremony_test.go
@@ -116,7 +116,6 @@ func TestCLICeremony_MFA(t *testing.T) {
 		Stderr:    stderr,
 	})
 	require.NoError(t, err)
-	t.Cleanup(rd.Close)
 
 	// Construct a fake mfa response with the redirector's client callback URL.
 	successResponseURL, err := web.ConstructSSHResponse(web.AuthParams{
@@ -132,6 +131,7 @@ func TestCLICeremony_MFA(t *testing.T) {
 	t.Cleanup(mockIdPServer.Close)
 
 	ceremony := sso.NewCLIMFACeremony(rd)
+	t.Cleanup(ceremony.Close)
 
 	// Modify handle redirect to also browse to the clickable URL printed to stderr.
 	baseHandleRedirect := ceremony.HandleRedirect