Teleport Connect allow SSO hostname #48035

Merged
merged 11 commits into from
Nov 5, 2024

@Joerger Joerger commented Oct 28, 2024

Update Teleport Connect's proxy host allow list to allow opening an SSO provider's hostname.

When pinging the Teleport proxy for a specific connector, include the SSO hostname so it can be included in client-side logic determining whether a URL hostname should be trusted or not. This allow list logic currently resides only in Connect, but we may want to consider adding it to tsh and tctl as well.

Note: This change is necessary for SSO MFA to work in Connect, as Connect opens the URL within the context of the proxy host allow list.
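
The following is an added illustration, not code from this pull request or from Teleport, of a client-side hostname allow list of the kind the description refers to: the proxy host is always trusted, and the SSO hostname is trusted only when the ping response carries it. The type and function names (`PingResponse`, `buildAllowList`, `isUrlAllowed`), the field `proxyPublicAddr` and all hostnames are assumptions made for the example; `ssoHostname` is modeled on the `SSOHostname` field mentioned in the review thread.

```typescript
// Added example with hypothetical names; not Teleport Connect's implementation.
interface PingResponse {
  proxyPublicAddr: string; // host:port of the proxy (constructed value below)
  ssoHostname?: string;    // absent when the proxy does not send it
}

// Hostnames are case-insensitive, and a trailing dot names the same host.
function normalizeHost(host: string): string {
  return host.trim().toLowerCase().replace(/\.$/, '');
}

function buildAllowList(ping: PingResponse): Set<string> {
  const allowed = new Set<string>();
  // Parse the proxy address so the port never becomes part of the comparison.
  allowed.add(normalizeHost(new URL(`https://${ping.proxyPublicAddr}`).hostname));
  if (ping.ssoHostname) {
    allowed.add(normalizeHost(ping.ssoHostname));
  }
  return allowed;
}

function isUrlAllowed(rawUrl: string, allowed: Set<string>): boolean {
  let url: URL;
  try {
    url = new URL(rawUrl);
  } catch {
    return false; // unparseable input is never opened
  }
  if (url.protocol !== 'https:') {
    return false;
  }
  // Compare the parsed hostname exactly. Prefix, suffix or substring checks on
  // the raw string would accept lookalike hosts and userinfo tricks.
  return allowed.has(normalizeHost(url.hostname));
}

// Constructed sample input.
const samplePing: PingResponse = {
  proxyPublicAddr: 'teleport.example.com:443',
  ssoHostname: 'idp.example.net',
};
const sampleAllowList = buildAllowList(samplePing);
console.log(isUrlAllowed('https://idp.example.net/sso/login', sampleAllowList));
console.log(isUrlAllowed('https://idp.example.net.other.test/', sampleAllowList));
```

When the ping response has no `ssoHostname`, the identity provider's URL is rejected, which is the compatibility case raised in the review thread below.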

@Joerger Joerger changed the title Teleport Connect allow SSO redirect URL Teleport Connect allow SSO hostname Oct 28, 2024
@github-actions github-actions bot requested a review from kiosion October 28, 2024 19:07

This pull request is automatically being deployed by Amplify Hosting (learn more).

Access this pull request here: https://pr-48035.d3pp5qlev8mo18.amplifyapp.com

This was referenced Oct 28, 2024
lib/client/profile.go Outdated
Member

What's the backward compatibility story going to look like here wrt SSO MFA? Do we run into a risk of Connect v17 wanting to use SSO MFA but not being able to because the proxy is on an older version which does not send SSOHostname?

Contributor Author

SSO MFA is being released in v17 so if we can get this in for v17.0.0 we won't have any issues.

lib/client/profile.go
@Joerger Joerger added the no-changelog label (Indicates that a PR does not require a changelog entry) Oct 30, 2024
@Joerger Joerger requested review from ravicious and gzdunek October 30, 2024 19:49
@Joerger Joerger requested a review from ravicious November 4, 2024 18:43
lib/client/api.go Outdated
@Joerger Joerger enabled auto-merge November 5, 2024 18:26
@Joerger Joerger added this pull request to the merge queue Nov 5, 2024
Merged via the queue into master with commit 0927b6f Nov 5, 2024
45 checks passed
@Joerger Joerger deleted the joerger/connect-allow-sso-redirect-url branch November 5, 2024 19:01
@public-teleport-github-review-bot

@Joerger See the table below for backport results.

| Branch | Result |
| --- | --- |
| branch/v17 | Create PR |

Labels: backport/branch/v17, no-changelog (Indicates that a PR does not require a changelog entry), size/sm, ui

3 participants