gravitational · Joerger · Nov 5, 2024 · Oct 26, 2024 · Oct 26, 2024 · Oct 26, 2024
diff --git a/api/client/webclient/webclient.go b/api/client/webclient/webclient.go
@@ -464,6 +464,8 @@ type SAMLSettings struct {
 	Display string `json:"display"`
 	// SingleLogoutEnabled is whether SAML SLO (single logout) is enabled for this auth connector.
 	SingleLogoutEnabled bool `json:"singleLogoutEnabled,omitempty"`
+	// SSO is the URL of the identity provider's SSO service.
+	SSO string
 }
 
 // OIDCSettings contains the Name and Display string for OIDC.
@@ -472,6 +474,8 @@ type OIDCSettings struct {
 	Name string `json:"name"`
 	// Display is the display name for the connector.
 	Display string `json:"display"`
+	// Issuer URL is the endpoint of the provider
+	IssuerURL string
 }
 
 // GithubSettings contains the Name and Display string for Github connector.
@@ -480,6 +484,8 @@ type GithubSettings struct {
 	Name string `json:"name"`
 	// Display is the connector display name
 	Display string `json:"display"`
+	// EndpointURL is the endpoint URL.
+	EndpointURL string
 }
 
 // DeviceTrustSettings holds cluster-wide device trust settings that are liable

diff --git a/api/profile/profile.go b/api/profile/profile.go
@@ -119,6 +119,9 @@ type Profile struct {
 
 	// SSHDialTimeout is the timeout value that should be used for SSH connections.
 	SSHDialTimeout time.Duration `yaml:"ssh_dial_timeout,omitempty"`
+
+	// SSOHostname is the hostname of the SSO provider used to login..
+	SSOHostname string `yaml:"sso_hostname,omitempty"`
 }
 
 // Copy returns a shallow copy of p, or nil if p is nil.

diff --git a/gen/proto/go/teleport/lib/teleterm/v1/cluster.pb.go b/gen/proto/go/teleport/lib/teleterm/v1/cluster.pb.go
diff --git a/gen/proto/ts/teleport/lib/teleterm/v1/cluster_pb.ts b/gen/proto/ts/teleport/lib/teleterm/v1/cluster_pb.ts
diff --git a/lib/client/api.go b/lib/client/api.go
@@ -516,6 +516,9 @@ type Config struct {
 	// HasTouchIDCredentialsFunc allows tests to override touchid.HasCredentials.
 	// If nil touchid.HasCredentials is used.
 	HasTouchIDCredentialsFunc func(rpID, user string) bool
+
+	// SSOHostname is the hostname of the SSO provider used to login..
+	SSOHostname string
 }
 
 // CachePolicy defines cache policy for local clients
@@ -847,6 +850,8 @@ func (c *Config) LoadProfile(ps ProfileStore, proxyAddr string) error {
 	c.PIVSlot = profile.PIVSlot
 	c.SAMLSingleLogoutEnabled = profile.SAMLSingleLogoutEnabled
 	c.SSHDialTimeout = profile.SSHDialTimeout
+	c.SSOHostname = profile.SSOHostname
+
 	c.AuthenticatorAttachment, err = parseMFAMode(profile.MFAMode)
 	if err != nil {
 		return trace.BadParameter("unable to parse mfa mode in user profile: %v.", err)
@@ -897,6 +902,7 @@ func (c *Config) Profile() *profile.Profile {
 		PIVSlot:                       c.PIVSlot,
 		SAMLSingleLogoutEnabled:       c.SAMLSingleLogoutEnabled,
 		SSHDialTimeout:                c.SSHDialTimeout,
+		SSOHostname:                   c.SSOHostname,
 	}
 }
 
@@ -4261,7 +4267,9 @@ You may use the --skip-version-check flag to bypass this check.
 	// cached, there is no need to do this test again.
 	tc.TLSRoutingConnUpgradeRequired = client.IsALPNConnUpgradeRequired(ctx, tc.WebProxyAddr, tc.InsecureSkipVerify)
 
-	tc.applyAuthSettings(pr.Auth)
+	if err := tc.applyAuthSettings(pr.Auth); err != nil {
+		return nil, trace.Wrap(err)
+	}
 
 	tc.lastPing = pr
 
@@ -4540,7 +4548,7 @@ func (tc *TeleportClient) applyProxySettings(proxySettings webclient.ProxySettin
 
 // applyAuthSettings updates configuration changes based on the advertised
 // authentication settings, overriding existing fields in tc.
-func (tc *TeleportClient) applyAuthSettings(authSettings webclient.AuthenticationSettings) {
+func (tc *TeleportClient) applyAuthSettings(authSettings webclient.AuthenticationSettings) error {
 	tc.LoadAllCAs = authSettings.LoadAllCAs
 
 	// If PIVSlot is not already set, default to the server setting.
@@ -4552,6 +4560,25 @@ func (tc *TeleportClient) applyAuthSettings(authSettings webclient.Authenticatio
 	if authSettings.PrivateKeyPolicy != "" && !authSettings.PrivateKeyPolicy.IsSatisfiedBy(tc.PrivateKeyPolicy) {
 		tc.PrivateKeyPolicy = authSettings.PrivateKeyPolicy
 	}
+
+	var ssoURL *url.URL
+	var err error
+	switch {
+	case authSettings.OIDC != nil:
+		ssoURL, err = url.Parse(authSettings.OIDC.IssuerURL)
+	case authSettings.SAML != nil:
+		ssoURL, err = url.Parse(authSettings.SAML.SSO)
+	case authSettings.Github != nil:
+		ssoURL, err = url.Parse(authSettings.Github.EndpointURL)
+	}
+	if err != nil {
+		return trace.Wrap(err)
+	}
+	if ssoURL != nil {
+		tc.SSOHostname = ssoURL.Hostname()
+	}
+
+	return nil
 }
 
 // AddTrustedCA adds a new CA as trusted CA for this client, used in tests

diff --git a/lib/client/client_store.go b/lib/client/client_store.go
@@ -202,6 +202,7 @@ func (s *Store) ReadProfileStatus(profileName string) (*ProfileStatus, error) {
 				// Set ValidUntil to now to show that the keys are not available.
 				ValidUntil:              time.Now(),
 				SAMLSingleLogoutEnabled: profile.SAMLSingleLogoutEnabled,
+				SSOHostname:             profile.SSOHostname,
 			}, nil
 		}
 		return nil, trace.Wrap(err)
@@ -217,6 +218,7 @@ func (s *Store) ReadProfileStatus(profileName string) (*ProfileStatus, error) {
 		SiteName:                profile.SiteName,
 		KubeProxyAddr:           profile.KubeProxyAddr,
 		SAMLSingleLogoutEnabled: profile.SAMLSingleLogoutEnabled,
+		SSOHostname:             profile.SSOHostname,
 		IsVirtual:               !onDisk,
 	})
 }

diff --git a/lib/client/profile.go b/lib/client/profile.go
@@ -242,6 +242,9 @@ type ProfileStatus struct {
 	// SAMLSingleLogoutEnabled is whether SAML SLO (single logout) is enabled, this can only be true if this is a SAML SSO session
 	// using an auth connector with a SAML SLO URL configured.
 	SAMLSingleLogoutEnabled bool
+
+	// SSOHostname is the hostname of the SSO provider used to login..
+	SSOHostname string
 }
 
 // profileOptions contains fields needed to initialize a profile beyond those
@@ -255,6 +258,7 @@ type profileOptions struct {
 	KubeProxyAddr           string
 	IsVirtual               bool
 	SAMLSingleLogoutEnabled bool
+	SSOHostname             string
 }
 
 // profileStatueFromKeyRing returns a ProfileStatus for the given key ring and options.
@@ -375,6 +379,7 @@ func profileStatusFromKeyRing(keyRing *KeyRing, opts profileOptions) (*ProfileSt
 		IsVirtual:               opts.IsVirtual,
 		AllowedResourceIDs:      allowedResourceIDs,
 		SAMLSingleLogoutEnabled: opts.SAMLSingleLogoutEnabled,
+		SSOHostname:             opts.SSOHostname,
 	}, nil
 }
 

diff --git a/lib/teleterm/apiserver/handler/handler_clusters.go b/lib/teleterm/apiserver/handler/handler_clusters.go
@@ -105,6 +105,7 @@ func newAPIRootCluster(cluster *clusters.Cluster) *api.Cluster {
 			Roles:          loggedInUser.Roles,
 			ActiveRequests: loggedInUser.ActiveRequests,
 		},
+		SsoHostname: cluster.SSOHostname,
 	}
 
 	if cluster.GetProfileStatusError() != nil {

diff --git a/lib/teleterm/clusters/cluster.go b/lib/teleterm/clusters/cluster.go
@@ -62,6 +62,8 @@ type Cluster struct {
 	clusterClient *client.TeleportClient
 	// clock is a clock for time-related operations
 	clock clockwork.Clock
+	// SSOHostname is the hostname of the SSO provider used to login..
+	SSOHostname string
 }
 
 type ClusterWithDetails struct {

diff --git a/lib/teleterm/clusters/storage.go b/lib/teleterm/clusters/storage.go
@@ -245,6 +245,7 @@ func (s *Storage) fromProfile(profileName, leafClusterName string) (*Cluster, *c
 	}
 	if status != nil {
 		cluster.status = *status
+		cluster.SSOHostname = status.SSOHostname
 	}
 
 	return cluster, clusterClient, trace.Wrap(err)

diff --git a/lib/web/apiserver.go b/lib/web/apiserver.go
@@ -1300,8 +1300,9 @@ func oidcSettings(connector types.OIDCConnector, cap types.AuthPreference) webcl
 	return webclient.AuthenticationSettings{
 		Type: constants.OIDC,
 		OIDC: &webclient.OIDCSettings{
-			Name:    connector.GetName(),
-			Display: connector.GetDisplay(),
+			Name:      connector.GetName(),
+			Display:   connector.GetDisplay(),
+			IssuerURL: connector.GetIssuerURL(),
 		},
 		// Local fallback / MFA.
 		SecondFactor:            types.LegacySecondFactorFromSecondFactors(cap.GetSecondFactors()),
@@ -1320,6 +1321,7 @@ func samlSettings(connector types.SAMLConnector, cap types.AuthPreference) webcl
 			Name:                connector.GetName(),
 			Display:             connector.GetDisplay(),
 			SingleLogoutEnabled: connector.GetSingleLogoutURL() != "",
+			SSO:                 connector.GetSSO(),
 		},
 		// Local fallback / MFA.
 		SecondFactor:            types.LegacySecondFactorFromSecondFactors(cap.GetSecondFactors()),
@@ -1335,8 +1337,9 @@ func githubSettings(connector types.GithubConnector, cap types.AuthPreference) w
 	return webclient.AuthenticationSettings{
 		Type: constants.Github,
 		Github: &webclient.GithubSettings{
-			Name:    connector.GetName(),
-			Display: connector.GetDisplay(),
+			Name:        connector.GetName(),
+			Display:     connector.GetDisplay(),
+			EndpointURL: connector.GetEndpointURL(),
 		},
 		// Local fallback / MFA.
 		SecondFactor:            types.LegacySecondFactorFromSecondFactors(cap.GetSecondFactors()),

diff --git a/proto/teleport/lib/teleterm/v1/cluster.proto b/proto/teleport/lib/teleterm/v1/cluster.proto
@@ -64,6 +64,8 @@ message Cluster {
   // profile_status_error is set if there was an error when reading the profile.
   // This allows the app to be usable, when one or more profiles cannot be read.
   string profile_status_error = 12;
+  // sso_hostname is the hostname of the SSO provider used to login..
+  string sso_hostname = 13;
 }
 
 // ShowResources tells if the cluster can show requestable resources on the resources page.

diff --git a/web/packages/teleterm/src/mainProcess/rootClusterProxyHostAllowList.ts b/web/packages/teleterm/src/mainProcess/rootClusterProxyHostAllowList.ts
@@ -77,22 +77,24 @@ export function manageRootClusterProxyHostAllowList({
 
     allowList.clear();
     for (const rootCluster of rootClusters) {
-      if (!rootCluster.proxyHost) {
-        continue;
+      if (rootCluster.proxyHost) {
+        let browserProxyHost: string;
+        try {
+          browserProxyHost = proxyHostToBrowserProxyHost(rootCluster.proxyHost);
+        } catch (error) {
+          logger.error(
+            'Ran into an error when converting proxy host to browser proxy host',
+            error
+          );
+          continue;
+        }
+        allowList.add(browserProxyHost);
       }
 
-      let browserProxyHost: string;
-      try {
-        browserProxyHost = proxyHostToBrowserProxyHost(rootCluster.proxyHost);
-      } catch (error) {
-        logger.error(
-          'Ran into an error when converting proxy host to browser proxy host',
-          error
-        );
-        continue;
+      // Allow the SSO hostname for SSO login/mfa redirects.
+      if (rootCluster.ssoHostname) {
+        allowList.add(rootCluster.ssoHostname);
       }
-
-      allowList.add(browserProxyHost);
     }
   };
 

diff --git a/web/packages/teleterm/src/services/tshd/testHelpers.ts b/web/packages/teleterm/src/services/tshd/testHelpers.ts
@@ -92,6 +92,7 @@ export const makeRootCluster = (
   showResources: ShowResources.REQUESTABLE,
   profileStatusError: '',
   ...props,
+  ssoHostname: 'example.auth0.com',
 });
 
 export const makeLeafCluster = (
@@ -108,6 +109,7 @@ export const makeLeafCluster = (
   profileStatusError: '',
   showResources: ShowResources.UNSPECIFIED,
   ...props,
+  ssoHostname: 'example.auth0.com',
 });
 
 export const makeLoggedInUser = (