Update docs for FIPS users

In order to configure WebAuthn on FIPS builds, you must set local_auth to false and second_factor to optional. Fixes #11080
gravitational · Mar 14, 2022 · 0d9d75e · 0d9d75e
1 parent e945e62
commit 0d9d75e
Showing 1 changed file with 14 additions and 0 deletions.
diff --git a/docs/pages/access-controls/guides/per-session-mfa.mdx b/docs/pages/access-controls/guides/per-session-mfa.mdx
@@ -49,6 +49,20 @@ their on-disk Teleport certificates.
   https://developers.yubico.com/WebAuthn/WebAuthn_Browser_Support/) (if using
   SSH from the Teleport Web UI)
 
+<Admonition type="note" title="Per-session MFA with FIPS">
+Teleport FIPS builds disable local users. To configure WebAuthn in order to use
+per-session MFA with FIPS builds, provide the following in your `teleport.yaml`:
+
+```yaml
+teleport:
+  auth_service:
+    local_auth: false
+    second_factor: optional
+    webauthn:
+      rp_id: teleport.example.com
+```
+</Admonition>
+
 ## Configuration
 
 Per-session MFA can be enforced cluster-wide or only for some specific roles.