From 0d9d75eecccdf83d7dccf493ba5a6ee998ca6654 Mon Sep 17 00:00:00 2001 From: Zac Bergquist Date: Fri, 11 Mar 2022 16:22:24 -0700 Subject: [PATCH] Update docs for FIPS users In order to configure WebAuthn on FIPS builds, you must set local_auth to false and second_factor to optional. Fixes #11080 --- .../access-controls/guides/per-session-mfa.mdx | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/docs/pages/access-controls/guides/per-session-mfa.mdx b/docs/pages/access-controls/guides/per-session-mfa.mdx index ea4c8d45c9743..0b1a798ed1a5e 100644 --- a/docs/pages/access-controls/guides/per-session-mfa.mdx +++ b/docs/pages/access-controls/guides/per-session-mfa.mdx @@ -49,6 +49,20 @@ their on-disk Teleport certificates. https://developers.yubico.com/WebAuthn/WebAuthn_Browser_Support/) (if using SSH from the Teleport Web UI) + +Teleport FIPS builds disable local users. To configure WebAuthn in order to use +per-session MFA with FIPS builds, provide the following in your `teleport.yaml`: + +```yaml +teleport: + auth_service: + local_auth: false + second_factor: optional + webauthn: + rp_id: teleport.example.com +``` + + ## Configuration Per-session MFA can be enforced cluster-wide or only for some specific roles.
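
Review bot: In the added YAML block, `local_auth`, `second_factor` and `webauthn` sit directly under `auth_service:` with no `authentication:` key, and `auth_service:` follows `teleport:`. In `teleport.yaml`, `auth_service` is a top-level section next to `teleport`, and these three settings belong under `auth_service: authentication:`. Please check the nesting against the configuration reference so that the snippet works when pasted. Separately, the new paragraph gives the reason for `local_auth: false` (FIPS builds disable local users) but not the reason `second_factor` has to be `optional`, which the commit message states as a requirement. A sentence explaining that, and what `optional` means for users who have not registered a WebAuthn device, would help readers who are trying to enforce per-session MFA.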