From f057b7523bcfdfd63608d3cecb7cbbe0b95ac378 Mon Sep 17 00:00:00 2001 From: Zac Bergquist Date: Fri, 11 Mar 2022 16:22:24 -0700 Subject: [PATCH] Update docs for FIPS users In order to configure WebAuthn on FIPS builds, you must set local_auth to false and second_factor to optional. Fixes #11080 --- .../access-controls/guides/per-session-mfa.mdx | 16 ++++++++++++++-- 1 file changed, 14 insertions(+), 2 deletions(-) diff --git a/docs/pages/access-controls/guides/per-session-mfa.mdx b/docs/pages/access-controls/guides/per-session-mfa.mdx index 3fd942e371f20..299e7cfcbe673 100644 --- a/docs/pages/access-controls/guides/per-session-mfa.mdx +++ b/docs/pages/access-controls/guides/per-session-mfa.mdx @@ -17,12 +17,10 @@ This is an advanced security feature that protects users against compromises of their on-disk Teleport certificates. - In addition to per-session MFA, enable login MFA in your SSO provider and/or for all [local Teleport users](../../setup/reference/authentication.mdx#local-no-authentication-connector) to improve security. -
+Teleport FIPS builds disable local users. To configure WebAuthn in order to use +per-session MFA with FIPS builds, provide the following in your `teleport.yaml`: + +```yaml +teleport: + auth_service: + local_auth: false + second_factor: optional + webauthn: + rp_id: teleport.example.com +``` + + ## Configuration Per-session MFA can be enforced cluster-wide or only for some specific roles.
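Review bot: In the first hunk, the retained sentence still tells readers to enable login MFA "for all local Teleport users", while the text added just below it states that FIPS builds disable local users. A FIPS reader gets conflicting guidance from the two paragraphs. Suggest qualifying the existing sentence or adding one to the new paragraph that says login MFA on FIPS builds has to be enforced in the SSO provider, since the local-user option does not apply there.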
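Review bot: The key paths in the added YAML example do not match the layout of `teleport.yaml`. The snippet lists `auth_service:` beneath `teleport:` and puts `local_auth`, `second_factor` and `webauthn` directly under `auth_service:`, with no `authentication:` level. In the config file `auth_service` is a top-level section next to `teleport`, and these three settings belong under `auth_service.authentication`. Please correct the nesting so a copy-paste produces the intended configuration. The prose should also say why `second_factor` has to be `optional` here and that `teleport.example.com` is a placeholder for the cluster's own domain. The commit message states that both settings are required, but the added doc text only says "provide the following".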