SSO guide: best practice for email 2FA (#25005)
Fleet shipped email 2FA. User story is here (#22078)

- Add best practice to guides:
  - Email 2FA for "break-glass" user
  - SSO for all other users
- Update pricing page to link to feature request instead of the user
story.

---------

Co-authored-by: Marko Lisica <83164494+marko-lisica@users.noreply.github.com>
noahtalerman and marko-lisica authored Dec 25, 2024
1 parent 7dc840c commit ec43ee2
Showing 3 changed files with 11 additions and 1 deletion.
10 changes: 10 additions & 0 deletions docs/Deploy/single-sign-on-sso.md
Expand Up @@ -191,6 +191,16 @@ Here's a `SAMLResponse` sample to set the role of SSO users to `observer` in tea

Each IdP will have its own way of setting these SAML custom attributes, here are instructions for how to set it for Okta: https://support.okta.com/help/s/article/How-to-define-and-configure-a-custom-SAML-attribute-statement?language=en_US.

## Email two-factor authentication (2FA)

If you have a "break glass" Fleet user account that's used to login to Fleet when your identify provider (IdP) goes down, you can enable email 2FA, also known as multi-factor authentication (MFA), for this user. For all other users, the best practice is to enable single-sign on (SSO). Then, you can enforce any 2FA method supported by your IdP (i.e. authenticator app, security key, etc.).

Users with email 2FA enabled will get this email when they login to Fleet:

![Example two-factor authentication (2FA) email](https://raw.githubusercontent.com/fleetdm/fleet/main/docs/images/email-two-factor-authentication-576x638@2x.png)

You can't edit the authentication method for your currently logged-in user. To enable email 2FA for a user, login with a different user who has the admin role and head to **Settings > Users**.

<meta name="title" value="Single sign-on (SSO)">
<meta name="pageOrderInSection" value="200">
<meta name="description" value="Learn how to configure single sign-on (SSO)">
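Review bot: the new "Email two-factor authentication (2FA)" section has several wording errors that should be fixed before merge: "identify provider (IdP)" should read "identity provider (IdP)", "single-sign on (SSO)" should be "single sign-on (SSO)", and "login to Fleet" / "they login" / "login with a different user" use the noun form where the verb "log in" is meant. The parenthetical "(i.e. authenticator app, security key, etc.)" lists examples, so "e.g." is the right abbreviation. Since this section positions email 2FA as the break-glass path for when the IdP is down, it would also help to state that the break-glass user's second factor depends on Fleet's email delivery working independently of the IdP, so readers know what to verify when they test that account.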
2 changes: 1 addition & 1 deletion handbook/company/pricing-features-table.yml
Expand Up @@ -146,7 +146,7 @@
# ║ ║║║║ ║───╠╣ ╠═╣║ ║ ║ ║╠╦╝ ╠═╣║ ║ ║ ╠═╣║╣ ║║║ ║ ║║ ╠═╣ ║ ║║ ║║║║
# ╩ ╚╩╝╚═╝ ╚ ╩ ╩╚═╝ ╩ ╚═╝╩╚═ ╩ ╩╚═╝ ╩ ╩ ╩╚═╝╝╚╝ ╩ ╩╚═╝╩ ╩ ╩ ╩╚═╝╝╚╝
- industryName: Two-factor authentication
moreInfoUrl: https://github.com/fleetdm/fleet/issues/22078
moreInfoUrl: https://github.com/fleetdm/fleet/issues/5478
productCategories: [Endpoint operations,Device management,Vulnerability management]
pricingTableCategories: [Configuration]
usualDepartment: IT
Expand Down
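Review bot: the `moreInfoUrl` change for the "Two-factor authentication" entry swaps issue #22078 for #5478, which matches the commit message's stated intent of linking the feature request rather than the user story; please confirm #5478 is the feature request and not a different issue, since nothing in the hunk itself records the reason for the swap. A short `#` comment on the entry noting that the link should point at the feature request would prevent a future edit from pointing it back at a user story.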

0 comments on commit ec43ee2