Restrict login to SSO only

[F1L337]

Is your feature request related to a problem? Please describe.

• Users should be forced to use MFA when logging in to the admin (core) dashboard (not via username/password field)
• Solution should not make it more complicated for the user to use the system if SSO is available

Describe the solution you'd like

• Option to restrict login via SSO only
  -> Avoids the need to configure MFA inside Defguard
  -> Single point of configuration (here: inside SSO only)

Describe alternatives you've considered
None, except telling future users to enable MFA.

Additional context
None

[teon]

@F1L337 I assume you mean that the login/password fields shouldn’t be visible at all - so users would be forced to use only the SSO button?
The problem with that approach is that if your SSO encounters any issues (and we’ve seen cases where external SSOs change behavior or attributes), then no one - not even the admin - would be able to log in to the core system to fix the configuration, since SSO login wouldn’t work.

How would you see this handled instead?

[F1L337]

That's correct, by default they shouldn't be visible since the SSO handles the sign in.

Let's take Nextcloud as an example:
If you already have an active SSO session and open Nextcloud, you are automatically logged in using that session.
If no active session exists, you are redirected to the SSO login page.
If the SSO service is unavailable, you can modify the URL (/login?direct=1) to access the local login page and sign in with a local user account, independent of the SSO.

That way you can access as admin in case of failure and users can skip a login.

[teon]

@F1L337 ok got it. Thats actually a good idea to have an alternative login by options.

But we will add this as an option in settings as well.