diff --git a/docs/docs/administer/troubleshoot.mdx b/docs/docs/administer/troubleshoot.mdx index ecea651be..54bebc44a 100644 --- a/docs/docs/administer/troubleshoot.mdx +++ b/docs/docs/administer/troubleshoot.mdx @@ -165,12 +165,12 @@ sudo firezone-ctl create-or-reset-admin -## Re-enable local authentication in CLI +## Re-enable local authentication via CLI -For production deployments, we recommend adding a TOTP-based second factor to -admin accounts. If you promoted an account authenticated through an identity -provider, you can consider disabling local authentication for additional -security. +When using the local authentication method we recommend adding a +[TOTP-based second factor](/authenticate/multi-factor/) to admin accounts. +If you've configured an [OIDC](/authenticate/oidc/) or [SAML](/authenticate/saml/) +provider, you can consider disabling local authentication for additional security. If issues arise with your identity provider integration, it's possible you could be locked out of the admin portal. To re-enable local authentication so diff --git a/docs/docs/authenticate/README.mdx b/docs/docs/authenticate/README.mdx index d20859370..ceef4522f 100644 --- a/docs/docs/authenticate/README.mdx +++ b/docs/docs/authenticate/README.mdx @@ -37,11 +37,6 @@ Open a [Github issue](https://github.com/firezone/firezone/issues) to request documentation or submit a pull request to add documentation for your provider. -Need help setting up SSO? Join our [Firezone Slack group -](https://www.firezone.dev/slack?utm_source=docs.firezone.dev) for community support or -[contact us for paid, hands-on support -](https://www.firezone.dev/contact/sales?utm_source=docs.firezone.dev). - ### The OIDC Redirect URL For each OIDC provider a corresponding URL is created for redirecting to 
@@ -99,3 +94,6 @@ A user's connection status is shown on the Users page under the table column * DISABLED - The connection is disabled by an administrator or OIDC refresh failure. * EXPIRED - The connection is disabled due to authentication expiration or a user has not signed in for the first time. + +import SupportOptions from '@site/src/partials/_support_options.mdx'; + diff --git a/docs/docs/authenticate/local-auth.mdx b/docs/docs/authenticate/local-auth.mdx index 682e5d198..2307965ee 100644 --- a/docs/docs/authenticate/local-auth.mdx +++ b/docs/docs/authenticate/local-auth.mdx @@ -10,11 +10,19 @@ the Firezone portal. Administrators can add users and assign their passwords on the `/users` page. See [Add users](/user-guides/add-users/) for more details. :::note -For production installations, we highly recommend [enabling TOTP-based MFA](/authenticate/multi-factor/) -for any accounts using the local authentication method. +Although local authentication is quick and easy to get started with, you can +limit attack surface by [disabling local authentication](#disabling-local-authentication) +altogether. See our [OIDC](/authenticate/oidc/) or [SAML](/authenticate/saml/) guides +for details. ::: +We recommend [enabling TOTP-based MFA](/authenticate/multi-factor/) for any +accounts that use the local authentication method. + ## Disabling local authentication -If you wish to completely disable local authentication in favor of an SSO-only -approach, see our [OIDC](/authenticate/oidc/) or [SAML](/authenticate/saml/) guides. +Local authentication can be enabled or disabled from the `/settings/security` page. +If you've disabled local authentication and can no longer authenticate to the portal +to re-enable it, see our [troubleshooting guide +](/administer/troubleshoot#re-enable-local-authentication-via-cli) for re-enabling +local authentication from the CLI. 
diff --git a/docs/docs/deploy/security-considerations.mdx b/docs/docs/deploy/security-considerations.mdx index 811ac065e..0649c1a38 100644 --- a/docs/docs/deploy/security-considerations.mdx +++ b/docs/docs/deploy/security-considerations.mdx @@ -44,6 +44,7 @@ Shown below is a table of default ports used by Firezone services. For production deployments of Firezone, we recommend you disable local authentication altogether by setting `default['firezone']['authentication']['local']['enabled'] = false` (Omnibus-based deployments) or `LOCAL_AUTH_ENABLED=false` (Docker-based deployments). +Local authentication can also be disabled on the `/settings/security` page. :::caution Ensure you've set up a working [OIDC](/authenticate/oidc/) or [SAML](/authenticate/saml/)-based
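Review bot: in the `troubleshoot.mdx` hunk, renaming the heading from `## Re-enable local authentication in CLI` to `## Re-enable local authentication via CLI` changes the generated anchor from `#re-enable-local-authentication-in-cli` to `#re-enable-local-authentication-via-cli`, so any existing inbound link to the old slug (other docs pages, external bookmarks) will silently land at the top of the page rather than at the recovery procedure; please grep the repo for the old slug and consider adding a redirect. The new sentence `When using the local authentication method we recommend adding a` also needs a comma after `method`.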
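Review bot: in the `README.mdx` hunk at `@@ -99,3 +94,6 @@`, the file gains `import SupportOptions from '@site/src/partials/_support_options.mdx';` but never renders `<SupportOptions />`, so the partial is imported and discarded, while the earlier hunk in the same file removes the Slack and paid-support paragraph outright; the net effect is that readers of this page lose the support pointer entirely. Add a `<SupportOptions />` line after the import, and confirm `_support_options.mdx` exists at that path, since the partial itself is not part of this diff.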
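Review bot: in the `local-auth.mdx` hunk, the new `:::note` tells readers they can limit attack surface by disabling local authentication and then says `See our [OIDC](/authenticate/oidc/) or [SAML](/authenticate/saml/) guides for details`, but those guides cover setting up a provider, while the actual switch is on `/settings/security` according to the `## Disabling local authentication` section a few lines below. Reword so the order is explicit: first configure and verify an OIDC or SAML sign-in, then disable local authentication; otherwise a reader who flips the switch first locks themselves out, which is exactly the failure the new link to `#re-enable-local-authentication-via-cli` exists to recover from. The `security-considerations.mdx` hunk already carries a `:::caution` to this effect; reuse it here.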
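Review bot: the added line `Local authentication can also be disabled on the `/settings/security` page.` introduces a second control without saying how it interacts with `default['firezone']['authentication']['local']['enabled'] = false` or `LOCAL_AUTH_ENABLED=false`: does the configuration value overwrite the UI setting on reconfigure or restart, or does the UI setting persist and win? An operator who sets the variable to `false` and later finds local auth re-enabled through the UI (or the reverse) needs to know which one is authoritative, so state the precedence here or link to the `## Disabling local authentication` section in `local-auth.mdx` where it can be documented once.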