Alexander Klizhentas
I will take a closer look today, but meanwhile re: SOC2 question: > One question I had is where the SOC 2 guide should go. It's currently in the "Enterprise"...
One afterthought - I was trying to find a better name for "Use teleport" section. Technically it's all using teleport. I think a better name would be to "connect your...
@Tener CEL looks interesting. However, we are already using predicate in Teleport elsewhere - all roles, OIDC connectors, search expressions. For that reason sticking with predicate is a more reasonable choice...
@nklaassen I have successfully modeled the maps in another tool. Here is what I got: * Single map expression Each login rule only contains one expression that evaluates to a...
@nklaassen I don't think this will be hard to model lower and upper.
> A user has a single yubikey which they want to use with tsh login --piv to login to a single Teleport cluster. In this case, the user never needs...
> I agree with that, but there are a few things to consider. We may always decide to use the same slot. This would make the UX simpler. If the...
Some discussion notes: * This feature will be only available if `require_session_mfa: hardware-keys`. It will be enforced per session or cluster-wide if the auth-preference is set cluster wide. * When...
> Yes, that is my recollection as well. Touch is to be enforced by the per-session MFA settings, not PIV functionality per se. Can we use one touch activity for...
Let's proceed with your version that does not add any new configuration parameters and simply extends `require_session_mfa`. It has two advantages: * It does not introduce another, separate parameter *...