What would you like Teleport to do?

Teleport only supports MFA challenges for per-session MFA policies for an SSO user. If a user has a requirement for hardware token MFA devices (which Teleport supports), but they use an SSO provider that doesn't support those, they're kind of stuck.

It would be fantastic for Teleport to be able to require the MFA challenge after successful SSO auth as an opt-in policy/setting for users with that use-case. ADFS doesn't support a YubiKey/hardware token MFA challenge, for example.

What problem does this solve?

The proposed feature would handle use cases where a third-party Identity Provider (IDP) such as Active Directory (AD) does not natively support their preferred MFA device, like YubiKeys. This addition would be an additional layer in a multi-layered security model.

If a workaround exists, please include it.

Implementing per-session MFA can protect some Teleport Protected Resources, but has other user experience implications. It doesn't keep users from accessing the Web UI either.