diff --git a/api/types/mfa.go b/api/types/mfa.go index ce77e09341b0b..cd4f2ce7bbfd4 100644 --- a/api/types/mfa.go +++ b/api/types/mfa.go @@ -125,6 +125,8 @@ func (d *MFADevice) WithoutSensitiveData() (*MFADevice, error) { // OK, no sensitive secrets. case *MFADevice_Webauthn: // OK, no sensitive secrets. + case *MFADevice_Sso: + // OK, no sensitive secrets. default: return nil, trace.BadParameter("unsupported MFADevice type %T", d.Device) } @@ -146,13 +148,15 @@ func (d *MFADevice) SetExpiry(exp time.Time) { d.Metadata.SetExpiry(exp) } // MFAType returns the human-readable name of the MFA protocol of this device. func (d *MFADevice) MFAType() string { - switch d.Device.(type) { + switch d := d.Device.(type) { case *MFADevice_Totp: return "TOTP" case *MFADevice_U2F: return "U2F" case *MFADevice_Webauthn: return "WebAuthn" + case *MFADevice_Sso: + return d.Sso.ConnectorType default: return "unknown" } diff --git a/lib/auth/auth.go b/lib/auth/auth.go index e02c910f808ed..b4c936021ada1 100644 --- a/lib/auth/auth.go +++ b/lib/auth/auth.go @@ -6630,6 +6630,7 @@ func (a *Server) mfaAuthChallenge(ctx context.Context, user string, challengeExt type devicesByType struct { TOTP bool Webauthn []*types.MFADevice + SSO *types.SSOMFADevice } func groupByDeviceType(devs []*types.MFADevice, groupWebauthn bool) devicesByType { @@ -6646,6 +6647,8 @@ func groupByDeviceType(devs []*types.MFADevice, groupWebauthn bool) devicesByTyp if groupWebauthn { res.Webauthn = append(res.Webauthn, dev) } + case *types.MFADevice_Sso: + res.SSO = dev.GetSso() default: log.Warningf("Skipping MFA device of unknown type %T.", dev.Device) }
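Review bot: The new `*MFADevice_Sso` case in WithoutSensitiveData asserts `// OK, no sensitive secrets.`, but the SSO device message is defined outside this diff, so the claim cannot be checked here. Nothing visible would catch a field added to that message later that ought to be stripped. Consider a unit test asserting that WithoutSensitiveData on an SSO device returns only the fields meant to leave the auth server, and have the comment name the fields that were reviewed. The function body starts and ends outside the hunk.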
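Review bot: `return d.Sso.ConnectorType` in the new `*MFADevice_Sso` case of MFAType dereferences `d.Sso` without a nil check, so a stored device whose oneof wrapper is set but whose inner message is missing would panic here. A guard such as `if d.Sso == nil || d.Sso.ConnectorType == "" { return "unknown" }` before the return avoids that and stops an empty connector type being returned as the human-readable name. The rebinding `switch d := d.Device.(type)` also shadows the receiver `d`, so a distinct name such as `dev` would be clearer. The other cases return fixed protocol names, so the doc comment should say the SSO case returns the connector type stored on the device.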
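Review bot: `res.SSO = dev.GetSso()` in the new `*types.MFADevice_Sso` case of groupByDeviceType overwrites any earlier value, so if `devs` holds more than one SSO device the last one in slice order silently wins. If a single device is expected, make that explicit with `if res.SSO == nil { res.SSO = dev.GetSso() }`, or log the extra device the way the default branch logs unknown types. Unlike the Webauthn branch, this case is not gated by any flag, so whether SSO is an allowed second factor presumably has to be enforced by the caller, which is outside this hunk. The new field in `devicesByType` would benefit from a comment such as `// SSO is the user's SSO MFA device, nil when none is registered.` The function body starts and ends outside the hunk.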