Supported SSO/IDP/IAM providers

Tailscale plugs into the identity provider your company already uses, providing network-layer authorization functionality on top.

Tailscale currently supports these identity providers for login services:

  • Google GSuite (including gmail.com addresses)
  • Office365 / Azure Active Directory (including Microsoft Accounts)
  • Okta (Okta activation instructions)
  • OneLogin
  • Ping Identity
  • SAP Identity Manager

When you activate your company’s domain name with Tailscale for the first time, one of the steps is to choose which identity provider you want to use.

gmail.com addresses are treated specially: they always authenticate through Google without needing to be configured first.

Once you’ve authenticated a Tailscale agent by connecting it to your identity provider, it automatically exchanges keys and connectivity information with the Tailscale Coordination Server and connects to other Tailscale agents on your network, subject to your security policy.

Can I sign up with an email address?

We don’t support sign-up with email addresses. By design, Tailscale is not an identity provider: there are no Tailscale passwords, account recovery, etc.

Using an identity provider is not only more secure than email and password, but it also allows us to automatically rotate connection encryption keys, follow security policies set by your team (e.g. 2FA), and more.

We plan to support more auth providers in the future. If you’d like to request support for specific providers, please let us know.
