Supported SSO identity providers

Tailscale works on top of the identity provider (IdP) or single sign-on (SSO) provider that you already use.

Set up an identity provider

When you activate your domain name with Tailscale for the first time, you must choose which identity provider you want to use.

You need to be an Owner of a tailnet in order to set up an identity provider.

Supported standard identity providers

Tailscale natively supports the identity providers listed under "Identity provider availability by plan" below, split into standard and advanced integrations depending on your plan.

Supported custom identity providers

In addition to the natively supported identity providers, Tailscale also lets you authenticate with custom OpenID Connect (OIDC) providers. For the list of custom identity providers that Tailscale has successfully tested, see Additional provider configurations.

Support for passkeys

Tailscale supports the use of passkey authentication for any tailnet that you are authorized to join.

Signing up with an email address

Tailscale does not support sign-up with email addresses. By design, Tailscale is not an identity provider—there are no Tailscale passwords.

Using an identity provider is not only more secure than email and password; it also lets Tailscale automatically rotate connection encryption keys, follow the security policies set by your team (for example, MFA), and more.

Support for 2FA and MFA

Tailscale supports two-factor and multi-factor authentication.

Tailscale does not handle authentication itself. Instead, you can enable 2FA and MFA features in your single sign-on identity provider, and they will apply to all your apps, including Tailscale.

Changing identity providers

You need to be an Owner, Admin, or IT admin of a tailnet in order to change the identity provider configuration.

If you need to change identity providers, contact support.

Unfortunately, we cannot migrate your tailnet to or from GitHub or Apple as an identity provider.

What Tailscale accesses from identity providers

Tailscale uses OpenID Connect (OIDC) for authentication.

Tailscale requests the minimum access needed to function. When authenticating to Tailscale, your identity provider must share each user's email address and name. Some providers also share a user photo; in this case, Tailscale stores the photo URL but not the photo itself.

Tailscale only uses your organization’s team membership to ensure users can join the tailnet for their organization. With the GitHub identity provider, Tailscale requests the minimum set of permissions needed to get team membership, which includes access to your repositories and project boards. Tailscale does not use any content in your repositories or project boards.

Tailscale requests the minimum number of scopes required to operate. Information on how we use your data can be found in our privacy policy.

Identity provider availability by plan

Standard identity provider integrations (available on all plans):
  • Google
  • Microsoft
  • GitHub
  • Keycloak
  • Dex
  • GitLab self-managed
  • Ory self-hosted
  • ZITADEL Open Source
  • Authentik
  • Apple
  • Authelia
  • Codeberg
  • Gitea

Advanced identity provider integrations (available on the Personal, Premium, and Enterprise plans):
  • Okta
  • OneLogin
  • JumpCloud
  • Auth0
  • Duo
  • GitLab
  • Ory Network
  • Ping Identity
  • ZITADEL Cloud
  • AWS Cognito
  • Other custom OIDC providers