Supported SSO identity providers

Tailscale works on top of the identity provider (IdP) or single sign-on (SSO) provider that you already use.

Supported standard identity providers

Tailscale natively supports the following identity providers:

  • Apple
  • Google, including Gmail and Google Workspace (G Suite)
  • GitHub
  • Microsoft, including Microsoft Accounts, Office365, Active Directory, and Azure Active Directory (Azure AD)
  • Okta
  • OneLogin

A GitHub standalone account can only be used for a single-user tailnet. A free and easy method for adding multiple users to your tailnet is to create a GitHub organization. For more information, see Creating a multi-user tailnet with GitHub organizations.

Supported custom identity providers

In addition to the natively supported identity providers, Tailscale also allows you to authenticate with custom OpenID Connect (OIDC) providers. Tailscale has successfully tested several custom identity providers, including:

  • Auth0
  • Authelia
  • Authentik
  • Dex
  • Duo
  • GitLab and GitLab self-managed
  • JumpCloud
  • Ory Network and Ory self-hosted
  • ZITADEL Cloud and ZITADEL Open Source

When you activate your domain name with Tailscale for the first time, one of the steps is to choose which identity provider you want to use.

Once you’ve authenticated a Tailscale client by connecting it to your identity provider, it automatically exchanges keys and connectivity information and connects to other Tailscale clients on your network, subject to your security policy.

Support for 2FA and MFA

Tailscale supports two-factor and multi-factor authentication.

We never handle authentication itself. Instead, you can enable 2FA and MFA features in your single sign-on identity provider, and they will apply to all your apps, including Tailscale.

Signing up with an email address

We don’t support sign-up with email addresses. By design, Tailscale is not an identity provider—there are no Tailscale passwords.

Using an identity provider is not only more secure than email and password, but also allows us to automatically rotate connection encryption keys, follow security policies set by your team (e.g., 2FA), and more.

Changing identity providers

If you need to change identity providers, contact support.

Unfortunately, we cannot migrate your tailnet from/to GitHub or Apple as an identity provider.

What Tailscale accesses from identity providers

Tailscale requests the minimum access needed to function. Tailscale only uses your organization’s team membership to ensure users can join the tailnet for their organization.

With the GitHub identity provider, Tailscale requests the minimum set of permissions needed to get team membership, which includes access to your repositories and project boards. Tailscale does not use any content in your repositories or project boards.

Identity provider availability by plan

Standard identity provider integrations: available on all plans
Advanced identity provider integrations: available on the Free, Premium, and Enterprise plans

  • Google
  • Microsoft
  • GitHub
  • Keycloak
  • Dex
  • GitLab self-managed
  • Ory self-hosted
  • ZITADEL Open Source
  • Authentik
  • Apple
  • Authelia
