Supported SSO identity providers (Google, AzureAD, GitHub, Okta, etc.)
Tailscale works on top of the SSO/IDP/IAM identity provider you or your company already use.
Tailscale supports these identity providers for logging in:
- Gmail / Google Workspace / GSuite
- Office365 / Active Directory / Azure AD (including Microsoft Accounts)
- Okta (Okta activation instructions)
- OneLogin (OneLogin activation instructions)
- Custom OIDC or SAML providers
When you activate your company’s domain name with Tailscale for the first time, one of the steps is to choose which identity provider you want to use.
Once you’ve authenticated a Tailscale client by connecting it to your identity provider, it automatically exchanges keys and connectivity information and connects to other Tailscale clients on your network, subject to your security policy.
Tailscale never handles authentication itself. Instead, you can enable 2FA/MFA features in your single sign-on identity provider, and they will apply to all your apps, including Tailscale.
We don’t support sign-up with email addresses. By design, Tailscale is not an identity provider: there are no Tailscale passwords.
Using an identity provider is not only more secure than email and password, but it also allows us to automatically rotate connection encryption keys, follow security policies set by your team (e.g., 2FA), and more.
If you need to change identity providers, contact support.
Tailscale requests the minimum access needed to function. Tailscale only uses your organization’s team membership to ensure users can join the tailnet for their organization.
With the GitHub identity provider, Tailscale requests the minimum set of permissions needed to get team membership, which includes access to your repositories and project boards. Tailscale does not use any content in your repositories or project boards.