On-demand access with ConductorOne

ConductorOne is a security platform that allows you to manage access requests for your Tailscale entitlements.

On-demand access to Tailscale resources can be provisioned using ConductorOne. This works by adding and removing members from groups, access rules, and SSH access rules defined in Tailscale ACLs.

ConductorOne can also be used with user & group provisioning to update the membership of Okta groups that are referenced in Tailscale ACLs, or to assign users to the Tailscale application in Okta.

You can connect multiple tailnets to ConductorOne simultaneously.

Prerequisites

Before you begin this guide, you’ll need a tailnet and a ConductorOne account.

Integration

See the full instructions in ConductorOne’s blog post for setting up an integration with Tailscale.

To use ConductorOne with Tailscale, you’ll need to:

  1. Generate a Tailscale API key from the keys page of the admin console.
  2. In ConductorOne, select the Tailscale integration and then click Add Connector.
    1. Choose the option to Create a new app.
    2. Set the Tailscale API key to the API key you generated.
    3. Set the Tailnet to your tailnet’s organization. For example, example.com, myemail@example.com, example.github, example.org.github, etc. You can find your organization in the Settings page of the admin console.

ConductorOne will automatically identify all the users in the tailnet and parse the existing access rules in Tailscale ACLs, including SSH access rules, as entitlements in ConductorOne. For each entitlement, such as a group membership or an SSH access rule, the application owner in ConductorOne can specify whether to restrict access by time and whether to use the default application grant policy.
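The following Python script is an added example, not Tailscale's or ConductorOne's code. It models the mechanism described above: a policy file's groups, access rules and SSH access rules are viewed as per-user entitlements, and on-demand access is granted or revoked by adding or removing a user from a group. The sample policy, the function names and the matching logic are all assumptions made for illustration; the script reads the plain-JSON subset of Tailscale's HuJSON policy format.

```python
"""Entitlement view of a Tailscale policy file, plus group add/remove.

Added example, not Tailscale's or ConductorOne's code. It models how
on-demand access works: a user is added to a group, access rule or SSH
access rule in the tailnet policy to grant access, and removed again to
revoke it. The policy below is a constructed sample.
"""
import copy
import json

# Constructed sample policy. It uses the plain-JSON subset of Tailscale's
# HuJSON policy format (no comments or trailing commas) so json.loads works.
SAMPLE_POLICY = json.loads("""
{
  "groups": {
    "group:eng":    ["alice@example.com"],
    "group:oncall": ["bob@example.com"]
  },
  "acls": [
    {"action": "accept", "src": ["group:eng"],                         "dst": ["tag:dev:*"]},
    {"action": "accept", "src": ["group:oncall", "carol@example.com"], "dst": ["tag:prod:443"]}
  ],
  "ssh": [
    {"action": "accept", "src": ["group:oncall"], "dst": ["tag:prod"], "users": ["autogroup:nonroot"]}
  ]
}
""")


def groups_of(policy, user):
    """Groups in the policy that list `user` as a member."""
    return sorted(g for g, members in policy.get("groups", {}).items() if user in members)


def _src_matches(entry, user, user_groups):
    # A rule applies to a user when its src names the user, one of their
    # groups, or everyone ("*" / autogroup:member). Device selectors such as
    # tags are not user entitlements and are ignored in this view.
    return entry in (user, "*", "autogroup:member") or entry in user_groups


def entitlements(policy, user):
    """Entitlements `user` holds: group memberships and the indexes of the
    access rules and SSH rules that apply to them, directly or via a group."""
    user_groups = set(groups_of(policy, user))
    applies = lambda rule: any(_src_matches(s, user, user_groups) for s in rule.get("src", []))
    return {
        "groups": sorted(user_groups),
        "acls": [i for i, r in enumerate(policy.get("acls", [])) if applies(r)],
        "ssh": [i for i, r in enumerate(policy.get("ssh", [])) if applies(r)],
    }


def add_group_member(policy, group, user):
    """Return a new policy with `user` added to `group` (a grant). The input
    policy is left untouched so before/after can be compared."""
    if group not in policy.get("groups", {}):
        raise ValueError(f"unknown group {group!r}; refusing to create one implicitly")
    new = copy.deepcopy(policy)
    if user not in new["groups"][group]:
        new["groups"][group].append(user)
    return new


def remove_group_member(policy, group, user):
    """Return a new policy with `user` removed from `group` (a revoke)."""
    new = copy.deepcopy(policy)
    if group in new.get("groups", {}):
        new["groups"][group] = [m for m in new["groups"][group] if m != user]
    return new


def access_delta(before, after, user):
    """What a policy change grants or revokes for `user`, per entitlement kind.
    Checking this on revoke confirms a time-limited grant was fully undone
    rather than leaving extra access behind."""
    b, a = entitlements(before, user), entitlements(after, user)
    return {k: {"granted": sorted(set(a[k]) - set(b[k])),
                "revoked": sorted(set(b[k]) - set(a[k]))} for k in b}


if __name__ == "__main__":
    user = "alice@example.com"
    granted = add_group_member(SAMPLE_POLICY, "group:oncall", user)
    print("before:", entitlements(SAMPLE_POLICY, user))
    print("delta: ", json.dumps(access_delta(SAMPLE_POLICY, granted, user)))
    print("restored after revoke:", remove_group_member(granted, "group:oncall", user) == SAMPLE_POLICY)
```

Adding a user to one group can change several entitlements at once (here, membership in group:oncall also brings in an access rule and an SSH rule), which is why the delta is computed over all three rule kinds rather than just the group list.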

Now a user can request access to a specific Tailscale entitlement through the Request access page of ConductorOne and through Slack.


© 2022 Tailscale Inc.
