Fork me on GitHub


Teleport Enterprise

  • Available for:
  • Enterprise

Teleport Enterprise is a commercial product built around Teleport's open source core.

The table below gives a quick overview of the benefits of Teleport Enterprise.

Teleport Enterprise FeatureDescription
Single Sign-On (SSO)Allows Teleport to integrate with existing enterprise identity systems. Examples include Active Directory, GitHub, Google Apps and numerous identity middleware solutions like Auth0, Okta, and so on. Teleport supports SAML and OAuth/OpenID Connect protocols to interact with them.
Access RequestsRequest elevated access to roles or specific resources.
FedRAMP/FIPSAccess controls to meet the requirements in a FedRAMP System Security Plan (SSP). This includes a FIPS 140-2 friendly build of Teleport Enterprise as well as a variety of improvements to aid in complying with security controls even in FedRAMP High environments.
Hardware Security Module supportThe Teleport Auth Service can use your organization's HSM to generate TLS credentials, ensuring a highly reliable and secure public key infrastructure.
Moderated SessionsAllow or require moderators to be present in SSH or Kubernetes sessions.
Commercial SupportSupport SLA with guaranteed response times.
Contact Information

To get started with self-hosted Teleport Enterprise, contact sales.

You can also sign up for a free trial of Teleport Team, which manages the Auth Service and Proxy Service for you. You can then upgrade your account to Teleport Enterprise Cloud.


The commercial edition of Teleport allows users to retrieve their SSH credentials via a single sign-on (SSO) system used by the rest of the organization.

Examples of supported SSO systems include commercial solutions like Okta, Auth0, SailPoint, OneLogin Active Directory, as well as open source products like Keycloak. Other identity management systems are supported as long as they provide an SSO mechanism based on either SAML or OpenID Connect.

How does SSO work with SSH?

From the user's perspective they need to execute the following command to retrieve their SSH certificate.

tsh login

Teleport can be configured with a certificate TTL to determine how often a user needs to log in.

tsh login will print a URL into the console, which will open an SSO login prompt, along with the 2FA, as enforced by the SSO provider. If a user supplies valid credentials, Teleport will issue an SSH certificate.

Moreover, SSO can be used in combination with role-based access control (RBAC) to enforce SSH access policies like "developers must not touch production data". See the SSO chapter for more details.


With Teleport we have built the foundation to meet FedRAMP requirements for the purposes of accessing infrastructure. This includes support for FIPS 140-2, also known as the Federal Information Processing Standard, which is the US government approved standard for cryptographic modules.

Enterprise customers can download the custom FIPS package from their Teleport account.

Look for Linux 64-bit (FedRAMP/FIPS).

Using teleport start --fips Teleport will start in FIPS mode, Teleport will configure the TLS and SSH servers with FIPS compliant cryptographic algorithms. In FIPS mode, if non-compliant algorithms are chosen, Teleport will fail to start. In addition, Teleport checks if the binary was compiled against an approved cryptographic module (BoringCrypto) and fails to start if it was not.

See our FedRAMP Compliance for Infrastructure Access guide for more information.

Access Requests

With Teleport, users can request access to roles or to a specific set of resources such as a production server. Requests can be published to tools like Slack, Jira, and PagerDuty for easy integration with your organization's workflows. Teleport Enterprise's web interface also provides for creating and approving access requests.

See Access Requests Guide for more information

Hardware Security Module support

Teleport relies on a TLS private key and certificate in order to encrypt traffic and authenticate clients. With Teleport Enterprise, you can configure Teleport to use TLS credentials based on your organization's Hardware Security Module, improving the security and reliability of Teleport's public key infrastructure.

See HSM Support for more information.

Moderated Sessions

Moderated Sessions are SSH or Kubernetes sessions that certain Teleport users can participate in, observe, or terminate at will.

Teleport administrators can configure a role so that, when a user with the role starts a session, another user must join the session, satisfying your organization's security requirements.

It is also possible to configure a role to allow another user to join a session, which is useful for teams that need to collaborate at the terminal.

See Moderated Sessions for more information.

Dedicated account dashboard

Teleport Enterprise subscriptions include a dedicated account dashboard with their preferred subdomain of The dedicated account dashboard provides subscription administrators access to the license file, support links and Teleport Enterprise binary downloads.

License file

Commercial Teleport subscriptions require a valid license. See Enterprise License File for how to manage the file in your Teleport Enterprise deployment.

Next steps

To get started with Teleport Enterprise, read our deployment guides. You will learn how to deploy a high-availability, self-hosted Teleport cluster on your platform.

Unless your organization requires the Enterprise-specific features we outlined above, you can use Teleport Enterprise Cloud to achieve secure access to your infrastructure without needing to maintain the Auth and Proxy Services.

Sign up for a free trial of Teleport Team, which you can upgrade to a Teleport Enterprise Cloud account.