Teleport Feature Matrix
The Teleport feature matrix lists capabilities of the Teleport Infrastructure Identity Platform, organized by product.
The Teleport Identity Infrastructure Platform modernizes identity, access, and policy for infrastructure, for both human and non-human identities. Products include:
- Teleport Zero Trust Access
- Teleport Machine & Workload Identity
- Teleport Identity Governance
- Teleport Identity Security
Teleport Zero Trust Access
Teleport Zero Trust Access provides engineers with least privileged access to applications, servers, databases, Kubernetes clusters, and other resources across distributed infrastructures.
| Enterprise (Cloud) | Enterprise (Self-Hosted) | Community Edition | |
|---|---|---|---|
| User identity. Authenticate users without passwords: | |||
| Single Sign-On | GitHub, Google Workspace, Microsoft Entra ID, Okta, OIDC, SAML, Teleport | GitHub, Google Workspace, Microsoft Entra ID, Okta, OIDC, SAML, Teleport | GitHub |
| User & Group Provisioning & Deprovisioning (SCIM & Custom Protocols), including Okta and Entra | Available In Teleport Identity Governance | Available In Teleport Identity Governance | ✖ |
| Hardware Private Key Support (e.g., via YubiKey) | ✔ (External-connected HSM/KMS coming soon) | ✔ | ✖ |
| Per-Session MFA | ✔ | ✔ | ✔ |
| Resource identity. Assign a cryptographic identity to every Teleport Protected Resource: | |||
| Protecting: Applications, Databases, Kubernetes Clusters, Linux Servers, Windows Servers, Windows Desktops, Cloud Consoles & Resources (AWS, Azure, GCP), GitHub | ✔ | ✔ | ✔ (does not include Oracle support) |
| Secure remote access. Zero-trust, auditable access to your infrastructure: | |||
| Dynamic, self-updating inventory | ✔ | ✔ | ✔ |
| Supports SSH, RDP, Kubernetes, Databases, AWS, Azure, GCP API and CLI, Web applications and services, TCP endpoints for Linux, Windows and MacOS. | ✔ | ✔ | ✔ |
| Machines and workloads | Available in Teleport Machine & Workload Identity | Available in Teleport Machine & Workload Identity | Available in Teleport Machine & Workload Identity |
| Agentless Integration with OpenSSH Servers | ✔ | ✔ | ✔ |
| IP-Based Restrictions | ✔ | ✔ | ✖ |
| Teleport VNet | ✔ | ✔ | ✔ |
| Short-lived privileges. Ephemeral authorization granted through short-lived certificates: | |||
| Role-Based Access Control | ✔ | ✔ | ✔ |
| Just-in-Time Access Requests & Reviews | Available in Teleport Identity Governance | Available in Teleport Identity Governance | Only can request roles through CLI |
| Session recording and interactive controls. Record, replay, join, and moderate interactive sessions: | |||
| Session Recording with Playback | ✔ | ✔ | ✔ |
| Enhanced Session Recording | ✔ | ✔ | ✔ |
| Recording Proxy Mode | ✖ | ✔ | ✔ |
| Live Sessions View | SSH, Kubernetes, Desktops, Databases | SSH, Kubernetes, Desktops, Databases | SSH, Kubernetes, Desktops, Databases |
| Protocol-Level Events, for all supported resources | ✔ | ✔ | ✔ |
| Dual Authorization | ✔ | ✔ | ✖ |
| Session Sharing & Moderation | ✔ | ✔ | ✖ |
| Identity-based audit events: | |||
| Structured Audit Logs | ✔ | ✔ | ✔ |
| Export to SIEM | ✔ | ✔ | ✔ |
| Regulatory standards and frameworks: | |||
| FedRAMP Control | ✖ | ✔ | ✖ |
| FIPS-compliant binaries for FedRAMP (Low, Moderate, High) | ✖ | ✔ | ✖ |
| DORA, SOX, ISO, NIS2, PCI DSS, SOC 2, HIPAA, NIST | ✔ | ✔ | Limited |
Teleport Machine & Workload Identity
Teleport Machine & Workload Identity is a non-human identity management solution that secures machine-to-machine communication with short-lived certificates, access control, and auditability.
| Enterprise (Cloud) | Enterprise (Self-Hosted) | Community Edition | |
|---|---|---|---|
| Service Discovery: Live inventory of machine and workload identities for CI/CD jobs, microservices, and others | ✔ | ✔ | ✔ |
| Issuance: Provisions cryptographic identities for machines and workloads, eliminating anonymous computing and the need for static over-privileged users and automating certificate rotation | ✔ | ✔ | ✔ |
| Secretless Authentication: Eliminates the need for API keys and long-term secrets with short-lived certificates. | ✔ | ✔ | ✔ |
| Ephemeral Authorization: With granular ABAC/RBAC for workload interactions | ✔ | ✔ | ✔ |
| Auditability: Audit data, exportable to SIEMs, for compliance reporting & reviews | ✔ | ✔ | ✔ |
| Integration: Supports open-source policy agents, dev tool APIs, and Cloud IAM. Others include Jenkins, Github actions, Terraform Cloud, AWS Roles anywhere and more. | ✔ | ✔ | ✔ |
| HSM and TPM support for bootstrapping, joining, and encryption | ✔ | ✔ | ✖ |
| Open Standards - JWT, SPIFFE, x509 and others to avoid vendor lock-in | ✔ | ✔ | ✔ |
| External PKI integration: Configure an external PKI hierarchy to use for issuing SPIFFE SVIDs | ✔ | ✔ | ✖ |
| Sigstore attestation: Enforce validation of container supply-chain security when issuing SPIFFE SVIDs | ✔ | ✔ | ✖ |
Teleport Identity Governance
Teleport Identity Governance hardens and monitors identities for both human and non-human identities.
| Enterprise (Cloud) | Enterprise (Self-Hosted) | Community Edition | |
|---|---|---|---|
| JIT Access Requests: Grant only those privileges necessary to complete the task at hand. Remove the need for super-privileged accounts. | ✔ | ✔ | Only can request roles through CLI |
| Automatic Access Requests & Approvals: Automate pre-defined workflows based on RBAC, ABAC, or context-based authorization. | ✔ | ✔ | ✖ |
| Access Lists & Access Reviews: Review access requests using Slack, PagerDuty, Microsoft Teams, Jira and ServiceNow. Assign managers, automate mandatory reviews, and implement custom review logic using our API and Go SDK. Integrates with AWS Identity Center. | ✔ | ✔ | ✖ |
| Session & Identity Locks: Lock suspicious or compromised identities and stop all their activity across all protocols and services. | ✔ | ✔ | ✖ |
| Device Trust: Require an up-to-date, registered device for each authentication. Teleport uses TPMs and secure enclaves to give every device a cryptographic identity. Restrict further by resource or MDM-authorization. | ✔ | ✔ | ✖ |
| User & Group Provisioning & Deprovisioning (SCIM & Custom Protocols), including Okta and Entra | ✔ | ✔ | ✖ |
| Access Monitoring & Response: Detect overly broad privileges and inspect sessions that are not using strong protection, such as multi-factor authentication or device trust. Alert on access violations and purge unused permissions with automated access rules. | ✔ | ✔ | ✖ |
| Okta integration: Configure Teleport to import and grant access to Okta applications and user groups. | ✔ | ✔ | ✖ |
| Microsoft Entra ID directory synchronization and SSO integration | ✔ | ✔ | ✖ |
Teleport Identity Security
Teleport Identity Security identifies & mitigates risk in access paths.
| Enterprise (Cloud) | Enterprise (Self-Hosted) | Community Edition | |
|---|---|---|---|
| Access Graph: Import and analysis of AWS, Azure, Okta, Microsoft Entra, GitLab and AWS IAM roles | ✔ | ✔ | ✖ |
| Discover secrets, SSH Key Scanning | ✔ | ✔ | ✖ |
| Discover standing privileges | ✔ | ✔ | ✖ |
| Analyze shadow access and drift of security posture | ✔ | ✔ | ✖ |
| Investigate identity vulnerabilities and potential exposures | ✔ | ✔ | ✖ |
| Monitor critical assets with Crown Jewel Alerting | ✔ | ✔ | ✖ |
Platform integrations, management, licensing, and deployment
| Enterprise (Cloud) | Enterprise (Self-Hosted) | Community Edition | |
|---|---|---|---|
| Integrations: | |||
| Infrastructure as Code (IaC): Terraform, K8s Operator | ✔ | ✔ | ✔ |
| Cloud Providers: AWS, Azure, GCP | ✔ | ✔ | ✔ |
| Security Information & Event Management (SIEM): Elastic, Splunk, Panther, and anything else that integrates with Fluentd | ✔ | ✔ | ✔ |
| ITSM: ServiceNow, JIRA | ✔ | ✔ | ✖ |
| Access Request Integration: Slack, Teams, Discord, Mattermost, PagerDuty, Opsgenie, Email | ✔ | ✔ | ✔ |
| Hardware Private Key Support (e.g., via YubiKey) | ✔ (External-connected HSM/KMS coming soon) | ✔ | ✖ |
| Hardware Security Module support for encryption at rest | ✔ (External-connected HSM/KMS coming soon) | ✔ | ✖ |
| Management and licensing: | |||
| Annual or multi-year contracts, volume discounts | ✔ | ✔ | ✖ |
| Anonymized Usage Tracking | ✔ | ✔ | Opt-in |
| Backend support | All data is stored in DynamoDB and S3 with server-side encryption. | Any S3-compatible storage for session records, many managed backends for custom audit log storage | Any S3-compatible storage for session records, many managed backends for custom audit log storage. |
| Multi-region failover using Cockroach DB | ✔ | ✔ | ✖ |
| Data storage location | Data is stored in Teleport's AWS infrastructure with audit logs/sessions optionally in customer AWS accounts. Proxy Service instances are deployed across the world for low-latency access. | Can store data anywhere in the world, on most managed cloud backends | Can store data anywhere in the world, on most managed cloud backends |
| License | Commercial | Commercial | Commercial for binaries, with restrictions: Free usage for companies with <100 employees and <US$10M annual revenue. Code on GitHub distributed via AGPL-3.0 |
| Publicly accessible domain name | A subdomain of teleport.sh | Custom | Custom |
| Support | 24x7 (Severity 1) support with premium SLAs and account managers. | 24x7 (Severity 1) support with premium SLAs and account managers | Slack community |
| Version support | Deploys last stable release with 2-3 week lag for stability. | All supported releases available to install and download. | All supported releases available to install and download. |
| Deployment options: | |||
| Teleport cloud deployment | ✔ | ✖ | ✖ |
| Self-hosted deployment | ✖ | ✔ | ✔ |
| Multi-Region High Availability | ✔ (Teleport service) | ✔ (Customer-implemented, via a supported blueprint) | ✖ |
| FIPS-compliant binaries available for FedRAMP, including Low, Moderate & High | ✖ | ✔ | ✖ |