Version: 19.x (unreleased)

Teleport Feature Matrix

The Teleport feature matrix lists capabilities of the Teleport Infrastructure Identity Platform, organized by product.

The Teleport Infrastructure Identity Platform modernizes identity, access, and policy for infrastructure, for both human and non-human identities. Products include:

Teleport Zero Trust Access

Teleport Zero Trust Access provides engineers with least privileged access to applications, servers, databases, Kubernetes clusters, and other resources across distributed infrastructures.

Feature | Enterprise (Cloud) | Enterprise (Self-Hosted) | Community Edition
--- | --- | --- | ---
User identity. Authenticate users without passwords: | | |
Single Sign-On | GitHub, Google Workspace, Microsoft Entra ID, Okta, OIDC, SAML, Teleport | GitHub, Google Workspace, Microsoft Entra ID, Okta, OIDC, SAML, Teleport | GitHub
User & Group Provisioning & Deprovisioning (SCIM & custom protocols), including Okta and Entra | Available in Teleport Identity Governance | Available in Teleport Identity Governance |
Hardware Private Key Support (e.g., via YubiKey) | ✔ (external-connected HSM/KMS coming soon) | |
Resource identity. Assign a cryptographic identity to every Teleport Protected Resource: | | |
Protecting: Applications, Databases, Kubernetes Clusters, Linux Servers, Windows Servers, Windows Desktops, Cloud Consoles & Resources (AWS, Azure, GCP), GitHub | | | ✔ (does not include Oracle support)
Secure remote access. Zero-trust, auditable access to your infrastructure: | | |
Dynamic, self-updating inventory | | |
Supports SSH, RDP, Kubernetes, databases, AWS, Azure and GCP APIs and CLIs, web applications and services, and TCP endpoints for Linux, Windows and macOS | | |
Machines and workloads | Available in Teleport Machine & Workload Identity | Available in Teleport Machine & Workload Identity | Available in Teleport Machine & Workload Identity
Agentless Integration with OpenSSH Servers | | |
IP-Based Restrictions | | |
Teleport VNet | | |
Short-lived privileges. Ephemeral authorization granted through short-lived certificates: | | |
Role-Based Access Control | | |
Just-in-Time Access Requests & Reviews | Available in Teleport Identity Governance | Available in Teleport Identity Governance | Roles can only be requested through the CLI
Session recording and interactive controls. Record, replay, join, and moderate interactive sessions: | | |
Session Recording with Playback | | |
Enhanced Session Recording | | |
Recording Proxy Mode | | |
Live Sessions View | SSH, Kubernetes, Desktops, Databases | SSH, Kubernetes, Desktops, Databases | SSH, Kubernetes, Desktops, Databases
Protocol-Level Events, for all supported resources | | |
Dual Authorization | | |
Session Sharing & Moderation | | |
Identity-based audit events: | | |
Structured Audit Logs | | |
Export to SIEM | | |
Regulatory standards and frameworks: | | |
FedRAMP Control | | |
FIPS-compliant binaries for FedRAMP (Low, Moderate, High) | | |
DORA, SOX, ISO, NIS2, PCI DSS, SOC 2, HIPAA, NIST | | | Limited

Teleport Machine & Workload Identity

Teleport Machine & Workload Identity is a non-human identity management solution that secures machine-to-machine communication with short-lived certificates, access control, and auditability.

Feature | Enterprise (Cloud) | Enterprise (Self-Hosted) | Community Edition
--- | --- | --- | ---
Service Discovery: Live inventory of machine and workload identities for CI/CD jobs, microservices, and others | | |
Issuance: Provisions cryptographic identities for machines and workloads, eliminating anonymous computing and the need for static, over-privileged users, and automating certificate rotation | | |
Secretless Authentication: Eliminates the need for API keys and long-term secrets with short-lived certificates | | |
Ephemeral Authorization: Granular ABAC/RBAC for workload interactions | | |
Auditability: Audit data, exportable to SIEMs, for compliance reporting & reviews | | |
Integration: Supports open-source policy agents, dev tool APIs, and cloud IAM. Others include Jenkins, GitHub Actions, Terraform Cloud, AWS IAM Roles Anywhere and more | | |
HSM and TPM support for bootstrapping, joining, and encryption | | |
Open standards (JWT, SPIFFE, X.509 and others) to avoid vendor lock-in | | |
External PKI integration: Configure an external PKI hierarchy to use for issuing SPIFFE SVIDs | | |
Sigstore attestation: Enforce validation of container supply-chain security when issuing SPIFFE SVIDs | | |

Teleport Identity Governance

Teleport Identity Governance hardens and monitors both human and non-human identities.

Feature | Enterprise (Cloud) | Enterprise (Self-Hosted) | Community Edition
--- | --- | --- | ---
JIT Access Requests: Grant only the privileges necessary to complete the task at hand, removing the need for super-privileged accounts | | | Roles can only be requested through the CLI
Automatic Access Requests & Approvals: Automate pre-defined workflows based on RBAC, ABAC, or context-based authorization | | |
Access Lists & Access Reviews: Review access requests using Slack, PagerDuty, Microsoft Teams, Jira and ServiceNow. Assign managers, automate mandatory reviews, and implement custom review logic using the API and Go SDK. Integrates with AWS IAM Identity Center | | |
Session & Identity Locks: Lock suspicious or compromised identities and stop all their activity across all protocols and services | | |
Device Trust: Require an up-to-date, registered device for each authentication. Teleport uses TPMs and secure enclaves to give every device a cryptographic identity. Restrict further by resource or MDM authorization | | |
User & Group Provisioning & Deprovisioning (SCIM & custom protocols), including Okta and Entra | | |
Access Monitoring & Response: Detect overly broad privileges and inspect sessions that are not using strong protection, such as multi-factor authentication or device trust. Alert on access violations and purge unused permissions with automated access rules | | |
Okta integration: Configure Teleport to import and grant access to Okta applications and user groups | | |
Microsoft Entra ID directory synchronization and SSO integration | | |

Teleport Identity Security

Teleport Identity Security identifies & mitigates risk in access paths.

Feature | Enterprise (Cloud) | Enterprise (Self-Hosted) | Community Edition
--- | --- | --- | ---
Access Graph: Import and analysis of AWS, Azure, Okta, Microsoft Entra, GitLab and AWS IAM roles | | |
Discover secrets, SSH key scanning | | |
Discover standing privileges | | |
Analyze shadow access and drift of security posture | | |
Investigate identity vulnerabilities and potential exposures | | |
Monitor critical assets with Crown Jewel Alerting | | |

Platform integrations, management, licensing, and deployment

Feature | Enterprise (Cloud) | Enterprise (Self-Hosted) | Community Edition
--- | --- | --- | ---
Integrations: | | |
Infrastructure as Code (IaC): Terraform, Kubernetes Operator | | |
Cloud Providers: AWS, Azure, GCP | | |
Security Information & Event Management (SIEM): Elastic, Splunk, Panther, and anything else that integrates with Fluentd | | |
ITSM: ServiceNow, Jira | | |
Access Request Integration: Slack, Teams, Discord, Mattermost, PagerDuty, Opsgenie, Email | | |
Hardware Private Key Support (e.g., via YubiKey) | ✔ (external-connected HSM/KMS coming soon) | |
Hardware Security Module support for encryption at rest | ✔ (external-connected HSM/KMS coming soon) | |
Management and licensing: | | |
Annual or multi-year contracts, volume discounts | | |
Anonymized Usage Tracking | | | Opt-in
Backend support | All data is stored in DynamoDB and S3 with server-side encryption. | Any S3-compatible storage for session records; many managed backends for custom audit log storage. | Any S3-compatible storage for session records; many managed backends for custom audit log storage.
Multi-region failover using CockroachDB | | |
Data storage location | Data is stored in Teleport's AWS infrastructure, with audit logs and session recordings optionally in customer AWS accounts. Proxy Service instances are deployed across the world for low-latency access. | Can store data anywhere in the world, on most managed cloud backends. | Can store data anywhere in the world, on most managed cloud backends.
License | Commercial | Commercial | Commercial for binaries, with restrictions: free usage for companies with <100 employees and <US$10M annual revenue. Code on GitHub distributed under AGPL-3.0.
Publicly accessible domain name | A subdomain of teleport.sh | Custom | Custom
Support | 24x7 (Severity 1) support with premium SLAs and account managers | 24x7 (Severity 1) support with premium SLAs and account managers | Slack community
Version support | Deploys the last stable release with a 2-3 week lag for stability. | All supported releases available to install and download. | All supported releases available to install and download.
Deployment options: | | |
Teleport Cloud deployment | | |
Self-hosted deployment | | |
Multi-Region High Availability | ✔ (Teleport service) | ✔ (customer-implemented, via a supported blueprint) |
FIPS-compliant binaries available for FedRAMP, including Low, Moderate & High | | |