
Integrate your Identity Provider with Teleport


You can configure Teleport so that users authenticate with an external identity provider such as Okta or GitHub. To do so, you can create a Teleport resource called an authentication connector that contains information about your IdP and configures the Teleport roles that users assume once they authenticate.

The guides in this section show you how to integrate your IdP with Teleport.

For an overview of how Teleport integrates with single sign-on providers, see Single Sign-On.

warning

Teleport Community Edition only supports GitHub as an identity provider. In Teleport Enterprise, you can integrate SAML and OIDC solutions as well. All editions support local users.

Integrating your provider

Integrating a provider with Teleport includes the following steps:

  1. Configure your IdP to register Teleport as an application, resulting in a client ID, client secret, and other data about your application.
  2. Determine a role mapping: When a user authenticates to Teleport, Teleport issues certificates containing the user's roles. A role mapping configures how Teleport selects roles for the user based on the user's GitHub teams, SAML attributes, or OIDC claims.
  3. Apply an authentication connector: The authentication connector includes information about the role mapping and Teleport application, giving Teleport the information it needs to exchange SAML, OIDC, and GitHub SSO messages with your IdP and issue certificates to users.
  4. Apply a cluster authentication preference: The cluster auth preference resource selects an SSO provider as the default authentication method for Teleport users.
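The following is an added example of steps 2 through 4 for a GitHub connector, not a resource copied from this page: the organization, team names, hostname, client ID and client secret are placeholders, and the two role mappings are assumed for illustration. Both resources can be applied with `tctl create -f <file>`.

```yaml
# Step 3: authentication connector (GitHub). Values in angle brackets are placeholders.
kind: github
version: v3
metadata:
  name: github
spec:
  # Client ID and secret issued when Teleport was registered as a GitHub OAuth app (step 1)
  client_id: <client-id>
  client_secret: <client-secret>
  # Label shown on the SSO button in the Web UI
  display: GitHub
  # Callback URL registered with GitHub; must match the Teleport Proxy address
  redirect_url: https://teleport.example.com:443/v1/webapi/github/callback
  # Step 2: role mapping. Each GitHub team a user belongs to selects Teleport roles;
  # a user in neither team receives no roles and cannot log in.
  teams_to_roles:
    - organization: example-org      # assumed organization name
      team: platform-admins          # assumed team name
      roles:
        - access
        - editor
    - organization: example-org
      team: developers               # assumed team name
      roles:
        - access
---
# Step 4: make the connector above the default login method and require a second factor.
kind: cluster_auth_preference
version: v2
metadata:
  name: cluster-auth-preference
spec:
  type: github
  connector_name: github
  second_factor: webauthn
```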

Teleport supports the following identity providers:

Provider-specific workarounds

Certain SSO providers may require or benefit from changes to Teleport's SSO flow. These provider-specific changes can be enabled by setting the spec.provider property of the connector definition to one of the following values to match your identity provider:

  • adfs (SAML): Required for compatibility with Active Directory (ADFS); refer to the full ADFS guide for details.
  • jumpcloud (SAML): Required for compatibility with JumpCloud.
  • netiq (OIDC): Used to enable NetIQ-specific ACR value processing; refer to the OIDC guide for details.
  • ping (SAML and OIDC): Required for compatibility with Ping Identity (including PingOne and PingFederate).
  • okta (OIDC): Required when using Okta as an OIDC provider.

At this time, the spec.provider field should not be set for any other identity providers.

Customizing authentication buttons

Use the display field in an authentication connector to control the appearance of SSO buttons in the Teleport Web UI.

Provider    YAML                 Example
GitHub      display: GitHub      github
Microsoft   display: Microsoft   microsoft
Google      display: Google      google
BitBucket   display: Bitbucket   bitbucket
OpenID      display: Okta        Okta