Showing results for 
Search instead for 
Did you mean: 

Tailscale SSO OIDC

Novitiate III

Configuring a Tailscale SSO connection is pretty straightforward but there are a couple of gotchas to watch out for.  First, neither JumpCloud nor Tailscale consider each other a primary vendor so you have to use custom connections.  Second, Tailscale only supports OIDC and not SAML, like most of the other JumpCloud SSO applications.


According to the Tailscale docs you need a WebFinger file configured on your domain.   

Here are some tips: 

  • It must be located at https://your.domain/.well-known/webfinger
  • It must be served with a "content-type" of "application/json"
  • It is only used during the initial OIDC config so you should use your email address (or whoever is setting up the connection) in the "subject"
  • If your using Wordpress and your hosting provider then you have to open a support ticket to get "./well-known/webfinger" added to your site
  • It should look like this:




    "links": [
            "href": "",
            "rel": ""
    "subject": "acct:your_name@your.domain"




JumpCloud Steps:

  1. Create a new OIDC SSO application in JumpCloud
  2. Make note of the Client ID and Client Secret, you'll need these later
  3. Fill out the JumpCloud OIDC Configuration:
    1. Grant Types: Refresh Token checked
    2. Client ID: paste in from step #2
    3. Redirect URLs:
    4. Client Authentication Type: Client Secret Basic
    5. Login URL:
    6. Attribute Mapping: select both Email and Profile; the default mappings should be fine

Tailscale Steps:

  1. Open a support ticket and select "Identity Provider configuration or change"
  2. Fill out the information in the form; you'll need the Client ID and Secret from JumpCloud step #2
  3. Make sure you uncheck all the selections for the "consent" prompt, don't select anything
  4. Wait for Tailscale support to send you an email telling you that everything is ready to test
  5. Done