Configuring a Tailscale SSO connection is pretty straightforward but there are a couple of gotchas to watch out for. First, neither JumpCloud nor Tailscale consider each other a primary vendor so you have to use custom connections. Second, Tailscale only supports OIDC and not SAML, like most of the other JumpCloud SSO applications.
Preparation:
According to the Tailscale docs you need a WebFinger file configured on your domain.
Here are some tips:
- It must be located at https://your.domain/.well-known/webfinger
- It must be served with a "content-type" of "application/json"
- It is only used during the initial OIDC config so you should use your email address (or whoever is setting up the connection) in the "subject"
- If your using Wordpress and your hosting provider then you have to open a support ticket to get "./well-known/webfinger" added to your site
- It should look like this:
{
"links": [
{
"href": "https://oauth.id.jumpcloud.com/",
"rel": "http://openid.net/specs/connect/1.0/issuer"
}
],
"subject": "acct:your_name@your.domain"
}
JumpCloud Steps:
- Create a new OIDC SSO application in JumpCloud
- Make note of the Client ID and Client Secret, you'll need these later
- Fill out the JumpCloud OIDC Configuration:
- Grant Types: Refresh Token checked
- Client ID: paste in from step #2
- Redirect URLs: https://login.tailscale.com/a/oauth_response
- Client Authentication Type: Client Secret Basic
- Login URL: https://login.tailscale.com
- Attribute Mapping: select both Email and Profile; the default mappings should be fine
Tailscale Steps:
- Open a support ticket and select "Identity Provider configuration or change"
- Fill out the information in the form; you'll need the Client ID and Secret from JumpCloud step #2
- Make sure you uncheck all the selections for the "consent" prompt, don't select anything
- Wait for Tailscale support to send you an email telling you that everything is ready to test
- Done
