Integrate Tailscale with Zero Trust Network Access

In this topic, you will find general instructions on how to integrate Tailscale with Portnox™ Zero Trust Network Access.

Important:

Tailscale requires that the identity provider includes an email claim in the ID token or makes it available via the UserInfo endpoint. For example, if you use Entra ID as your identity provider, ensure that users who need to authenticate with Tailscale have the Email attribute populated in their Entra ID user profile.

Create a Portnox Cloud application configuration

In this step, you will create a configuration in Portnox Cloud that will contain all the information necessary to integrate with Tailscale.

In a new tab of your browser, open your Portnox Cloud account by accessing the following URL: https://clear.portnox.com/
From now on, we will call this tab the Portnox tab.
In the Cloud portal top menu, click on the Zero Trust Resources option.
On the Resources screen, click on the Create resource button.
1. In the What type of resource is this? section, select the SSO web resource option.
2. In the Authentication protocol section, select the SAML option.
3. Click on the Next button.
Optional: If you have more than one OIDC identity provider configured, select the identity provider in the Select an identity provider to use for this resource section.
In the Resource details section, enter a Resource name and optionally a Description.

In this example, we used the name Tailscale for the new application configuration but you can use any name you like.
Keep this browser tab open. You will need it later.

Create a WebFinger endpoint for Tailscale

In this section, you will create a file that will serve as a WebFinger endpoint for Tailscale, and upload this file to your web server.

When signing up for Tailscale using an OIDC identity provider, you must serve a WebFinger endpoint from your web server to prove that you are the owner of the domain. For example, if you sign up as kosh@vorlon.com, you must serve the endpoint from the following URL: https://vorlon.com/.well-known/webfinger. Make sure that you have access to the web server and can create the relevant file when signing up for Tailscale.

In a text editor of your choice, create a text file with the following content:

{
  "subject": "acct:EMAIL",
  "links": [
    {
      "rel": "http://openid.net/specs/connect/1.0/issuer",
      "href": "ISSUER"
    }
  ]
}

In the Portnox tab, click on the icon next to the Issuer field to copy the value to your clipboard.
Replace the ISSUER string in the file with the value you just copied from the Portnox tab.
Replace the EMAIL string in the file with the email address that you will use to sign up for Tailscale.

Note:
Remember to use an email that is in the same domain as the web server that will serve this file as a WebFinger endpoint.
Save the file on your local disk as webfinger (no extension).
Access your web server using FTP, Git, a third-party application, or any other means necessary depending on your provider. Then, perform the following actions on the web server:
1. Create a .well-known directory in the root directory of your web server.
2. Upload the webfinger file to the .well-known directory.
Optional: Test if the WebFinger endpoint is served correctly:
1. Go to the webfinger.net website.
2. In the Lookup WebFinger field, enter the email address that you will use to sign up for Tailscale, and then click on the icon.
3. In the JSON Resource Descriptor (JRD) section, you should see your WebFinger file.

Sign up for Tailscale using a custom OIDC identity provider

In this section, you will sign up for a new Tailscale tenant using Portnox as a custom OIDC identity provider.

Note:

If you already have a Tailscale tenant and you use an identity provider with your custom domain, you can only switch that identity provider to Portnox by contacting Tailscale support. For more information about this, refer to official Tailscale documentation.

In another tab of your browser, open the Tailscale signup page by accessing the following URL: https://login.tailscale.com/start/oidc.

From now on, we will call this tab the Tailscale tab.
In the Email address field, enter the email address that you want to use to sign up for Tailscale.
Click on the Get OIDC Issuer button.
In the Portnox tab, click on the ⧉ icon next to the Client ID field to copy the value to your clipboard.
In the Tailscale tab, paste the copied value into the Client ID field.
In the Portnox tab, click on the ⧉ icon next to the Client Secret field to copy the value to your clipboard.

Warning:
You will not be able to copy this value later. We recommend that you store it in a safe location for the future, for example, using a password manager application.
In the Tailscale tab, paste the copied value into the Client secret field.
In the Portnox tab, paste the following value into the Allowed Callback URI field: https://login.tailscale.com/a/oauth_response.

Finalize the configuration

In this section, you will finalize the configuration in Portnox Cloud and Tailscale.

Finalize the configuration in the Portnox tab.
1. Optional: Click on the Next button, and in the Policy enforcement section, in the Device risk assessment section, change the setting to Override with custom policy and then select a risk assessment policy if you want to assess risk with this application using a custom risk assessment policy, and in the Access control section, change the setting to Override with custom policy and then select an access control policy if you want to control access to this application using a custom access control policy.
2. Scroll all the way down to the end of the page, and then click on the Add resource button.
Finalize the configuration in the Tailscale tab.
1. Click on the Sign up with OIDC button.

Result: You have configured Tailscale to be accessible using Portnox Zero Trust Network Access.