[api]

Anything authenticated with SSO can be accessed by the SSO provider since they're able to approve any authorization, which means they can just log into all your stuff.

So e.g. if you use "log in with Google" on a web site, Google now has access to your account too (if they behaved badly or were compromised).

Spreading SSO auth everywhere gives the SSO provider login access to absolutely everything you have.

[coconut08]

wait so if i authenticate tailscale using google and enable tailscale ssh's google can just log into any of my tailscale ssh servers?

[api]

I have not tried Tailscale SSH or looked at it deeply, but as a general rule the answer is yes if the system is using delegated SSO alone to authenticate. (What I don't know is whether TS SSH supports any secondary methods like a password or SSH auth forwarding.)

You are delegating authentication, so your delegated authenticator can authenticate anything they want.

I feel like a large number of people adopting SSO/IAM systems don't fully understand this. If they do understand and are making a cost/benefit based choice to do this that's one thing, but... I think people should understand.

[dvzk]

I've never used or examined Tailscale either, but I assumed that:

- Tailnet traffic needs to be associated with an approved device key

- Tailnet device addition needs to be signed by the offline key of another approved device

If a compromised control plane and/or SSO provider can add and approve devices on their own then the security architecture of Tailscale would be fundamentally broken. I wouldn't even call it end-to-end encrypted.