I have not tried Tailscale SSH or looked at it deeply, but as a general rule the answer is yes if the system is using delegated SSO alone to authenticate. (What I don't know is whether TS SSH supports any secondary methods like a password or SSH auth forwarding.)
You are delegating authentication, so your delegated authenticator can authenticate anything they want.
I feel like a large number of people adopting SSO/IAM systems don't fully understand this. If they do understand and are making a cost/benefit-based choice to do this that's one thing, but... I think people should understand.
I've never used or examined Tailscale either, but I assumed that:
- Tailnet traffic needs to be associated with an approved device key
- Tailnet device addition needs to be signed by the offline key of another approved device
If a compromised control plane and/or SSO provider can add and approve devices on their own then the security architecture of Tailscale would be fundamentally broken. I wouldn't even call it end-to-end encrypted.
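The device-approval rule assumed in the post above, written out as an added toy model (this is illustrative code, not Tailscale's implementation, and the type and function names are invented): a control plane can only admit a node key if it also presents a valid signature over that key from an offline signing key that was designated in advance, so a compromised control plane or SSO provider cannot approve devices on its own.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// Tailnet is a toy model (not Tailscale's code) of the rule assumed above: a device
// is admitted only if its node key is signed by an offline key of an approved device.
type Tailnet struct {
	trustedSigners map[string]bool // hex ed25519 public keys allowed to approve devices
	approved       map[string]bool // hex node keys that have been admitted
}

func NewTailnet(signers ...ed25519.PublicKey) *Tailnet {
	t := &Tailnet{trustedSigners: map[string]bool{}, approved: map[string]bool{}}
	for _, s := range signers {
		t.trustedSigners[hex.EncodeToString(s)] = true
	}
	return t
}

// AddDevice is what the control plane calls. It must present a signature from a trusted
// offline key, so the control plane or SSO provider alone cannot admit a device.
func (t *Tailnet) AddDevice(nodeKey, signer ed25519.PublicKey, sig []byte) error {
	if !t.trustedSigners[hex.EncodeToString(signer)] {
		return errors.New("approval signed by a key that is not a trusted signer")
	}
	if !ed25519.Verify(signer, nodeKey, sig) {
		return errors.New("invalid approval signature over node key")
	}
	t.approved[hex.EncodeToString(nodeKey)] = true
	return nil
}

// Accept reports whether traffic associated with nodeKey should be allowed.
func (t *Tailnet) Accept(nodeKey ed25519.PublicKey) bool {
	return t.approved[hex.EncodeToString(nodeKey)]
}

func main() {
	signerPub, signerPriv, _ := ed25519.GenerateKey(rand.Reader) // offline key of an approved device
	devPub, _, _ := ed25519.GenerateKey(rand.Reader)             // new device's node key
	tn := NewTailnet(signerPub)
	fmt.Println(tn.AddDevice(devPub, signerPub, ed25519.Sign(signerPriv, devPub)), tn.Accept(devPub))
}
```

A device whose approval is signed by any key outside the trusted set, or whose signature does not verify, is rejected and its traffic is never accepted.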