Teleport
Description
The Teleport connector uses the Teleport Auth Server REST API to discover Teleport users, roles, and user-to-role assignments within a Teleport cluster. It authenticates using a Teleport API token and provides visibility into infrastructure access governance across SSH, Kubernetes, and database sessions managed by the Teleport PAM platform.
System Type Classification
| Field | Value |
|---|---|
| System Type | PAM Tool |
| Default Scan Priority | 500 |
Version Support
| OrbisID Edition | Supported |
|---|---|
| Community | No |
| Pro | Yes |
| Enterprise | Yes |
Supported Protocol
| Protocol | Port | Notes |
|---|---|---|
| REST API (HTTPS) | 3080 TCP | Bearer token via Authorization: Bearer {token} header |
What OrbisID Discovers
| Data | Source |
|---|---|
| Teleport users | GET /v1/users |
| Teleport roles | GET /v1/roles |
| User-to-role assignments | spec.roles array per user |
| Allowed logins | spec.allow.logins per role |
| Admin role detection | Role name containing admin → privileged |
Connection Requirements
Required Permissions
Create a Teleport role with read-only access to users and roles, then generate an API token bound to that role.
Minimum permissions:
- list and read verbs on the user resource
- list and read verbs on the role resource
Credential Mapping
| OrbisID Field | Value |
|---|---|
| credential.password | Teleport API token |
| system.hostname | Teleport Proxy or Auth Server hostname |
| system.port | Teleport API port (default 3080) |
Network Requirements
The OrbisID server must have HTTPS access to the Teleport Auth/Proxy server on port 3080.
Configuration Steps
- Create a read-only Teleport role for scanning:

```yaml
kind: role
metadata:
  name: orbisid-scanner
spec:
  allow:
    rules:
      - resources: [user, role]
        verbs: [list, read]
```

- Create a Teleport bot or token bound to the orbisid-scanner role
- Create a Credential in OrbisID:
  - Password: Teleport API token
- Navigate to Systems → Add System
- Fill in the fields:
| Field | Value |
|---|---|
| Name | Descriptive name (e.g., Teleport – Production Cluster) |
| OS Type | Teleport |
| System Type | PAM Tool |
| Hostname | Teleport Proxy or Auth Server hostname |
| Port | 3080 |
| Credential | The API token credential |
- Click Test Connection
- Click Save
Troubleshooting
| Symptom | Likely Cause | Resolution |
|---|---|---|
| Authentication failed | Invalid or expired token | Regenerate the Teleport API token |
| 403 Access denied | Insufficient role permissions | Verify the role grants list and read on user and role resources |
| Cannot connect | Port 3080 blocked | Verify TCP 3080 is accessible from OrbisID |
| No roles returned | Older Teleport version | Check API path compatibility; Teleport v9+ uses /v1/roles |
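The following script is an added example, not OrbisID's connector code and not part of Teleport, showing how the facts in the "What OrbisID Discovers" table are derived from the two endpoints the page names (GET /v1/users and GET /v1/roles with a bearer token), and how the 401/403 responses from the Troubleshooting table surface as distinct errors. The endpoint paths and port come from the page; the JSON shape (kind/metadata/spec, mirroring Teleport's YAML resource format), the case-insensitive "admin" match, and the sample users and roles are assumptions constructed for the example.

```python
"""Added example (not OrbisID or Teleport code): read Teleport users and roles over
the REST paths the page lists and derive user-to-role assignments, allowed logins
and admin-role detection the way the connector's discovery table describes."""
import json
import urllib.error
import urllib.request

# Paths as named on the page; the response structure below is an assumption.
USERS_PATH = "/v1/users"
ROLES_PATH = "/v1/roles"


def fetch_resource(base_url: str, path: str, token: str, timeout: float = 10.0):
    """GET a resource list with a bearer token (Authorization: Bearer {token}).
    401 and 403 are mapped to the causes listed in the Troubleshooting table."""
    req = urllib.request.Request(
        base_url.rstrip("/") + path,
        headers={"Authorization": f"Bearer {token}", "Accept": "application/json"},
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as exc:
        if exc.code == 401:
            raise PermissionError("authentication failed: token invalid or expired") from exc
        if exc.code == 403:
            raise PermissionError("access denied: role lacks list/read on user or role") from exc
        raise


def admin_roles(roles):
    """Role names the connector would flag as privileged: name contains 'admin'
    (matched case-insensitively here; that is an assumption of this example)."""
    return {r["metadata"]["name"] for r in roles if "admin" in r["metadata"]["name"].lower()}


def allowed_logins(roles):
    """Map role name -> spec.allow.logins (empty list when the role grants none)."""
    return {
        r["metadata"]["name"]: list(r.get("spec", {}).get("allow", {}).get("logins", []))
        for r in roles
    }


def user_assignments(users, roles):
    """Per-user view: assigned roles (spec.roles), effective logins, privileged flag.
    Roles a user references that are missing from the role list are reported
    separately, since a partial role listing would otherwise hide access."""
    logins_by_role = allowed_logins(roles)
    privileged = admin_roles(roles)
    result = {}
    for u in users:
        assigned = list(u.get("spec", {}).get("roles", []))
        result[u["metadata"]["name"]] = {
            "roles": assigned,
            "logins": sorted({l for r in assigned for l in logins_by_role.get(r, [])}),
            "privileged": any(r in privileged for r in assigned),
            "unknown_roles": [r for r in assigned if r not in logins_by_role],
        }
    return result


# Constructed sample payloads shaped like Teleport YAML resources (assumption).
SAMPLE_ROLES = [
    {"kind": "role", "metadata": {"name": "cluster-admin"},
     "spec": {"allow": {"logins": ["root", "ubuntu"]}}},
    {"kind": "role", "metadata": {"name": "developer"},
     "spec": {"allow": {"logins": ["ubuntu"]}}},
    {"kind": "role", "metadata": {"name": "orbisid-scanner"},
     "spec": {"allow": {"rules": [{"resources": ["user", "role"], "verbs": ["list", "read"]}]}}},
]
SAMPLE_USERS = [
    {"kind": "user", "metadata": {"name": "alice"}, "spec": {"roles": ["cluster-admin", "developer"]}},
    {"kind": "user", "metadata": {"name": "bob"}, "spec": {"roles": ["developer"]}},
    {"kind": "user", "metadata": {"name": "scanner"}, "spec": {"roles": ["orbisid-scanner"]}},
    {"kind": "user", "metadata": {"name": "carol"}, "spec": {"roles": ["auditor"]}},
]

if __name__ == "__main__":
    # Offline run over the constructed sample; swap in fetch_resource(...) calls
    # against https://<teleport-host>:3080 with a real token to scan a cluster.
    for name, info in user_assignments(SAMPLE_USERS, SAMPLE_ROLES).items():
        print(f"{name}: roles={info['roles']} logins={info['logins']} "
              f"privileged={info['privileged']} unknown={info['unknown_roles']}")
```

The "unknown_roles" field is the check worth keeping in a real scan: if /v1/roles returns nothing on an older cluster (the last Troubleshooting row), every user's roles show up as unknown rather than silently contributing no logins, which makes the API-path problem visible in the output instead of producing an empty but plausible-looking access report.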