{"slug":"tsidp","title":"tsidp","tags":["tailscale"],"agent_summary":"Last validated: Mar 10, 2026","trigger_phrases":[],"runnable":false,"markdown":"\r\n# tsidp\r\n\r\nLast validated: Mar 10, 2026\r\n\r\n`tsidp` is a lightweight OIDC/OAuth server that leverages Tailscale's cryptographically guaranteed [network identity](https://tailscale.com/docs/concepts/tailscale-identity) to eliminate authentication prompts while also improving security posture. With Tailscale and `tsidp`, you can securely isolate and authorize any service that supports OIDC/OAuth including self-hosted apps like Grafana and even Model Context Protocol (MCP) servers for private AI deployments with minimal effort.\r\n\r\n`tsidp` is available as an open source project at [https://github.com/tailscale/tsidp](https://github.com/tailscale/tsidp).\r\n\r\n`tsidp` is an experimental project. It is under active development and might experience breaking changes.\r\n\r\n## [How it works](https://tailscale.com/docs/features/tsidp\\#how-it-works)\r\n\r\nWhen you run `tsidp` on your Tailscale network (known as a tailnet), it exposes standard OIDC endpoints so OIDC-capable applications like Grafana and Proxmox can use it as an identity provider. The application performs OIDC discovery against the `tsidp` endpoints. When a user needs to access the application, the application presents a **Log in using Tailscale** option, and then redirects the login request to `tsidp`. `tsidp` uses the LocalAPI `whois` functionality to determine the caller's identity. `tsidp` and the application exchange information with `tsidp` ultimately sending an ID token and access token to the application. The application can verify the ID token digital signature. Optionally, the application can retrieve `userinfo` contents to retrieve information such as the user name, email, or picture, if available.\r\n\r\n`tsidp` uses [`tsnet`](https://tailscale.com/docs/features/tsnet), which lets applications programmatically make direct connections to devices in your tailnet. Among other functionality, `tsnet` provides `tsidp` with access to [LocalAPI](https://github.com/tailscale/tailscale/blob/main/ipn/localapi/localapi.go), which lets applications programmatically retrieve information about the Tailscale client, including the `whois` identity.\r\n\r\n## [Prerequisites](https://tailscale.com/docs/features/tsidp\\#prerequisites)\r\n\r\nTo set up `tsidp`, you need the following prerequisites:\r\n\r\n- A tailnet. If you do not have a tailnet, [sign up](https://login.tailscale.com/start).\r\n\r\n- A Tailscale account with [Owner, Admin, or Network admin](https://tailscale.com/docs/reference/user-roles) permissions, so you can perform the following tasks on the tailnet where you want to set up `tsidp`:\r\n  - Enable MagicDNS.\r\n  - Enable HTTPS.\r\n  - Edit the tailnet policy file.\r\n  - (Optional) Create an [authentication key](https://tailscale.com/docs/features/access-control/auth-keys) (auth key) or an [OAuth client](https://tailscale.com/docs/features/oauth-clients). The purpose is to pre-approve the `tsidp` instance when it joins your tailnet, without requiring an interactive login.\r\n- A device in your tailnet upon which you will run the `tsidp` binary.\r\n\r\n- (Recommended) Docker installed on your device. This topic assumes you have Docker installed.\r\n\r\n- Ability to create a configuration file and run CLI commands so you can run the `tsidp` binary.\r\n\r\n\r\nTo use `tsidp` with an application, the application needs to support OIDC/OAuth and needs to know which endpoints to use for a `tsidp` server. Configuring an application to know which endpoints to use is application-specific, so it is not documented here.\r\n\r\n## [Configure your tailnet](https://tailscale.com/docs/features/tsidp\\#configure-your-tailnet)\r\n\r\nYou need to perform the following tasks to configure your tailnet for `tsidp`.\r\n\r\n### [Enable MagicDNS](https://tailscale.com/docs/features/tsidp\\#enable-magicdns)\r\n\r\nMagicDNS automatically registers DNS names for devices in your tailnet. Tailnets created on or after October 20, 2022 have MagicDNS enabled by default. For information about enabling MagicDNS, refer to [Enabling MagicDNS](https://tailscale.com/docs/features/magicdns#enabling-magicdns).\r\n\r\n### [Enable HTTPS](https://tailscale.com/docs/features/tsidp\\#enable-https)\r\n\r\nEnabling HTTPS lets you provision Transport Layer Security (TLS) certificates for devices in your tailnet. The `tsidp` functionality requires your `tsidp` server to have a TLS certificate. For information about enabling HTTPS, refer to [Configure HTTPS](https://tailscale.com/docs/how-to/set-up-https-certificates).\r\n\r\n### [(Optional) Create an auth key or other credential](https://tailscale.com/docs/features/tsidp\\#optional-create-an-auth-key-or-other-credential)\r\n\r\nIf you want to pre-approve adding the `tsidp` instance to your tailnet, you need an [authentication key](https://tailscale.com/docs/features/access-control/auth-keys) (auth key) or an [OAuth client](https://tailscale.com/docs/features/oauth-clients). Without one of these credentials, you need to interactively log in the `tsidp` instance, before it can join your tailnet.\r\n\r\nFor purposes of this topic, the credential is an auth key.\r\n\r\n1. Open the [Keys](https://login.tailscale.com/admin/settings/keys) page of the admin console.\r\n2. Select **Generate auth key**.\r\n3. For **Description**, enter `tsidp` or another string that you want. This value is used only for organizing your auth keys.\r\n4. (Optional) Configure other settings for the auth key. For information about auth key settings, refer to [Auth keys](https://tailscale.com/docs/features/access-control/auth-keys).\r\n5. Select **Generate key**.\r\n6. Copy the auth key value and keep it secure. It won't be shown in full again. You need the auth key value later, when you set the `TS_AUTHKEY` environment variable.\r\n7. Select **Done**.\r\n\r\n### [Set up an application capability grant](https://tailscale.com/docs/features/tsidp\\#set-up-an-application-capability-grant)\r\n\r\nAccess to the `tsidp` admin user interface and dynamic client registration (DCR) endpoints are denied by default.\r\n\r\nTo allow access, you need to set up a `tailscale.com/cap/tsidp` [application capability](https://tailscale.com/docs/features/access-control/grants/grants-app-capabilities) (app capability) grant. For example, to let your tailnet admins access devices with the [tag](https://tailscale.com/docs/features/tags)`tag:server`, [create the tag](https://tailscale.com/docs/features/tags#define-a-tag) and [edit your tailnet policy file](https://tailscale.com/docs/features/tailnet-policy-file/manage-tailnet-policies) to add a grant like the following:\r\n\r\n```json\r\n\"grants\": [\\\r\n  {\\\r\n    // Allow admins to access any device with the tag \"tag:server\"\\\r\n    \"src\": [\"autogroup:admin\"],\\\r\n    \"dst\": [\"tag:server\"],\\\r\n\\\r\n    \"app\": {\\\r\n      \"tailscale.com/cap/tsidp\": [\\\r\n        {\\\r\n          // allow access to UI\\\r\n          \"allow_admin_ui\": true,\\\r\n\\\r\n          // Security Token Service (STS) controls\\\r\n          \"users\":     [\"*\"],\\\r\n          \"resources\": [\"*\"],\\\r\n\\\r\n          // extraClaims are included in the id_token\\\r\n          // recommend: keep this small and simple\\\r\n          \"extraClaims\": {\\\r\n            \"bools\": true,\\\r\n            \"strings\": \"Mon Jan 2 15:04:05 MST 2006\",\\\r\n            \"numbers\": 180,\\\r\n            \"array1\": [1,2,3],\\\r\n            \"array2\": [\"one\", \"two\", \"three\"]\\\r\n          },\\\r\n\\\r\n          // include extraClaims data in /userinfo response\\\r\n          \"includeInUserInfo\": true,\\\r\n        },\\\r\n      ],\\\r\n    },\\\r\n  },\\\r\n],\r\n```\r\n\r\nThe following table describes the `app` fields when you define a `tailscale.com/cap/tsidp` app capability.\r\n\r\n| Field | Description |\r\n| --- | --- |\r\n| `allow_admin_ui` | Whether the users specified in `users` can access the `tsidp` admin user interface. |\r\n| `users` | The users that are allowed to request a security token from the STS. |\r\n| `resources` | The resources that a security token provides access to. |\r\n| `extraClaims` | Any extra claims to include in the security token. |\r\n| `includeInUserInfo` | Whether to include extra claims in `/userinfo` responses. |\r\n\r\nYou can add more grants as needed. As an example, you could allow `group:sales` to access devices that are tagged as `tag:sales`. That would be a separate grant, containing its own `tailscale.com/cap/tsidp` definition.\r\n\r\nThe `tsidp` app capability schema is in development and might change at any time.\r\n\r\nApp capability grants are per request and are updated immediately. There is no need to restart `tsidp` when you create or modify your app capability grant.\r\n\r\n## [Deploy a tsidp instance](https://tailscale.com/docs/features/tsidp\\#deploy-a-tsidp-instance)\r\n\r\nThe `tsidp` source code is at [https://github.com/tailscale/tsidp](https://github.com/tailscale/tsidp). We recommend that you use the pre-built Docker image, as shown in the following steps.\r\n\r\n1. On a device in your tailnet that is running Docker, create a folder that you want to use for `tsidp` and make it the active working directory.\r\n\r\n2. Create a `compose.yaml` file and use the following template for its content:\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n```yaml\r\nservices:\r\n     tsidp:\r\n       container_name: tsidp\r\n       image: ghcr.io/tailscale/tsidp:latest\r\n       volumes:\r\n      - tsidp-data:/data\r\n    environment:\r\n      - TAILSCALE_USE_WIP_CODE=1 # tsidp is experimental - needed while version <1.0.0\r\n      - TS_STATE_DIR=/data # store persistent tsnet and tsidp state\r\n      - TS_HOSTNAME=idp # Hostname on tailnet (becomes idp.your-tailnet.ts.net)\r\n      - TSIDP_ENABLE_STS=1 # Enable OAuth token exchange\r\nvolumes:\r\ntsidp-data:\r\n```\r\n\r\n3. Create the `TS_ADVERTISE_TAGS` environment variable and assign it the tag that you created earlier, in your tailnet policy file:\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n```shell\r\nexport TS_ADVERTISE_TAGS=tag:tsidp\r\n```\r\n\r\n4. Create the `TS_AUTHKEY` environment variable and assign it the auth key that you created earlier:\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n```shell\r\nexport TTS_AUTHKEY=<your-auth-key>\r\n```\r\n\r\n\r\n\r\nReplace `<your-auth-key>` with your auth key. Alternatively, if you created an OAuth client, replace `<your-auth-key>` with the OAuth client secret.\r\n\r\n5. Run the `tsidp` binary:\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n```shell\r\ndocker compose up -d\r\n```\r\n\r\n6. (Optional) Stream output from `stdout` and `stderr` for the `tsidp` container:\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n```shell\r\ndocker compose logs -f\r\n```\r\n\r\n\r\n\r\nWhen you want to stop streaming the logs output, press `Ctrl+C`.\r\n\r\nAs part of the initialization, the `tsidp` binary generates a TLS certificate for the `tsidp` instance.\r\n\r\n\r\n\r\nIf you're running `tsidp` for the first time, it might take a few minutes for the TLS certificate to generate. You might not be able to access the `tsidp` server until the certificate is ready.\r\n\r\n7. After `tsidp` starts, from a device in your tailnet, open `https://idp.<your-tailnet-dns-name>`, replacing `<your-tailnet-dns-name>` with your actual [tailnet DNS name](https://tailscale.com/docs/concepts/tailnet-name#tailnet-dns-name). You can find your tailnet DNS name in the [DNS](https://login.tailscale.com/admin/dns) page of the admin console. For example, `https://idp.cat-crocodile.ts.net`.\r\n\r\n\r\nNow that you have `tsidp` running on your tailnet, you can use it to manage credentials.\r\n\r\n## [Use tsidp to manage credentials](https://tailscale.com/docs/features/tsidp\\#use-tsidp-to-manage-credentials)\r\n\r\nAfter you start your `tsidp` server, use the `tsidp` admin user interface to create, update, or delete an OIDC client.\r\n\r\n### [Create an OIDC client](https://tailscale.com/docs/features/tsidp\\#create-an-oidc-client)\r\n\r\n1. Open the **Tailscale OIDC Identity Provider** URL that was provided by your `tsidp` application.\r\n2. Select **Create Client**.\r\n3. For **Client Name**, provide a name for the client.\r\n4. For **Redirect URIs**, provide the one or more redirect URIs that users will be redirected to after authentication. Enter one redirect per line.\r\n5. Select **Create Client**.\r\n6. Copy both the Client ID and the Client Secret. The Client Secret will not be visible again, after you close the Add New OIDC Client page.\r\n7. Use the Client ID and the Client Secret in your Hosted or SaaS applications as needed. Information on how to do so is application-specific, so it is not documented here.\r\n\r\n### [Update an OIDC client](https://tailscale.com/docs/features/tsidp\\#update-an-oidc-client)\r\n\r\n1. Open the **Tailscale OIDC Identity Provider** URL that was provided by your `tsidp` application.\r\n2. For the client that you want to update, select **Edit**.\r\n3. Update the client name and redirect URIs as needed.\r\n4. Select **Update Client**.\r\n\r\n### [Regenerate a client secret](https://tailscale.com/docs/features/tsidp\\#regenerate-a-client-secret)\r\n\r\n1. Open the **Tailscale OIDC Identity Provider** URL that was provided by your `tsidp` application.\r\n2. For the client whose secret you plan to update, select **Edit**.\r\n3. Select **Regenerate Secret**.\r\n4. Select **OK** to confirm you want to regenerate the secret.\r\n5. Copy the new Client Secret. The Client Secret will not be visible again, after you close the **Edit OIDC Client** page.\r\n6. Use the new Client Secret in your Hosted or SaaS applications as needed.\r\n\r\n### [Delete an OIDC client](https://tailscale.com/docs/features/tsidp\\#delete-an-oidc-client)\r\n\r\n1. Open the **Tailscale OIDC Identity Provider** URL that was provided by your `tsidp` application.\r\n2. For the client that you want to delete, select **Edit**.\r\n3. Select **Delete Client**.\r\n4. Select **OK** to confirm you want to delete the client.\r\n\r\n## [Next steps](https://tailscale.com/docs/features/tsidp\\#next-steps)\r\n\r\n- To configure `tsidp` as an identity provider for [Proxmox](https://www.proxmox.com/), refer to the [`tsidp` Proxmox example](https://github.com/tailscale/tsidp/blob/main/docs/proxmox/README.md).\r\n\r\n- `tsidp` supports endpoints required and suggested by the [MCP Authorization specification](https://modelcontextprotocol.io/specification/draft/basic/authorization), including [Dynamic Client Registration](https://www.rfc-editor.org/rfc/rfc7591.html). For more information, refer to the following examples:\r\n  - [MCP Client / Server](https://github.com/tailscale/tsidp/blob/main/examples/mcp-server/README.md)\r\n  - [MCP Client / Gateway Server](https://github.com/tailscale/tsidp/blob/main/examples/mcp-gateway/README.md)\r\n- As an alternative to using an auth key, you can use an OAuth client to pre-approve your `tsidp` instance. For more information, refer to [OAuth clients](https://tailscale.com/docs/features/oauth-clients).\r\n\r\n- For more information about `tsidp` configuration, refer to [`tsidp` configuration](https://tailscale.com/docs/reference/tsidp-configuration).\r\n\r\n\r\n![Project Logo](https://cdn.brandfetch.io/tailscale.com/fallback/lettermark/theme/dark/h/256/w/256/icon?c=1bfwsmEH20zzEfSNTed)\r\n\r\nAsk AI\r\n\r\nreCAPTCHA\r\n\r\nRecaptcha requires verification.\r\n\r\nprotected by **reCAPTCHA**\r\n","html":"<h1>tsidp</h1>\n<p>Last validated: Mar 10, 2026</p>\n<p><code>tsidp</code> is a lightweight OIDC/OAuth server that leverages Tailscale's cryptographically guaranteed <a href=\"https://tailscale.com/docs/concepts/tailscale-identity\">network identity</a> to eliminate authentication prompts while also improving security posture. With Tailscale and <code>tsidp</code>, you can securely isolate and authorize any service that supports OIDC/OAuth including self-hosted apps like Grafana and even Model Context Protocol (MCP) servers for private AI deployments with minimal effort.</p>\n<p><code>tsidp</code> is available as an open source project at <a href=\"https://github.com/tailscale/tsidp\">https://github.com/tailscale/tsidp</a>.</p>\n<p><code>tsidp</code> is an experimental project. It is under active development and might experience breaking changes.</p>\n<h2><a href=\"https://tailscale.com/docs/features/tsidp#how-it-works\">How it works</a></h2>\n<p>When you run <code>tsidp</code> on your Tailscale network (known as a tailnet), it exposes standard OIDC endpoints so OIDC-capable applications like Grafana and Proxmox can use it as an identity provider. The application performs OIDC discovery against the <code>tsidp</code> endpoints. When a user needs to access the application, the application presents a <strong>Log in using Tailscale</strong> option, and then redirects the login request to <code>tsidp</code>. <code>tsidp</code> uses the LocalAPI <code>whois</code> functionality to determine the caller's identity. <code>tsidp</code> and the application exchange information with <code>tsidp</code> ultimately sending an ID token and access token to the application. The application can verify the ID token digital signature. Optionally, the application can retrieve <code>userinfo</code> contents to retrieve information such as the user name, email, or picture, if available.</p>\n<p><code>tsidp</code> uses <a href=\"https://tailscale.com/docs/features/tsnet\"><code>tsnet</code></a>, which lets applications programmatically make direct connections to devices in your tailnet. Among other functionality, <code>tsnet</code> provides <code>tsidp</code> with access to <a href=\"https://github.com/tailscale/tailscale/blob/main/ipn/localapi/localapi.go\">LocalAPI</a>, which lets applications programmatically retrieve information about the Tailscale client, including the <code>whois</code> identity.</p>\n<h2><a href=\"https://tailscale.com/docs/features/tsidp#prerequisites\">Prerequisites</a></h2>\n<p>To set up <code>tsidp</code>, you need the following prerequisites:</p>\n<ul>\n<li>\n<p>A tailnet. If you do not have a tailnet, <a href=\"https://login.tailscale.com/start\">sign up</a>.</p>\n</li>\n<li>\n<p>A Tailscale account with <a href=\"https://tailscale.com/docs/reference/user-roles\">Owner, Admin, or Network admin</a> permissions, so you can perform the following tasks on the tailnet where you want to set up <code>tsidp</code>:</p>\n<ul>\n<li>Enable MagicDNS.</li>\n<li>Enable HTTPS.</li>\n<li>Edit the tailnet policy file.</li>\n<li>(Optional) Create an <a href=\"https://tailscale.com/docs/features/access-control/auth-keys\">authentication key</a> (auth key) or an <a href=\"https://tailscale.com/docs/features/oauth-clients\">OAuth client</a>. The purpose is to pre-approve the <code>tsidp</code> instance when it joins your tailnet, without requiring an interactive login.</li>\n</ul>\n</li>\n<li>\n<p>A device in your tailnet upon which you will run the <code>tsidp</code> binary.</p>\n</li>\n<li>\n<p>(Recommended) Docker installed on your device. This topic assumes you have Docker installed.</p>\n</li>\n<li>\n<p>Ability to create a configuration file and run CLI commands so you can run the <code>tsidp</code> binary.</p>\n</li>\n</ul>\n<p>To use <code>tsidp</code> with an application, the application needs to support OIDC/OAuth and needs to know which endpoints to use for a <code>tsidp</code> server. Configuring an application to know which endpoints to use is application-specific, so it is not documented here.</p>\n<h2><a href=\"https://tailscale.com/docs/features/tsidp#configure-your-tailnet\">Configure your tailnet</a></h2>\n<p>You need to perform the following tasks to configure your tailnet for <code>tsidp</code>.</p>\n<h3><a href=\"https://tailscale.com/docs/features/tsidp#enable-magicdns\">Enable MagicDNS</a></h3>\n<p>MagicDNS automatically registers DNS names for devices in your tailnet. Tailnets created on or after October 20, 2022 have MagicDNS enabled by default. For information about enabling MagicDNS, refer to <a href=\"https://tailscale.com/docs/features/magicdns#enabling-magicdns\">Enabling MagicDNS</a>.</p>\n<h3><a href=\"https://tailscale.com/docs/features/tsidp#enable-https\">Enable HTTPS</a></h3>\n<p>Enabling HTTPS lets you provision Transport Layer Security (TLS) certificates for devices in your tailnet. The <code>tsidp</code> functionality requires your <code>tsidp</code> server to have a TLS certificate. For information about enabling HTTPS, refer to <a href=\"https://tailscale.com/docs/how-to/set-up-https-certificates\">Configure HTTPS</a>.</p>\n<h3><a href=\"https://tailscale.com/docs/features/tsidp#optional-create-an-auth-key-or-other-credential\">(Optional) Create an auth key or other credential</a></h3>\n<p>If you want to pre-approve adding the <code>tsidp</code> instance to your tailnet, you need an <a href=\"https://tailscale.com/docs/features/access-control/auth-keys\">authentication key</a> (auth key) or an <a href=\"https://tailscale.com/docs/features/oauth-clients\">OAuth client</a>. Without one of these credentials, you need to interactively log in the <code>tsidp</code> instance, before it can join your tailnet.</p>\n<p>For purposes of this topic, the credential is an auth key.</p>\n<ol>\n<li>Open the <a href=\"https://login.tailscale.com/admin/settings/keys\">Keys</a> page of the admin console.</li>\n<li>Select <strong>Generate auth key</strong>.</li>\n<li>For <strong>Description</strong>, enter <code>tsidp</code> or another string that you want. This value is used only for organizing your auth keys.</li>\n<li>(Optional) Configure other settings for the auth key. For information about auth key settings, refer to <a href=\"https://tailscale.com/docs/features/access-control/auth-keys\">Auth keys</a>.</li>\n<li>Select <strong>Generate key</strong>.</li>\n<li>Copy the auth key value and keep it secure. It won't be shown in full again. You need the auth key value later, when you set the <code>TS_AUTHKEY</code> environment variable.</li>\n<li>Select <strong>Done</strong>.</li>\n</ol>\n<h3><a href=\"https://tailscale.com/docs/features/tsidp#set-up-an-application-capability-grant\">Set up an application capability grant</a></h3>\n<p>Access to the <code>tsidp</code> admin user interface and dynamic client registration (DCR) endpoints are denied by default.</p>\n<p>To allow access, you need to set up a <code>tailscale.com/cap/tsidp</code> <a href=\"https://tailscale.com/docs/features/access-control/grants/grants-app-capabilities\">application capability</a> (app capability) grant. For example, to let your tailnet admins access devices with the <a href=\"https://tailscale.com/docs/features/tags\">tag</a><code>tag:server</code>, <a href=\"https://tailscale.com/docs/features/tags#define-a-tag\">create the tag</a> and <a href=\"https://tailscale.com/docs/features/tailnet-policy-file/manage-tailnet-policies\">edit your tailnet policy file</a> to add a grant like the following:</p>\n<pre><code class=\"language-json\">\"grants\": [\\\r\n  {\\\r\n    // Allow admins to access any device with the tag \"tag:server\"\\\r\n    \"src\": [\"autogroup:admin\"],\\\r\n    \"dst\": [\"tag:server\"],\\\r\n\\\r\n    \"app\": {\\\r\n      \"tailscale.com/cap/tsidp\": [\\\r\n        {\\\r\n          // allow access to UI\\\r\n          \"allow_admin_ui\": true,\\\r\n\\\r\n          // Security Token Service (STS) controls\\\r\n          \"users\":     [\"*\"],\\\r\n          \"resources\": [\"*\"],\\\r\n\\\r\n          // extraClaims are included in the id_token\\\r\n          // recommend: keep this small and simple\\\r\n          \"extraClaims\": {\\\r\n            \"bools\": true,\\\r\n            \"strings\": \"Mon Jan 2 15:04:05 MST 2006\",\\\r\n            \"numbers\": 180,\\\r\n            \"array1\": [1,2,3],\\\r\n            \"array2\": [\"one\", \"two\", \"three\"]\\\r\n          },\\\r\n\\\r\n          // include extraClaims data in /userinfo response\\\r\n          \"includeInUserInfo\": true,\\\r\n        },\\\r\n      ],\\\r\n    },\\\r\n  },\\\r\n],\n</code></pre>\n<p>The following table describes the <code>app</code> fields when you define a <code>tailscale.com/cap/tsidp</code> app capability.</p>\n<p>| Field | Description |\r\n| --- | --- |\r\n| <code>allow_admin_ui</code> | Whether the users specified in <code>users</code> can access the <code>tsidp</code> admin user interface. |\r\n| <code>users</code> | The users that are allowed to request a security token from the STS. |\r\n| <code>resources</code> | The resources that a security token provides access to. |\r\n| <code>extraClaims</code> | Any extra claims to include in the security token. |\r\n| <code>includeInUserInfo</code> | Whether to include extra claims in <code>/userinfo</code> responses. |</p>\n<p>You can add more grants as needed. As an example, you could allow <code>group:sales</code> to access devices that are tagged as <code>tag:sales</code>. That would be a separate grant, containing its own <code>tailscale.com/cap/tsidp</code> definition.</p>\n<p>The <code>tsidp</code> app capability schema is in development and might change at any time.</p>\n<p>App capability grants are per request and are updated immediately. There is no need to restart <code>tsidp</code> when you create or modify your app capability grant.</p>\n<h2><a href=\"https://tailscale.com/docs/features/tsidp#deploy-a-tsidp-instance\">Deploy a tsidp instance</a></h2>\n<p>The <code>tsidp</code> source code is at <a href=\"https://github.com/tailscale/tsidp\">https://github.com/tailscale/tsidp</a>. We recommend that you use the pre-built Docker image, as shown in the following steps.</p>\n<ol>\n<li>\n<p>On a device in your tailnet that is running Docker, create a folder that you want to use for <code>tsidp</code> and make it the active working directory.</p>\n</li>\n<li>\n<p>Create a <code>compose.yaml</code> file and use the following template for its content:</p>\n</li>\n</ol>\n<pre><code class=\"language-yaml\">services:\r\n     tsidp:\r\n       container_name: tsidp\r\n       image: ghcr.io/tailscale/tsidp:latest\r\n       volumes:\r\n      - tsidp-data:/data\r\n    environment:\r\n      - TAILSCALE_USE_WIP_CODE=1 # tsidp is experimental - needed while version &#x3C;1.0.0\r\n      - TS_STATE_DIR=/data # store persistent tsnet and tsidp state\r\n      - TS_HOSTNAME=idp # Hostname on tailnet (becomes idp.your-tailnet.ts.net)\r\n      - TSIDP_ENABLE_STS=1 # Enable OAuth token exchange\r\nvolumes:\r\ntsidp-data:\n</code></pre>\n<ol start=\"3\">\n<li>Create the <code>TS_ADVERTISE_TAGS</code> environment variable and assign it the tag that you created earlier, in your tailnet policy file:</li>\n</ol>\n<pre><code class=\"language-shell\">export TS_ADVERTISE_TAGS=tag:tsidp\n</code></pre>\n<ol start=\"4\">\n<li>Create the <code>TS_AUTHKEY</code> environment variable and assign it the auth key that you created earlier:</li>\n</ol>\n<pre><code class=\"language-shell\">export TTS_AUTHKEY=&#x3C;your-auth-key>\n</code></pre>\n<p>Replace <code>&#x3C;your-auth-key></code> with your auth key. Alternatively, if you created an OAuth client, replace <code>&#x3C;your-auth-key></code> with the OAuth client secret.</p>\n<ol start=\"5\">\n<li>Run the <code>tsidp</code> binary:</li>\n</ol>\n<pre><code class=\"language-shell\">docker compose up -d\n</code></pre>\n<ol start=\"6\">\n<li>(Optional) Stream output from <code>stdout</code> and <code>stderr</code> for the <code>tsidp</code> container:</li>\n</ol>\n<pre><code class=\"language-shell\">docker compose logs -f\n</code></pre>\n<p>When you want to stop streaming the logs output, press <code>Ctrl+C</code>.</p>\n<p>As part of the initialization, the <code>tsidp</code> binary generates a TLS certificate for the <code>tsidp</code> instance.</p>\n<p>If you're running <code>tsidp</code> for the first time, it might take a few minutes for the TLS certificate to generate. You might not be able to access the <code>tsidp</code> server until the certificate is ready.</p>\n<ol start=\"7\">\n<li>After <code>tsidp</code> starts, from a device in your tailnet, open <code>https://idp.&#x3C;your-tailnet-dns-name></code>, replacing <code>&#x3C;your-tailnet-dns-name></code> with your actual <a href=\"https://tailscale.com/docs/concepts/tailnet-name#tailnet-dns-name\">tailnet DNS name</a>. You can find your tailnet DNS name in the <a href=\"https://login.tailscale.com/admin/dns\">DNS</a> page of the admin console. For example, <code>https://idp.cat-crocodile.ts.net</code>.</li>\n</ol>\n<p>Now that you have <code>tsidp</code> running on your tailnet, you can use it to manage credentials.</p>\n<h2><a href=\"https://tailscale.com/docs/features/tsidp#use-tsidp-to-manage-credentials\">Use tsidp to manage credentials</a></h2>\n<p>After you start your <code>tsidp</code> server, use the <code>tsidp</code> admin user interface to create, update, or delete an OIDC client.</p>\n<h3><a href=\"https://tailscale.com/docs/features/tsidp#create-an-oidc-client\">Create an OIDC client</a></h3>\n<ol>\n<li>Open the <strong>Tailscale OIDC Identity Provider</strong> URL that was provided by your <code>tsidp</code> application.</li>\n<li>Select <strong>Create Client</strong>.</li>\n<li>For <strong>Client Name</strong>, provide a name for the client.</li>\n<li>For <strong>Redirect URIs</strong>, provide the one or more redirect URIs that users will be redirected to after authentication. Enter one redirect per line.</li>\n<li>Select <strong>Create Client</strong>.</li>\n<li>Copy both the Client ID and the Client Secret. The Client Secret will not be visible again, after you close the Add New OIDC Client page.</li>\n<li>Use the Client ID and the Client Secret in your Hosted or SaaS applications as needed. Information on how to do so is application-specific, so it is not documented here.</li>\n</ol>\n<h3><a href=\"https://tailscale.com/docs/features/tsidp#update-an-oidc-client\">Update an OIDC client</a></h3>\n<ol>\n<li>Open the <strong>Tailscale OIDC Identity Provider</strong> URL that was provided by your <code>tsidp</code> application.</li>\n<li>For the client that you want to update, select <strong>Edit</strong>.</li>\n<li>Update the client name and redirect URIs as needed.</li>\n<li>Select <strong>Update Client</strong>.</li>\n</ol>\n<h3><a href=\"https://tailscale.com/docs/features/tsidp#regenerate-a-client-secret\">Regenerate a client secret</a></h3>\n<ol>\n<li>Open the <strong>Tailscale OIDC Identity Provider</strong> URL that was provided by your <code>tsidp</code> application.</li>\n<li>For the client whose secret you plan to update, select <strong>Edit</strong>.</li>\n<li>Select <strong>Regenerate Secret</strong>.</li>\n<li>Select <strong>OK</strong> to confirm you want to regenerate the secret.</li>\n<li>Copy the new Client Secret. The Client Secret will not be visible again, after you close the <strong>Edit OIDC Client</strong> page.</li>\n<li>Use the new Client Secret in your Hosted or SaaS applications as needed.</li>\n</ol>\n<h3><a href=\"https://tailscale.com/docs/features/tsidp#delete-an-oidc-client\">Delete an OIDC client</a></h3>\n<ol>\n<li>Open the <strong>Tailscale OIDC Identity Provider</strong> URL that was provided by your <code>tsidp</code> application.</li>\n<li>For the client that you want to delete, select <strong>Edit</strong>.</li>\n<li>Select <strong>Delete Client</strong>.</li>\n<li>Select <strong>OK</strong> to confirm you want to delete the client.</li>\n</ol>\n<h2><a href=\"https://tailscale.com/docs/features/tsidp#next-steps\">Next steps</a></h2>\n<ul>\n<li>\n<p>To configure <code>tsidp</code> as an identity provider for <a href=\"https://www.proxmox.com/\">Proxmox</a>, refer to the <a href=\"https://github.com/tailscale/tsidp/blob/main/docs/proxmox/README.md\"><code>tsidp</code> Proxmox example</a>.</p>\n</li>\n<li>\n<p><code>tsidp</code> supports endpoints required and suggested by the <a href=\"https://modelcontextprotocol.io/specification/draft/basic/authorization\">MCP Authorization specification</a>, including <a href=\"https://www.rfc-editor.org/rfc/rfc7591.html\">Dynamic Client Registration</a>. For more information, refer to the following examples:</p>\n<ul>\n<li><a href=\"https://github.com/tailscale/tsidp/blob/main/examples/mcp-server/README.md\">MCP Client / Server</a></li>\n<li><a href=\"https://github.com/tailscale/tsidp/blob/main/examples/mcp-gateway/README.md\">MCP Client / Gateway Server</a></li>\n</ul>\n</li>\n<li>\n<p>As an alternative to using an auth key, you can use an OAuth client to pre-approve your <code>tsidp</code> instance. For more information, refer to <a href=\"https://tailscale.com/docs/features/oauth-clients\">OAuth clients</a>.</p>\n</li>\n<li>\n<p>For more information about <code>tsidp</code> configuration, refer to <a href=\"https://tailscale.com/docs/reference/tsidp-configuration\"><code>tsidp</code> configuration</a>.</p>\n</li>\n</ul>\n<p><img src=\"https://cdn.brandfetch.io/tailscale.com/fallback/lettermark/theme/dark/h/256/w/256/icon?c=1bfwsmEH20zzEfSNTed\" alt=\"Project Logo\"></p>\n<p>Ask AI</p>\n<p>reCAPTCHA</p>\n<p>Recaptcha requires verification.</p>\n<p>protected by <strong>reCAPTCHA</strong></p>\n"}