tailscale/cmd/tsidp/README.md

# `tsidp` - Tailscale OpenID Connect (OIDC) Identity Provider

[![status: experimental](https://img.shields.io/badge/status-experimental-blue)](https://tailscale.com/kb/1167/release-stages/#experimental)

`tsidp` is an OIDC Identity Provider (IdP) server that integrates with your Tailscale network. It allows you to use Tailscale identities for authentication in applications that support OpenID Connect, enabling single sign-on (SSO) capabilities within your tailnet.

## Prerequisites

- A Tailscale network (tailnet) with magicDNS and HTTPS enabled
- A Tailscale authentication key from your tailnet
- Docker installed on your system

## Installation using Docker

### Building from Source

```bash
# Clone the Tailscale repository
git clone https://github.com/tailscale/tailscale.git
cd tailscale

# Build and publish to your own registry
make publishdevtsidp REPO=ghcr.io/yourusername/tsidp TAGS=v0.0.1 PUSH=true
```

### Running the Container

Replace `YOUR_TAILSCALE_AUTHKEY` with your Tailscale authentication key:

```bash
docker run -d \
  --name tsidp \
  -p 443:443 \
  -e TS_AUTHKEY=YOUR_TAILSCALE_AUTHKEY \
  -e TAILSCALE_USE_WIP_CODE=1 \
  -v tsidp-data:/var/lib/tsidp \
  ghcr.io/yourusername/tsidp:v0.0.1 \
  tsidp --hostname=idp --dir=/var/lib/tsidp
```

### Verify Installation
```bash
docker logs tsidp
```

Visit `https://idp.tailnet.ts.net` to confirm the service is running.

## Usage Example: Proxmox Integration

Here's how to configure Proxmox to use `tsidp` for authentication:

1. In Proxmox, navigate to Datacenter > Realms > Add OpenID Connect Server

2. Configure the following settings:
   - Issuer URL: `https://idp.velociraptor.ts.net`
   - Realm: `tailscale` (or your preferred name)
   - Client ID: `unused`
   - Client Key: `unused`
   - Default: `true`
   - Autocreate users: `true`
   - Username claim: `email`

3. Set up user permissions:
   - Go to Datacenter > Permissions > Groups
   - Create a new group (e.g., "tsadmins")
   - Click Permissions in the sidebar
   - Add Group Permission
   - Set Path to `/` for full admin access or scope as needed
   - Set the group and role
   - Add Tailscale-authenticated users to the group

## Configuration Options

The `tsidp` server supports several command-line flags:

- `--verbose`: Enable verbose logging
- `--port`: Port to listen on (default: 443)
- `--local-port`: Allow requests from localhost
- `--use-local-tailscaled`: Use local tailscaled instead of tsnet
- `--hostname`: tsnet hostname
- `--dir`: tsnet state directory

## Environment Variables

- `TS_AUTHKEY`: Your Tailscale authentication key (required)
- `TS_HOSTNAME`: Hostname for the `tsidp` server (default: "idp", Docker only)
- `TS_STATE_DIR`: State directory (default: "/var/lib/tsidp", Docker only)
- `TAILSCALE_USE_WIP_CODE`: Enable work-in-progress code (default: "1")

## Support

This is an [experimental](https://tailscale.com/kb/1167/release-stages#experimental), work in progress feature. For issues or questions, file issues on the [GitHub repository](https://github.com/tailscale/tailscale)

## License

BSD-3-Clause License. See [LICENSE](../../LICENSE) for details.
cmd/tsidp: add README and Dockerfile (#15205) 2025-03-05 10:55:37 -06:00			# `tsidp` - Tailscale OpenID Connect (OIDC) Identity Provider

			`[![status: experimental](https://img.shields.io/badge/status-experimental-blue)](https://tailscale.com/kb/1167/release-stages/#experimental)`

			`tsidp` is an OIDC Identity Provider (IdP) server that integrates with your Tailscale network. It allows you to use Tailscale identities for authentication in applications that support OpenID Connect, enabling single sign-on (SSO) capabilities within your tailnet.

			`## Prerequisites`

			`- A Tailscale network (tailnet) with magicDNS and HTTPS enabled`
			`- A Tailscale authentication key from your tailnet`
			`- Docker installed on your system`

			`## Installation using Docker`

cmd/tsidp: add Docker image building support (#16078) - Add tsidp target to build_docker.sh for standard Tailscale image builds - Add publishdevtsidp Makefile target for development image publishing - Remove Dockerfile, using standard build process - Include tsidp in depaware dependency tracking - Update README with comprehensive Docker usage examples This enables tsidp to be built and published like other Tailscale components (tailscale/tailscale, tailscale/k8s-operator, tailscale/k8s-nameserver). Fixes #16077 Signed-off-by: Raj Singh <raj@tailscale.com> 2025-06-03 12:52:00 -04:00			`### Building from Source`

			```bash
			`# Clone the Tailscale repository`
			`git clone https://github.com/tailscale/tailscale.git`
			`cd tailscale`

			`# Build and publish to your own registry`
			`make publishdevtsidp REPO=ghcr.io/yourusername/tsidp TAGS=v0.0.1 PUSH=true`
			```

			`### Running the Container`

			Replace `YOUR_TAILSCALE_AUTHKEY` with your Tailscale authentication key:

			```bash
			`docker run -d \`
			`--name tsidp \`
			`-p 443:443 \`
			`-e TS_AUTHKEY=YOUR_TAILSCALE_AUTHKEY \`
			`-e TAILSCALE_USE_WIP_CODE=1 \`
			`-v tsidp-data:/var/lib/tsidp \`
			`ghcr.io/yourusername/tsidp:v0.0.1 \`
			`tsidp --hostname=idp --dir=/var/lib/tsidp`
			```

			`### Verify Installation`
			```bash
			`docker logs tsidp`
			```

			Visit `https://idp.tailnet.ts.net` to confirm the service is running.
cmd/tsidp: add README and Dockerfile (#15205) 2025-03-05 10:55:37 -06:00
			`## Usage Example: Proxmox Integration`

			Here's how to configure Proxmox to use `tsidp` for authentication:

			`1. In Proxmox, navigate to Datacenter > Realms > Add OpenID Connect Server`

			`2. Configure the following settings:`
			- Issuer URL: `https://idp.velociraptor.ts.net`
			- Realm: `tailscale` (or your preferred name)
			- Client ID: `unused`
			- Client Key: `unused`
			- Default: `true`
			- Autocreate users: `true`
			- Username claim: `email`

			`3. Set up user permissions:`
			`- Go to Datacenter > Permissions > Groups`
			`- Create a new group (e.g., "tsadmins")`
			`- Click Permissions in the sidebar`
			`- Add Group Permission`
			- Set Path to `/` for full admin access or scope as needed
			`- Set the group and role`
			`- Add Tailscale-authenticated users to the group`

			`## Configuration Options`

			The `tsidp` server supports several command-line flags:

			- `--verbose`: Enable verbose logging
			- `--port`: Port to listen on (default: 443)
			- `--local-port`: Allow requests from localhost
			- `--use-local-tailscaled`: Use local tailscaled instead of tsnet
Move env var flag passing to Dockerfile Updates #15465 Signed-off-by: Kot <kot@kot.pink> 2025-04-01 21:53:10 -05:00			- `--hostname`: tsnet hostname
cmd/tsidp: add README and Dockerfile (#15205) 2025-03-05 10:55:37 -06:00			- `--dir`: tsnet state directory

			`## Environment Variables`

			- `TS_AUTHKEY`: Your Tailscale authentication key (required)
Change README to reflect configuration Updates #15465 Signed-off-by: Kot <kot@kot.pink> 2025-04-01 21:56:08 -05:00			- `TS_HOSTNAME`: Hostname for the `tsidp` server (default: "idp", Docker only)
			- `TS_STATE_DIR`: State directory (default: "/var/lib/tsidp", Docker only)
cmd/tsidp: add README and Dockerfile (#15205) 2025-03-05 10:55:37 -06:00			- `TAILSCALE_USE_WIP_CODE`: Enable work-in-progress code (default: "1")

			`## Support`

			`This is an [experimental](https://tailscale.com/kb/1167/release-stages#experimental), work in progress feature. For issues or questions, file issues on the [GitHub repository](https://github.com/tailscale/tailscale)`

			`## License`

cmd/tsidp: use advertised env vars for config Fixes #14491 Signed-off-by: Kot <kot@kot.pink> 2025-03-28 14:17:13 -07:00			`BSD-3-Clause License. See [LICENSE](../../LICENSE) for details.`