diff --git a/cmd/tsidp/Dockerfile b/cmd/tsidp/Dockerfile
index c3ae480b7..c4f352ed0 100644
--- a/cmd/tsidp/Dockerfile
+++ b/cmd/tsidp/Dockerfile
@@ -38,4 +38,4 @@ ENV TAILSCALE_USE_WIP_CODE=1 \
 EXPOSE 443
 
 # Run the application
-ENTRYPOINT ["/app/tsidp"]
+ENTRYPOINT ["/bin/sh", "-c", "/app/tsidp --hostname=${TS_HOSTNAME} --dir=${TS_STATE_DIR}"]
diff --git a/cmd/tsidp/README.md b/cmd/tsidp/README.md
index 143e448ce..a5e789cc4 100644
--- a/cmd/tsidp/README.md
+++ b/cmd/tsidp/README.md
@@ -82,13 +82,14 @@ The `tsidp` server supports several command-line flags:
 - `--port`: Port to listen on (default: 443)
 - `--local-port`: Allow requests from localhost
 - `--use-local-tailscaled`: Use local tailscaled instead of tsnet
+- `--hostname`: tsnet hostname
 - `--dir`: tsnet state directory
 
 ## Environment Variables
 
 - `TS_AUTHKEY`: Your Tailscale authentication key (required)
 - `TS_HOSTNAME`: Hostname for the `tsidp` server (default: "idp")
-- `TS_STATE_DIR`: State directory (default: "/var/lib/tsidp" in Docker, otherwise tsnet default)
+- `TS_STATE_DIR`: State directory (default: "/var/lib/tsidp")
 - `TAILSCALE_USE_WIP_CODE`: Enable work-in-progress code (default: "1")
 
 ## Support
diff --git a/cmd/tsidp/tsidp.go b/cmd/tsidp/tsidp.go
index 17ef3729d..54bb82d12 100644
--- a/cmd/tsidp/tsidp.go
+++ b/cmd/tsidp/tsidp.go
@@ -65,17 +65,10 @@ var (
 	flagLocalPort          = flag.Int("local-port", -1, "allow requests from localhost")
 	flagUseLocalTailscaled = flag.Bool("use-local-tailscaled", false, "use local tailscaled instead of tsnet")
 	flagFunnel             = flag.Bool("funnel", false, "use Tailscale Funnel to make tsidp available on the public internet")
-	flagHostname           = flag.String("hostname", envOr("TS_HOSTNAME", "idp"), "tsnet hostname to use instead of idp")
-	flagDir                = flag.String("dir", envOr("TS_STATE_DIR", ""), "tsnet state directory; a default one will be created if not provided")
+	flagHostname           = flag.String("hostname", "idp", "tsnet hostname to use instead of idp")
+	flagDir                = flag.String("dir", "", "tsnet state directory; a default one will be created if not provided")
 )
 
-func envOr(key, defaultVal string) string {
-	if result, ok := os.LookupEnv(key); ok {
-		return result
-	}
-	return defaultVal
-}
-
 func main() {
 	flag.Parse()
 	ctx := context.Background()