Using Tailscale IDP with Synology NAS - A Step-by-Step Guide
Tags: networking, tailscale, Synology
2025-04-22
If you're looking to set up OpenID Connect (OIDC) authentication for your Synology NAS using Tailscale's `tsidp` identity provider, you're in the right place. This guide walks you through everything from installing the IDP on a Linux host and configuring it with Tailscale to enabling SSO on your Synology NAS.
Prerequisites
Before you start, make sure you have the following:
- A Linux host where you'll run your `tsidp` server:
  - Go 1.24.0 or later installed
  - SSH access
- A Tailscale account:
  - Already configured and active
  - Admin access to edit the ACL file
- Your Synology NAS joined to your tailnet → Follow this guide to do so
Installing tsidp
Installing the `tsidp` binary is a breeze if you already have Go installed:
Install tsidp binary
go install tailscale.com/cmd/tsidp@latest
Setup systemd service unit
Now set up a systemd service for `tsidp` on your Linux host:
/etc/systemd/system/tsidp.service
[Unit]
Description=Tailscale (OIDC) IDP

[Service]
TimeoutStartSec=0
User=root
EnvironmentFile=/etc/default/tsidp
ExecStart=/root/go/bin/tsidp
Restart=on-failure
TimeoutStopSec=20s
SendSIGKILL=no

[Install]
WantedBy=multi-user.target
/etc/default/tsidp
TAILSCALE_USE_WIP_CODE=1
Reload systemd and start tsidp service
Now reload systemd and start the service:
systemctl daemon-reload
systemctl enable tsidp --now
systemctl status tsidp
Authenticate
You should see logs indicating the service is running but not yet authenticated:
tsidp[39714]: LocalBackend state is NeedsLogin; running StartLoginInteractive...
To authenticate, run:
journalctl -u tsidp
Look for a URL like:
https://login.tailscale.com/a/<REDACTED>
Open this in your browser and click "Connect".
[Screenshot: Tailscale sign-in]
Once authenticated, your IDP server will appear in your tailnet devices:
[Screenshot: Tailscale Admin Console, tailnet status]
Configure Tailscale ACL
You’ll need to properly tag your devices and update your Tailscale ACLs.
Ensure the `tsidp` device is appropriately tagged:
[Screenshot: Tailscale Admin Console, device tags]
Ensure the Synology NAS device is appropriately tagged:
[Screenshot: Tailscale Admin Console, NAS tag]
Now, we need to set up ACL rules that allow:
- NAS → `tsidp` communication
- User → `tsidp` communication
- User → NAS communication
Since tsidp and the NAS are both tagged with `tag:core-infra`, we can use the following ACL entry to allow NAS to tsidp communication:
{
  "action": "accept",
  "src": ["tag:core-infra"],
  "dst": ["tag:core-infra:*"]
}
And to allow the user to communicate with both Tailscale devices, we can use the `tag:core-services` tag and the new grants syntax:
{
  "src": ["autogroup:member", "autogroup:tagged"],
  "dst": ["tag:core-services"],
  "ip": ["*"]
}
If you wish to customize the claims returned by tsidp, you can now do so, thanks to #15127.
{
  "src": ["group:admins"],
  "dst": ["tag:core-services"],
  "ip": ["*"],
  "app": {
    "tailscale.com/cap/tsidp": [
      {
        "includeInUserInfo": true,
        "extraClaims": {
          "groups": ["admin"],
        },
      }
    ]
  }
},
{
  "src": ["autogroup:member"],
  "dst": ["tag:core-services"],
  "ip": ["*"],
  "app": {
    "tailscale.com/cap/tsidp": [
      {
        "includeInUserInfo": true,
        "extraClaims": {
          "groups": ["reader"],
        },
      }
    ]
  }
}
Example ACL (tailscale.acl.hujson)
{
  "groups": {
    "group:admins": ["cedi@github"]
  },
  "hosts": {
    "nas": "100.71.201.45",
    "nuc": "100.122.149.90",
    "idp": "100.115.22.54"
  },
  "tagOwners": {
    "tag:core-infra": ["group:admins"],
    "tag:core-services": ["group:admins"]
  },
  "acls": [
    {
      "action": "accept",
      "src": ["tag:core-services"],
      "dst": ["tag:core-services:*"]
    },
    {
      "action": "accept",
      "src": ["tag:core-infra"],
      "dst": ["tag:core-infra:*"]
    }
  ],
  "grants": [
    {
      "src": ["autogroup:member", "autogroup:tagged"],
      "dst": ["tag:core-services"],
      "ip": ["*"]
    }
  ],
  "tests": [
    {
      "src": "cedi@github",
      "proto": "tcp",
      "accept": ["idp:443"]
    }
  ]
}
Verifying Connectivity
You can verify that the OIDC server is up:
curl https://idp.<tailnet-name>.ts.net/.well-known/openid-configuration
You should get a full OIDC metadata document in response.
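Before pointing DSM at the well-known URL it is worth checking more than that a document comes back: the issuer must match the URL you configure, the authorization-code flow must be offered, and every endpoint must be HTTPS. The following check is an added example, not part of the original guide or of tsidp; the hostname `idp.example-tailnet.ts.net` and the sample document are constructed, and only `fetch_and_check` needs tailnet access.

```python
"""Sanity-check a tsidp OIDC discovery document before pointing DSM at it.
Added example, not from the original guide or tsidp; hostnames are constructed."""
import json
import ssl
import urllib.request

# Fields an authorization-code client such as DSM's SSO Client relies on.
REQUIRED_KEYS = (
    "issuer", "authorization_endpoint", "token_endpoint", "jwks_uri",
    "response_types_supported", "subject_types_supported",
    "id_token_signing_alg_values_supported",
)

def check_discovery(doc: dict, expected_issuer: str) -> list:
    """Return a list of problems; an empty list means the document is usable."""
    problems = [f"missing {k}" for k in REQUIRED_KEYS if k not in doc]
    if problems:
        return problems
    # Clients compare the issuer with the URL they fetched the document from;
    # http vs https, or a raw tailnet IP instead of the MagicDNS name, fails.
    if doc["issuer"].rstrip("/") != expected_issuer.rstrip("/"):
        problems.append(f"issuer {doc['issuer']!r} != {expected_issuer!r}")
    if "code" not in doc["response_types_supported"]:
        problems.append("authorization code flow not offered")
    # DSM reaches every endpoint over TLS, as it insists on for the redirect URI.
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if not doc[key].startswith("https://"):
            problems.append(f"{key} is not https")
    return problems

def fetch_and_check(base_url: str) -> list:
    """Fetch the live document (requires tailnet access) and check it."""
    url = base_url.rstrip("/") + "/.well-known/openid-configuration"
    ctx = ssl.create_default_context()
    with urllib.request.urlopen(url, timeout=10, context=ctx) as resp:
        return check_discovery(json.load(resp), base_url)

# Constructed sample shaped like a discovery document; not captured tsidp output.
SAMPLE_ISSUER = "https://idp.example-tailnet.ts.net"
SAMPLE_DOC = {
    "issuer": SAMPLE_ISSUER,
    "authorization_endpoint": SAMPLE_ISSUER + "/authorize",
    "token_endpoint": SAMPLE_ISSUER + "/token",
    "jwks_uri": SAMPLE_ISSUER + "/.well-known/jwks.json",
    "response_types_supported": ["code"],
    "subject_types_supported": ["public"],
    "id_token_signing_alg_values_supported": ["RS256"],
}

if __name__ == "__main__":
    print(check_discovery(SAMPLE_DOC, SAMPLE_ISSUER) or "discovery document OK")
```

Run `fetch_and_check("https://idp.<tailnet-name>.ts.net")` from a tailnet member to test the live server; an empty list means DSM should accept the well-known URL.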
Configure Synology NAS as OIDC Client
Open your Synology Control Panel → Domain/LDAP → SSO Client tab and enable OpenID Connect SSO service.
[Screenshot: Synology DSM / SSO Client configuration]
Click Edit to configure the SSO settings:
[Screenshot: Synology DSM / SSO Client configuration]
Use these values:
- Profile: OIDC
- Account Type: Domain/LDAP/local
- Name: Tailscale IDP
- Well-known URL: https://idp.<tailnet-name>.ts.net/.well-known/openid-configuration
- App ID: foo (arbitrary)
- Secret: bar (arbitrary)
- Redirect URI: https://nas.<tailnet-name>.ts.net:5001 (must be HTTPS!)
- Scope: openid
- Username Claim: username
Matching Users
The Synology OIDC client matches the `username` claim from the IDP against local accounts. In this example, the Tailscale login is cedi@github, but tsidp splits on `@`, so the resulting username is just cedi.
Make sure this matches the user on your NAS:
[Screenshot: Synology DSM / User Configuration]
Testing the Login
Now, navigate to your NAS via browser: https://nas.<tailnet-name>.ts.net:5001
You should see an additional SSO Authentication tab on the login screen:
[Screenshot: Synology DSM login screen]
Switch to SSO Authentication and hit the arrow:
[Screenshot: Synology DSM SSO Authentication tab]
Allow your browser’s pop-up and complete the login:
[Screenshot: Synology DSM login pop-up]
Boom! You’re now logged in using Tailscale’s OIDC authentication!