habsi/authentik
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

website/integrations: jellyfin: add OIDC configuration (#9538)

Browse Source 
* Jellyfin OIDC Configuration Added

* Formating

* Added code review suggestions

* Forgot some review changes

* More Changes

* Updated documentation

* updated config order
This commit is contained in:
Connor Beard
2024-06-18 14:10:55 -05:00
committed by GitHub
parent 2bd7b80579
commit 7f17c5f212
1 changed files with 99 additions and 13 deletions
Download Patch File Download Diff File Expand all files Collapse all files

112
website/integrations/services/jellyfin/index.md
View File

@ -15,7 +15,7 @@ Jellyfin does not have any native external authentication support as of the writ
::: :::
:::note :::note
Currently, there are two plugins for Jellyfin that provide external authentication, an OIDC plugin and an LDAP plugin. This guide focuses on the use of the LDAP plugin. Currently, there are two plugins for Jellyfin that provide external authentication, an OIDC plugin and an LDAP plugin.
::: :::
:::caution :::caution
@ -26,24 +26,30 @@ An LDAP outpost must be deployed to use the Jellyfin LDAP plugin
The following placeholders will be used: The following placeholders will be used:
- `jellyfin.company.com` is the FQDN of the Jellyfin install. - `jellyfin.company` is the FQDN of the Jellyfin install.
- `authentik.company.com` is the FQDN of the authentik install. - `authentik.company` is the FQDN of the authentik install.
- `ldap.company.com` the FQDN of the LDAP outpost. - `ldap.company` the FQDN of the LDAP outpost.
- `dc=company,dc=com` the Base DN of the LDAP outpost. - `dc=company,dc=com` the Base DN of the LDAP outpost.
- `ldap_bind_user` the username of the desired LDAP Bind User - `ldap_bind_user` the username of the desired LDAP Bind User
## Jellyfin configuration ## LDAP Configuration
### authentik Configuration
No additional authentik configuration needs to be configured. Follow the LDAP outpost instructions to create an LDAP outpost and configure access via the outpost
### Jellyfin configuration
1. If you don't have one already, create an LDAP bind user before starting these steps. 1. If you don't have one already, create an LDAP bind user before starting these steps.
- Ideally, this user doesn't have any permissions other than the ability to view other users. However, some functions do require an account with permissions. - Ideally, this user doesn't have any permissions other than the ability to view other users. However, some functions do require an account with permissions.
- This user must be part of the group that is specified in the "Search group" in the LDAP outpost. - This user must be part of the group that is specified in the "Search group" in the LDAP outpost.
2. Navigate to your Jellyfin installation and log in with the admin account or currently configured local admin. 2. Navigate to your Jellyfin installation and log in with the admin account or currently configured local admin.
3. Open the administrator dashboard and go to the "Plugins" section. 3. Open the **Administrator dashboard** and go to the **Plugins** section.
4. Click "Catalog" at the top of the page, and locate the "LDAP Authentication Plugin" 4. Click **Catalog** at the top of the page, and locate the "LDAP Authentication Plugin"
5. Install the plugin. You may need to restart Jellyfin to finish installation. 5. Install the plugin. You may need to restart Jellyfin to finish installation.
6. Once finished, navigate back to the plugins section of the admin dashboard, click the 3 dots on the "LDAP-Auth Plugin" card, and click settings. 6. Once finished, navigate back to the plugins section of the admin dashboard, click the 3 dots on the "LDAP-Auth Plugin" card, and click settings.
7. Configure the LDAP Settings as follows: 7. Configure the LDAP Settings as follows:
- `LDAP Server`: `ldap.company.com` - `LDAP Server`: `ldap.company`
- `LDAP Port`: 636 - `LDAP Port`: 636
- `Secure LDAP`: **Checked** - `Secure LDAP`: **Checked**
- `StartTLS`: Unchecked - `StartTLS`: Unchecked
@ -58,7 +64,7 @@ The following placeholders will be used:
- `LDAP Base DN for Searches`: the base DN for LDAP queries. To query all users, set this to `dc=company,dc=com`. - `LDAP Base DN for Searches`: the base DN for LDAP queries. To query all users, set this to `dc=company,dc=com`.
- You can specify an OU if you divide your users up into different OUs and only want to query a specific OU. - You can specify an OU if you divide your users up into different OUs and only want to query a specific OU.
At this point, click `Save and Test LDAP Server Settings`. If the settings are correct, you will see: At this point, click **Save and Test LDAP Server Settings**. If the settings are correct, you will see:
`Connect(Success); Bind(Success); Base Search (Found XY Entities)` `Connect(Success); Bind(Success); Base Search (Found XY Entities)`
- `LDAP User Filter`: This is used to a user filter on what users are allowed to login. **This must be set** - `LDAP User Filter`: This is used to a user filter on what users are allowed to login. **This must be set**
@ -70,13 +76,13 @@ At this point, click `Save and Test LDAP Server Settings`. If the settings are c
- `LDAP Admin Filter`: Similar to the user filter, but every matched user is set as admin. - `LDAP Admin Filter`: Similar to the user filter, but every matched user is set as admin.
- This can be left blank. Admins can be set manually outside this filter - This can be left blank. Admins can be set manually outside this filter
At this point, click `Save and Test LDAP Filter Settings`. If the settings are correct, you will see: At this point, click **Save and Test LDAP Filter Settings**. If the settings are correct, you will see:
`Found X user(s), Y admin(s)` `Found X user(s), Y admin(s)`
- `LDAP Attributes`: `uid, cn, mail, displayName` - `LDAP Attributes`: `uid, cn, mail, displayName`
- `Enable case Insensitive Username`: **Checked** - `Enable case Insensitive Username`: **Checked**
At this point, enter a username and click "Save Search Attribute Settings and Query User". If the settings are correct, you will see: At this point, enter a username and click **Save Search Attribute Settings and Query User**. If the settings are correct, you will see:
`Found User: cn=test,ou=users,dc=company,dc=com` `Found User: cn=test,ou=users,dc=company,dc=com`
- `Enabled User Creation`: **Checked** - `Enabled User Creation`: **Checked**
@ -87,6 +93,86 @@ At this point, enter a username and click "Save Search Attribute Settings and Qu
1. Click "Save" 1. Click "Save"
2. Logout, and login with a LDAP user. Username **must** be used, logging in with email will not work. 2. Logout, and login with a LDAP user. Username **must** be used, logging in with email will not work.
## authentik Configuration ## OIDC Configuration
No additional authentik configuration needs to be configured. Follow the LDAP outpost instructions to create an LDAP outpost and configure access via the outpost ### authentik Configuration
**Provider Settings**
In authentik under **Providers**, create an OAuth2/OpenID Provider with these settings:
- Name: `jellyfin`
- Redirect URI: `https://jellyfin.company/sso/OID/redirect/authentik`
Everything else is up to you, just make sure to grab the client ID and the client secret!
:::note
The last part of the URI is the name you use when making the provider in Jellyfin so make sure they are the same.
:::
**Application Settings**
Create an application that uses `jellyfin` provider. Optionally apply access restrictions to the application.
Set the launch URL to `https://jellyfin.company/sso/OID/start/authentik`
### Jellyfin Configuration
1. Navigate to your Jellyfin installation and log in with the admin account or currently configured local admin.
2. Open the **Administrator dashboard** and go to the **Plugins** section.
3. Then click the **Repositories** section at the top and add the below repository with the name of SSO-Auth
```
https://raw.githubusercontent.com/9p4/jellyfin-plugin-sso/manifest-release/manifest.json
```
4. Click the **Catalog** tab on top and install the SSO-Auth with the most recent version.
5. Restart the Jellyfin server.
6. Go back to the plugin tab.
7. Click the SSO-Auth plugin.
8. Fill out the Add / Update Provider Configuration:
- Name of OID Provider: `authentik`
- OID Endpoint: `https://authentik.company/application/o/jellyfin/.well-known/openid-configuration`
- OpenID Client ID: ClientID from provider
- OID Secret: Client Secret from provider
- Enabled: **CHECKED**
- Enable Authorization by Plugin: **CHECKED**
9. If you want to use the role claim then also fill out these:
- Roles: roles to look for when authorizing access (should be done through authentik instead)
- Admin Roles: roles to look for when giving admin privilege
- Role Claim: `groups`
10. Hit **Save** at the bottom.
11. On the left side now click the **General** under dashboard and go to **Branding**.
12. In the login disclaimer put this code and making sure to change the url at the top:
```
<form action="https://jellyfin.company/sso/OID/start/authentik">
<button class="raised block emby-button button-submit">
Sign in with SSO
</button>
</form>
```
13. In the Custom CSS code also add this:
```
a.raised.emby-button {
padding:0.9em 1em;
color: inherit !important;
}
.disclaimerContainer{
display: block;
}
```
14. Click **Save** at the bottom & restart the server.
15. When you are signed out you should now see a **Sign in with SSO** button.
:::note
If you have problems check your logs which are under the **Administration** -> **Dashboard** then "logs" and will be near the bottom (most likely) with `Jellyfin.Plugin.SSO_Auth.` as the start of the lines you are looking for.
:::