Zitadel setup guide

[aldervall]

SSO Login Guide for Jellyfin with ZITADEL

1. Create a New Project in ZITADEL

1. Login to your ZITADEL instance.
2. Create a new project and name it whatever you like.

2. Configure the Project for Code Flow

Choose CODE as the flow type.

Redirect URIs

Add the following Redirect URIs:

• https://jellyfin.YOURSERVER.COM/sso/OID/r/zitadel
• https://jellyfin.YOURSERVER.COM/sso/OID/redirect/zitadel

Post Logout URIs

Add the following Post Logout URI:

• https://jellyfin.YOURSERVER.COM

Press Continue and Create.

3. Copy Credentials

• Copy your Client Secret and Client ID for later use.

4. Configure Roles in ZITADEL

1. Mark Assert Roles on Authentication.
2. Mark Check authorization on Authentication and press Save.
3. Go to the Roles section.

Create Groups

Create the following three groups:

• jellyfin_user
• jellyfin_tv
• jellyfin_admin

. Go to your Organization and Copy your Organization's Resource ID from ZITADEL.

5. Set Up SSO in Jellyfin

1. Go to Jellyfin and download/setup the SSO plugin.
2. Add the following configuration:

OID Endpoint:

• https://zitadel.YOURSERVER.COM/.well-known/openid-configuration

`

OpenID Client ID:

• Add your Client ID from Zitadel

OID Secret:

• Add your Client Secret from Zitadel

Example Role Mappings

Here are example role mappings to use in your configuration:
Change it to your organization: {"jellyfin_tv":{"{ORGANIZATIONID":"{PRIMARYDOMAIN.COM}"}}

{"jellyfin_user":{"265153045849972739":"{demo-vendor.com}"}}
{"jellyfin_tv":{"265153045849972739":"{demo-vendor.com}"}}
{"jellyfin_admin":{"265153045849972739":"{demo-vendor.com}"}}

Admin Roles:

Change it to your organization: {"jellyfin_admin":{"{ORGANIZATIONID":"{PRIMARYDOMAIN.COM}"}}

{"jellyfin_admin":{"265153045849972739":"{demo-vendor.com}"}}

Live TV Roles:

{"jellyfin_tv":{"265153045849972739":"{demo-vendor.com}"}}
{"jellyfin_admin":{"265153045849972739":"{demo-vendor.com}"}}

Live TV Management Roles:

Change it to your organization: {"jellyfin_tv":{"{ORGANIZATIONID":"{PRIMARYDOMAIN.COM}"}}

{"jellyfin_tv":{"265153045849972739":"{demo-vendor.com}"}}
{"jellyfin_admin":{"265153045849972739":"{demo-vendor.com}"}}

Scopes and Claims

Add the following scopes and claims:

• Role Claims:

urn:zitadel:iam:org:project:{projectResourceId}:roles

• Scopes:

openid
email
profile
urn:zitadel:iam:org:project:id:zitadel:aud
urn:zitadel:iam:org:project:{projectResourceId}:roles

• Set default Provider:

Jellyfin.Server.Implementations.Users.DefaultAuthenticationProvider

• Set default username claim:

preferred_username

• Scheme Override:
  I'm configuring mine to use HTTPS, but your setup might be different.

 https

Save the configuration**:

6. Add Users in ZITADEL

• Add users to the project to authenticate and ad them to a role.

I've encountered issues when assigning two roles to a single user in Zitadel. Jellyfin will responds with a 'Permission Denied' error.

7. Test the SSO Setup

1. Go to:

https://jellyfin.YOURSERVER.com/sso/OID/start/zitadel

2. Try to login with SSO to verify the setup.

[9p4]

If you're willing, would you like to create a PR to add this to the official docs? https://github.com/9p4/jellyfin-plugin-sso/blob/main/providers.md

[ilbarone87]

@aldervall thank you very much for this guide! I've tried to set it up too with zitadel but I seem to be stuck on error "Error. Check permissions." when trying to access https://jellyfin.mydomain.net/sso/OID/start/zitadel

This is my xml:

<?xml version="1.0" encoding="utf-8"?>
<PluginConfiguration xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <SamlConfigs />
  <OidConfigs>
    <item>
      <key>
        <string>zitadel</string>
      </key>
      <value>
        <PluginConfiguration>
          <OidEndpoint>https://zitadel.mydomain.net/.well-known/openid-configuration</OidEndpoint>
          <OidClientId>291603344764502395</OidClientId>
          <OidSecret>SUPERSECRETDOMAIN</OidSecret>
          <Enabled>true</Enabled>
          <EnableAuthorization>true</EnableAuthorization>
          <EnableAllFolders>true</EnableAllFolders>
          <EnabledFolders />
          <AdminRoles>
            <string>{"jellyfin_admin":{"259430593291419955":"{myorg.zitadel.mydomain.net}"}}</string>
          </AdminRoles>
          <Roles>
            <string>{"jellyfin_admin":{"259430593291419955":"{myorg.zitadel.mydomain.net}"}}</string>
          </Roles>
          <EnableFolderRoles>false</EnableFolderRoles>
          <EnableLiveTvRoles>false</EnableLiveTvRoles>
          <EnableLiveTv>false</EnableLiveTv>
          <EnableLiveTvManagement>false</EnableLiveTvManagement>
          <LiveTvRoles>
            <string>{"jellyfin_admin":{"259430593291419955":"{myorg.zitadel.mydomain.net}"}}</string>
          </LiveTvRoles>
          <LiveTvManagementRoles>
            <string>{"jellyfin_admin":{"259430593291419955":"{myorg.zitadel.mydomain.net}"}}</string>
          </LiveTvManagementRoles>
          <FolderRoleMappings />
          <RoleClaim>urn:zitadel:iam:org:project:{291603061934129531}:roles</RoleClaim>
          <OidScopes>
            <string>openid</string>
            <string>email</string>
            <string>profile</string>
            <string>urn:zitadel:iam:org:project:id:zitadel:aud</string>
            <string>urn:zitadel:iam:org:project:{291603061934129531}:roles</string>
          </OidScopes>
          <DefaultProvider>Jellyfin.Server.Implementations.Users.DefaultAuthenticationProvider</DefaultProvider>
          <SchemeOverride>https</SchemeOverride>
          <NewPath>true</NewPath>
          <CanonicalLinks />
          <DefaultUsernameClaim>preferred_username</DefaultUsernameClaim>
          <DisableHttps>false</DisableHttps>
          <DoNotValidateEndpoints>false</DoNotValidateEndpoints>
          <DoNotValidateIssuerName>false</DoNotValidateIssuerName>
        </PluginConfiguration>
      </value>
    </item>
  </OidConfigs>
</PluginConfiguration>

Log from Jellyfin
[2024-10-30 17:26:07.289 +00:00] [WRN] OpenID user "259430593291485491" has one or more incorrect role claims: [{ Type: "amr", Value: "user" }, { Type: "amr", Value: "mfa" }, { Type: "azp", Value: "291603344764502395" }, { Type: "client_id", Value: "291603344764502395" }, { Type: "email", Value: "zitadel-admin-sa@zitadel.mydomain.net" }, { Type: "email_verified", Value: "True" }, { Type: "family_name", Value: "admin" }, { Type: "gender", Value: "male" }, { Type: "given_name", Value: "admin" }, { Type: "groups", Value: "jellyfin_admin" }, { Type: "locale", Value: "en" }, { Type: "name", Value: "admin admin" }, { Type: "nickname", Value: "nickname" }, { Type: "preferred_username", Value: "zitadel-admin-sa@zitadel.mydomain.net" }, { Type: "sid", Value: "V1_291600807009190267" }, { Type: "sub", Value: "259430593291485491" }, { Type: "updated_at", Value: "1711129531" }, { Type: "urn:zitadel:iam:org:project:291603061934129531:roles", Value: "{\"jellyfin_admin\":{\"259430593291419955\":\"myorg.zitadel.mydomain.net\"}}" }, { Type: "urn:zitadel:iam:org:project:roles", Value: "{\"jellyfin_admin\":{\"259430593291419955\":\"myorg.zitadel.mydomain.net\"}}" }, { Type: "email_verified", Value: "true" }]. Expected any one of: ["{\"jellyfin_admin\":{\"259430593291419955\":\"{myorg.zitadel.mydomain.net}\"}}"]

Something to notice: if I remove the Roles mapping I can login without issue (user doesn't have any permission and that's expected) but still is a problem since manually given permissions just get overwritten every log in.

[ilbarone87]

Still same.
Have also added another domain and tried {"jellyfin_admin":{"{ORGANIZATIONID":"{PRIMARYDOMAIN.COM}"}} with zitadel.mydomain.net. Still same error

[ilbarone87]

Do you mind dropping me your SSO-Auth.xml (cleaned from your personal details) so i can compare it please?

[aldervall]

<?xml version="1.0" encoding="utf-8"?>
<PluginConfiguration xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <SamlConfigs />
  <OidConfigs>
    <item>
      <key>
        <string>zitadel</string>
      </key>
      <value>
        <PluginConfiguration>
          <OidEndpoint>https://example.com/.well-known/openid-configuration</OidEndpoint>
          <OidClientId>CLIENT_ID_PLACEHOLDER</OidClientId>
          <OidSecret>SECRET_PLACEHOLDER</OidSecret>
          <Enabled>true</Enabled>
          <EnableAuthorization>true</EnableAuthorization>
          <EnableAllFolders>true</EnableAllFolders>
          <EnabledFolders />
          <AdminRoles>
            <string>{"jellyfin_admin":{"ROLE_ID_PLACEHOLDER":"example.com"}}</string>
          </AdminRoles>
          <Roles>
            <string>{"jellyfin_user":{"ROLE_ID_PLACEHOLDER":"example.com"}}</string>
            <string>{"jellyfin_tv":{"ROLE_ID_PLACEHOLDER":"example.com"}}</string>
            <string>{"jellyfin_admin":{"ROLE_ID_PLACEHOLDER":"example.com"}}</string>
          </Roles>
          <EnableFolderRoles>false</EnableFolderRoles>
          <EnableLiveTvRoles>true</EnableLiveTvRoles>
          <EnableLiveTv>false</EnableLiveTv>
          <EnableLiveTvManagement>false</EnableLiveTvManagement>
          <LiveTvRoles>
            <string>{"jellyfin_tv":{"ROLE_ID_PLACEHOLDER":"example.com"}}</string>
            <string>{"jellyfin_admin":{"ROLE_ID_PLACEHOLDER":"example.com"}}</string>
          </LiveTvRoles>
          <LiveTvManagementRoles>
            <string>{"jellyfin_admin":{"ROLE_ID_PLACEHOLDER":"example.com"}}</string>
            <string>{"jellyfin_tv":{"ROLE_ID_PLACEHOLDER":"example.com"}}</string>
          </LiveTvManagementRoles>
          <FolderRoleMappings />
          <RoleClaim>urn:zitadel:roles</RoleClaim>
          <OidScopes>
            <string>openid</string>
            <string>email</string>
            <string>profile</string>
            <string>urn:zitadel:aud</string>
            <string>urn:zitadel:roles</string>
          </OidScopes>
          <DefaultProvider>Default.AuthenticationProvider</DefaultProvider>
          <SchemeOverride>https</SchemeOverride>
          <NewPath>true</NewPath>
          <CanonicalLinks>
            <item>
              <key>
                <string>test</string>
              </key>
              <value>
                <guid>GUID_PLACEHOLDER_1</guid>
              </value>
            </item>
            <item>
              <key>
                <string>example@example.com</string>
              </key>
              <value>
                <guid>GUID_PLACEHOLDER_2</guid>
              </value>
            </item>
            <item>
              <key>
                <string>username</string>
              </key>
              <value>
                <guid>GUID_PLACEHOLDER_3</guid>
              </value>
            </item>
            <item>
              <key>
                <string>another@example.com</string>
              </key>
              <value>
                <guid>GUID_PLACEHOLDER_4</guid>
              </value>
            </item>
            <item>
              <key>
                <string>user@example.com</string>
              </key>
              <value>
                <guid>GUID_PLACEHOLDER_5</guid>
              </value>
            </item>
          </CanonicalLinks>
          <DefaultUsernameClaim>preferred_username</DefaultUsernameClaim>
          <DisableHttps>false</DisableHttps>
          <DoNotValidateEndpoints>false</DoNotValidateEndpoints>
          <DoNotValidateIssuerName>false</DoNotValidateIssuerName>
        </PluginConfiguration>
      </value>
    </item>
  </OidConfigs>
</PluginConfiguration>

[ilbarone87]

minimal differences with mine. Have edited to match yours btw, still not working

[areitz86]

just tried the walkthrough. got the same results "Error. Check permissions."