Beginner with SSO and Authentik. What to do next ?

[LeVraiRoiDHyrule]

Hi,

I'm new with SSO and Authentik. I have a fully functionnal installation and for now, I've only setup it for Portainer as it was explained in Authentik's docs. The end goal is to secure all my apps behind it, with OIDC when available or proxy if not. I'm now looking to secure Jellyfin but I'm confused.

I followed the steps here : https://github.com/9p4/jellyfin-plugin-sso/blob/main/providers.md#authentik but now I'm unsure what to do next. I guess I should follow this : https://github.com/9p4/jellyfin-plugin-sso#limitations but I don't know how to do this.

It probably comes from my extremely limited knowledge of OIDC and Authentik, but I don't know with which of my app I should start learning. Jellyfin doesn't seem too complicated so I guess it makes sense to begin with jellyfin. The end goal would be to have all of my users login through Authentik, with, if possible, groups of users which will have different library access and admin rights. I don't know if this is the right place, but could someone with more knowledge guide me a bit on the next steps ?

Thanks in advance for any help, resource, or answer. Have a great day !

[9p4]

Hey! Can you post what config you have for the plugin so far?

[LeVraiRoiDHyrule]

Hey! Can you post what config you have for the plugin so far?

Of course ! Here is my config:

<?xml version="1.0" encoding="utf-8"?>
<PluginConfiguration xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <SamlConfigs />
  <OidConfigs>
    <item>
      <key>
        <string>Authentik</string>
      </key>
      <value>
        <PluginConfiguration>
          <OidEndpoint>https://auth.mydomain.fr/application/o/jellyfin</OidEndpoint>
          <OidClientId>[redacted]</OidClientId>
          <OidSecret>[redacted]</OidSecret>
          <Enabled>true</Enabled>
          <EnableAuthorization>false</EnableAuthorization>
          <EnableAllFolders>false</EnableAllFolders>
          <EnabledFolders />
          <AdminRoles />
          <Roles />
          <EnableFolderRoles>false</EnableFolderRoles>
          <FolderRoleMappings />
          <RoleClaim>groups</RoleClaim>
          <OidScopes>
            <string>["groups"]</string>
          </OidScopes>
          <CanonicalLinks />
        </PluginConfiguration>
      </value>
    </item>
  </OidConfigs>
</PluginConfiguration>

In Authentik, I've setup an application, a provider and a scope maping. I've setup it as it is told in the guide. But to be honest I don't understand most of Authentik settings for now, I just began using it. So I'm starting to learn with Jellyfin to then be able to do it on my own on other services.

[LeVraiRoiDHyrule]

Hi, do you know what I should set up to have a fully functional solution?

[9p4]

Sorry for the late reply, but what does you Authentik config look like?

[LeVraiRoiDHyrule]

Sorry for the late reply, but what does you Authentik config look like?

Hi,

My Authentik config is configured exactly as it is explained in the guide. I did nothing more nor less. I have an app and a provider set up for Jellyfin as well as a property mapping.

But I don't know what I should do next to have my users login through authentik. I'm new to all this.

Have a great day

[9p4]

You want to have your users go to https://yourjellyfin.example.com/sso/OID/p/Authentik (assuming that your Jellyfin is not under a subdomain).

[LeVraiRoiDHyrule]

Ok it works thanks. I have some questions :

• Is there a way to make jellyfin redirect automatically to this url instead of its base login page ?
• How can I have this enabled and still allow my users to connect through apps like the Kodi plugin ? By making an ldap connection in Jellyfin ? Is there other ways ?
• How can I have user groups with different permissions in Authentik and have the permissions in jellyfin done automatically according to that ? For example if I set a user to group X, it has access to these media collection with those rights, or if I set it as admin in authentik it has full access ?

I'm sorry if my questions aren't that clear. Are those behaviour possible ? Thanks in advance for any answer, have a great day.

[9p4]

1. Document How to set login disclaimer + branding css to add SSO links to frontpage #16
2. From Integrate with Kodi Login #70 , set the fallback provider to LDAP that also points to your SSO provider
3. See the adminRoles config. Jellyfin will only set the group to full access if the group is specified here.