this post was submitted on 27 Jan 2024
18 points (100.0% liked)

Selfhosted

40313 readers
287 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 1 year ago
MODERATORS
 

I'm considering adding an SSO process in front of my self-hosted apps such as Nextcloud, Calibre-Web and Immich. The thing I'm thinking about, is do I need to make two accounts for each user I want to add? If I have a new user, do I need to make an account for both the SSO provider and the protected app such as Nextcloud? Or does Nextcloud (or some other app) automatically create a new account upon the first authentication with the SSO provider?

Also, which SSO provider do y'all recommend? I would like to have one with a web UI where I can manage the users :)

you are viewing a single comment's thread
view the rest of the comments
[–] brewery@lemmy.ml 1 points 9 months ago

I found that it really depends on the app and how they've set it up. For the vast majority, the users in your SSO will be added to the other app when they first login. I use Authentik and Nextdoor, and the user is automatically created from details from Authentik. Generally you can enable multiple login types so can play with SSO whilst still enabling access until it works. You can usually switch off non-SSO access afterwards too.

You set which field defines the user (e.g. username or email). If there is already a user then it'll just login to that account you already created, so you can also create a user in both.

You can limit access to certain groups of users in Authentik. You can also setup headers that get passed along to apps (e.g. in Nextcloud you can setup a size limit for each group that gets passed on to Nextcloud when they first register - the Authentik or Nextcloud documentation tells you how).

I found quite a few apps don't have SSO functionality, and I usually end up doing a reverse proxy pass through Authentik. Nginx Proxy Manager first goes to Authentik, you login then it'll pass you to the app. If already logged into Authentik, NPM takes you directly to the app. I switched off login altogether on the apps, especially for tools where you don't need users (e.g. Stirling PDF). Only logged users get to the app. Authentik can forward any headers you set so I have a feeling you can use it for the app's own login (though not new users) but not managed to work it out.

One app I tried recently had SSO but you couldn't enable access to the main household for new SSO users so had to create an account in the app first, then SSO would let users login. I ended up not using that app for other reasons anyway.

I do recommend Authentik and you can setup access one by one so definitely try it and see.