Mastodawn

What Self-Hosted Single Sign-On (SSO) do you use?

https://jemmy.jeena.net/post/49166

What Self-Hosted Single Sign-On (SSO) do you use? - Jemmy

I have a lot of different services which I self host for me and my family like: - PeerTube - Lemmy - Mastodon - Synology NAS - TTRSS - NextCloud - Matrix - HomeAssistant - etc. Right now every family member needs to create a user on each of those services and have a different password on them, which is OK when you use a Password Manager, but most of my extended family members don’t. And they often forget their password and stop using the service because they can’t figure out how to reset the password with each and every service. I would like to try to consolidate all of it with a Single Sign-On (SSO) solution but It’s not obvious to me if there is one which is not overly over engineered for hundreds of thousands of users but small and lightweight, perhaps even easy to set up. I tried OpenLDAP but Jesus that was very involved.

Jeena Jul 21, 2023

So I was able to test NextCloud as the provider with PeerTube as the client and it works but there is no way to connect this new login with a already existing user which is terrible 😭 . To get this working I would need to create new users and then move all the videos to those new users.

I gues this problem exists with every of those services which my family already has in use … so it’s mostly practical for new services I guess?

0110010001100010 Jul 21, 2023

Following since I’m new to Lemmy and not sure how to or even if I can save a post. I too am looking for something. I spun up authentik but was quickly overwhelmed with what to do after that, lol. I made it as far as logging in then got…lost no matter what tutorials I tried to follow.

warmaster Jul 21, 2023

cosmos-cloud.io

Maybe try this ? Looks to be focused on simplicity and ease of use.

Cosmos Cloud

Private and secure cloud computing solutions for homes and businesses of all sizes.

Deebster Jul 25, 2023

You can star comments or posts to save them, it might be under the ... menu. You can view your saved posts in your profile.

nbailey Jul 21, 2023

Keycloak is decent. It has its own built in user database, or it can connect to an “upstream” idp like AD, GitHub, google, fb, basically anything that speaks openid or SAML. Then, it can act as an idp to each service you run. It is a bit of a chore to configure, but compared to other SSO servers it’s pretty good (looking at you shibboleth)

pezhore Jul 21, 2023

After about a year of using Keycloak for some #dayjob side projects, I literally just stood it up in my homelab.

It does have a learning curve, but it supports OIDC and SAML - those two should get most internal services covered.

Back end can federate with AD or LDAP - for the real stinkers who refuse to support SSO. (Looking at you Netbox)

Distributed Jul 21, 2023

Lol, our main initiative at work right now is migrating our on prem auth to keycloak.

redcalcium Jul 21, 2023

I use keycloak. Pretty steep learning curve, but once properly set up, it can do pretty much anything.

But if you’re in a pinch, NextCloud can act as an OIDC auth provider out of the box.

Jeena Jul 21, 2023

NextCloud can act as an OIDC auth provider out of the box.

Oh, I did not know that, I’ll have a look, thanks!

redcalcium Jul 21, 2023

Here is the documentation, pretty bare though: docs.nextcloud.com/server/latest/…/oauth2.html

OAuth2 — Nextcloud latest Administration Manual latest documentation

warmaster Jul 21, 2023

Damn, what does Nextcloud NOT do ?

monotux Jul 22, 2023

What. That’s amazing!

Outcide Jul 21, 2023

At the moment I only use lldap. I’ll probably add Authelia at some point …

chandz05 Jul 23, 2023

I use Authelia with lldap and it’s pretty straightforward to setup. Once Authelia is up and running, it’s quite nice managing users and groups through the lldap interface

chiisana Jul 21, 2023

I started trying out FusionAuth and it’s been pretty neat. I off-load my auth to Google because I don’t want yet another username/password nor do I want to be responsible in storing it, but you can certainly use built-in auth if your objective is to stop using external auth. I currently have my Kasm Workspace deployed behind it, so when user lands on Kasm, they get bounced to FusionAuth where there’s a login prompt and Login w/ Google button; when they authenticate (be it through built-in auth or Google in my case), they get bounced back to Kasm Workspace in their account. This was deployed using docker compose, so I just annotate containers I want to protect w/ some labels, traefik handles all the glue work. I really like the way it worked out.

I’d imagine something like Authelia, which gets pushed a lot as well, would be able to offer a similar if not identical workflow.

For Lemmy, at this time, I don’t think it is possible to gate it like that, otherwise inbound federation (i.e.: comment replies to this post) won’t make it into your instance.

citizen Jul 21, 2023

I started integrating Authentik lately based on seeing people recommend it. It has pretty steep learning curve. I had to follow tutorials and even then each integration have its own quirks. I got stuck on integrating my internal e-mail server with ldap provider (via authentik). It’s definitely capable but it’s a project to integrate all services.

Joe Jul 21, 2023

I switched from Keycloak to Authentik because I thought it would be simpler. In some ways it is, but in others it so isn’t.

Still like it though.

btobolaski Jul 21, 2023

I really like Authentik after using keycloak for quite a while.

warmaster Jul 21, 2023

How would you compare it ?

Lem453 Jul 21, 2023

Other SSO options are just a tough if not more complex than authentik. If you use docker and are self hosting, this is a great option. Provides basically every SSO option to connect all your services, especially if you combine it with a good reverse proxy like traefik to provide SSO to simple webapps.

gabe565 Jul 21, 2023

+1 for Authentik! It definitely has a steep learning curve, but once you get comfortable with it, it’s really versatile. The integration docs have tons of walkthroughs for setting up Authentik with different apps which is epecially helpful when getting started.

Applications | authentik

Below is a list of all applications that are known to work with authentik.

DolceTriade Jul 21, 2023

I’ve found Zitadel to be the best open source Oauth2 provider. It also supports terraform for a fully IaC approach to declaring your users and their permissions.

Onion6068 Jul 21, 2023

I can only support that. This is what I am running for my small business as well and it’s been super smooth for roughly a year now! Especially self service and auto-registering based on domain names turned out to be really nice features (for a business). In my homelab I just enjoy having a nice ui.

https://github.com/zitadel/zitadel

https://zitadel.com/

I came from Authentik which was nice too but nowhere as feature rich as zitadel.

GitHub - zitadel/zitadel: ZITADEL - Identity infrastructure, simplified for you.

ZITADEL - Identity infrastructure, simplified for you. - zitadel/zitadel

GitHub

nickwitha_k (he/him)Jul 21, 2023

I’d suggest something like Keycloak or earning the wizard robe and beard by buckling down and learning OpenLDAP. The biggest suggestion that I have though is to have a disaster recovery plan for even your auth system goes down. Don’t be like Facebook and lock yourself out without any hope of regaining entry (or, if you’re a fan of Russian Roulette, do).

Deebster Jul 25, 2023

What's your DR plan? My "plan" is to SSH in and figure out what's wrong.

nickwitha_k (he/him)Jul 26, 2023

I’m still trying to cover up with a good one to allow more self-hosting. Probably a SHTF security key kept in a safe that can be used with physical access.

My “plan” is to SSH in and figure out what’s wrong.

The problem here being that you have a circular dependency:

SSH auth requires OpenLDAP/Keycloak

SSH access is required to fix broken OpenLDAP/Keycloak

GOTO 1

Deebster Jul 27, 2023

My SSH auth uses SSH keys stored in authorized_keys, but I see your point. For me, OpenLDAP will be letting users in to the various services and SSH is outside that. I suppose SFTP could be something I want, but I'd be tempted to put a new sshd inside a container and have it more restricted than the system one.

I think the backup key idea is definitely the most broadly applicable, but there's physical/KVM for a more old school access route.

nickwitha_k (he/him)Jul 27, 2023

That makes sense. I like the idea of combining physical key with physical/KVM access so that there is no password auth (at least, not without a second factor).

nakal Jul 21, 2023

I used plain Kerberos. I stopped, because sometimes I don't want to be logged in automatically. Privacy and multi-account systems get more difficult.

loke Jul 21, 2023

Same. I still use Kerberos, but I use kinot manually when I want to authenticate. It does force me to type the password more often but the benefits outweigh that.

Ananace Jul 21, 2023

Personally using Dex, it’s about as lightweight as you can get, it can be configured with a single configuration file on disk, and it runs entirely stateless as well.

It only deals with authentication delegation though, unlike larger systems like Keycloak.

Dex

Federate Identity Provider

Dex

RegalPotoo Jul 21, 2023

I use Keycloak and OpenLDAP, but if I was setting it up again I’d probably just use Authentik

poVoq Jul 21, 2023

github.com/lldap/lldap is nice and easy.

GitHub - lldap/lldap: Light LDAP implementation

Light LDAP implementation. Contribute to lldap/lldap development by creating an account on GitHub.

GitHub

philwinder Jul 21, 2023

Might not be quite what you want, but if you just need to block all access to everything unless logged in, then integrating a hosted SSO into your ingress is a simple, low management option.

I've been using an old trafeik setup with Google's SSO, whitelisting certain accounts, and had no problems with it for years.

yiliu Jul 21, 2023

What I would dearly like is an SSO system that can also act as a drop-in replacement for Kerberos. Existing krb5 servers (on Linux) are ancient, quirky, and underdocumented, but kerberos is so useful at a CLI level. I’ve always maintained separate LDAP & Kerberos instances, and the thing stopping me from moving to something more modern is that I’m holding out for that kerberos feature…

monotux Jul 22, 2023

I use authelia. It’s pretty straight forward to get started with, I just use the yaml user file and a SQLite database for sessions. I’m running it in podman with auto updates enabled for the tag I’m using (can’t remember which tag, but not latest).

I then use their tutorials as a base for the systems I want to use oidc with (grafana, miniflux…), or just redirect traffic through my reverse proxy to services that lacks proper authentication (looking at you, *arr stack).

I use caddy and traefik for reverse proxy, and it’s very simple to use forward_auth and similar with it.

It took an evening to figure it out but it’s well worth it!

namelivia Jul 22, 2023

I use Pomerium! www.pomerium.com/docs

What is Pomerium? | Pomerium

Pomerium builds secure, clientless connections to internal web apps and services without a corporate VPN.

merely rhys Jul 27, 2023

@jeena I think considering it just an SSO solution would be doing it wrong, but Authelia works for my use cases: https://www.authelia.com

I use it by sticking it in front of everything on my domain that I want to require me to authenticate with my YubiKey. Auth once against it for any of my services and I'm authed against them all. Very handy in combination with my dashy dashboard.

Authelia

Authelia is an open-source authentication and authorization server and portal fulfilling the identity and access management (IAM) role of information security in providing multi-factor authentication and single sign-on (SSO) for your applications via a web portal. Authelia is an OpenID Connect 1.0 Provider which is OpenID Certified™ allowing comprehensive integrations, and acts as a companion for common reverse proxies.

Authelia