You're right probably not everything will support SSO but you'll be surprised with how many actually do in some capacity.
Nextcloud, Mealie, Portainer, Proxmox, Jellyfin and by extension jellyseerr Are just some of the things I run that support it. And your *arrs could support it in some capacity by putting the proxy Auth in front and removing the password from the application.
I went for it because the applications other people use that I'd like to manage have the support for it.
Sure in my and most people's homelab it's overkill, but it's fun!
How does sso work with the jellyfin clients like the android and roku clients?
The whole point of a homelab is traditionally overkill, so I don’t think there is such a line :)
Too much for a home lab?
Is this a challenge? People here have better equipment at home than my isp does. Don’t challenge this sub lol
As you said: Not all of your containers will support SSO. Therefore, having Authentik in front does not bring that many benefits. You would still have to login to the proxy service regularly as of now. If the service supports basic auth though, you can passthrough those creds directly via Authentik.
Nonetheless, the service would sit behind Authentik. So it could be seen as an additional authentication wall or security measure to restrict unauthorized access. As everything runs on local lan or behind VPN, it's questionable whether Authentik is beneficial in your case.
For proxied services that support SSO, Authentik is great. The learning curve is a bit steep, due to custom namings like flows, binds etc. but once you get it, it's quite easy. If you want a more lightweight alternative, may have a look into Authelia.
I personally do not implement such auth providers due to the missing SSO support of many apps. I use a password manager nonetheless, so logging in is not really a hassle. I do use Authelia though in front of services that do not support any auth at all.
I just setup Authentik and it's definitely the most confusing self-hosted thing I've setup thus far. But eventually with YouTube tutorials and a lot of Googling, I got the gist of it.
But as others have pointed out, you can only really use it with some services. I use it with the *arrs and with Homepage.
I mostly wanted to try it because Homepage doesn't support any authentication at all. So it was this or basic auth via NPM.
Authentik rules, highly recommend. Its a nice to have for a homelab, but definitely not required (it does take a lot of configuration to get correct).
I use Authentik exclusively for Immich and I have no regrets. The application is wonderful and I can use for other things if needed.
Immich is the only service that I host and expose that contains important data, so having the SSO (which I also have 2FA) already adds a lot of comfort to my mind.
edit: after reading some comments I believe my experience was a little bit different than from most of the people.
I'm using docker to host it in my local server and I expose it through Headscale + Tailscale + Nginx (exposed as well).
I agree that it could be overkill depending on your use cases but, as someone that isn't that experienced, I didn't have any problems with setting it up.
Creating the app for Immich was also simple for me and I just followed the docs briefly.
Of course, as I'm mentioning since the start, I'm using a single application which supports SSO by default, so I understand a lot of people having problems with it.
You're right probably not everything will support SSO but you'll be surprised with how many actually do in some capacity.
Nextcloud, Mealie, Portainer, Proxmox, Jellyfin and by extension jellyseerr Are just some of the things I run that support it. And your *arrs could support it in some capacity by putting the proxy Auth in front and removing the password from the application.
I went for it because the applications other people use that I'd like to manage have the support for it.
Sure in my and most people's homelab it's overkill, but it's fun!
How does sso work with the jellyfin clients like the android and roku clients?
More replies
More replies
The whole point of a homelab is traditionally overkill, so I don’t think there is such a line :)
Too much for a home lab?
Is this a challenge? People here have better equipment at home than my isp does. Don’t challenge this sub lol
As you said: Not all of your containers will support SSO. Therefore, having Authentik in front does not bring that many benefits. You would still have to login to the proxy service regularly as of now. If the service supports basic auth though, you can passthrough those creds directly via Authentik.
Nonetheless, the service would sit behind Authentik. So it could be seen as an additional authentication wall or security measure to restrict unauthorized access. As everything runs on local lan or behind VPN, it's questionable whether Authentik is beneficial in your case.
For proxied services that support SSO, Authentik is great. The learning curve is a bit steep, due to custom namings like flows, binds etc. but once you get it, it's quite easy. If you want a more lightweight alternative, may have a look into Authelia.
I personally do not implement such auth providers due to the missing SSO support of many apps. I use a password manager nonetheless, so logging in is not really a hassle. I do use Authelia though in front of services that do not support any auth at all.
I use authelia and lldap.
Tried Authentik, it used too much memory.
More replies
I just setup Authentik and it's definitely the most confusing self-hosted thing I've setup thus far. But eventually with YouTube tutorials and a lot of Googling, I got the gist of it.
But as others have pointed out, you can only really use it with some services. I use it with the *arrs and with Homepage.
I mostly wanted to try it because Homepage doesn't support any authentication at all. So it was this or basic auth via NPM.
More replies
Authentik rules, highly recommend. Its a nice to have for a homelab, but definitely not required (it does take a lot of configuration to get correct).
I use Authentik exclusively for Immich and I have no regrets. The application is wonderful and I can use for other things if needed.
Immich is the only service that I host and expose that contains important data, so having the SSO (which I also have 2FA) already adds a lot of comfort to my mind.
edit: after reading some comments I believe my experience was a little bit different than from most of the people.
I'm using docker to host it in my local server and I expose it through Headscale + Tailscale + Nginx (exposed as well).
I agree that it could be overkill depending on your use cases but, as someone that isn't that experienced, I didn't have any problems with setting it up.
Creating the app for Immich was also simple for me and I just followed the docs briefly.
Of course, as I'm mentioning since the start, I'm using a single application which supports SSO by default, so I understand a lot of people having problems with it.
More replies