I’m considering adding an SSO process in front of my self-hosted apps such as Nextcloud, Calibre-Web and Immich. The thing I’m thinking about, is do I need to make two accounts for each user I want to add? If I have a new user, do I need to make an account for both the SSO provider and the protected app such as Nextcloud? Or does Nextcloud (or some other app) automatically create a new account upon the first authentication with the SSO provider?
Also, which SSO provider do y’all recommend? I would like to have one with a web UI where I can manage the users :)
I use Authelia, and my users are backed by my LDAP server. I basically managed my users directly in LDAP through Apache Directory Studio. If you want something with built-in user management, I believe Keycloak might be a good place to start.
Also, you can use Nextcloud as an OIDC provider and let it be your SSO provider. For apps that don’t support OIDC, you may be able to put them behind OAuth2Proxy and point that your Nextcloud.
It depends on the protected app. Some let you delegate to external auth and will create the account (e.g. Nextcloud) and others may expect some kind of HTTP header containing an identifier to associate with an existing local user (e.g Calibre Web). Most apps I’ve worked with that support OAuth2 usually handle creating the account in the app automatically - the app takes care of that, not the SSO provider.
You’d need to read the docs for the apps you want to have behind SSO to see how each works with external users.
If the app supports SSO and allows user creation, then it’s just a matter of passing the user claims such as username or email which the app expects from your provider.
I use Authentik as my solution, which uses a GUI for user management and supports all major SSO options, from MFA, to OIDC, SAML, LDAP and more.
I use user_oidc on one of my nextcloud instance. It has auto provisioning support, which will create nextcloud user on first login.
- set up a LDAP directory server (i use openldap)
- create users on the LDAP directory server
- setup all services/applications to authenticate users aginst the LDAP server
I ended up just making my own helper container for authelia. It can generate a link that expires after a set time and only allows a set number of users to access. Then I can just give the link to whoever I want to join and they can fill in their own username and pwd. It then adds them to the authelia user db with the correct groups and PW hashing. Only issue is I have to manually restart authelia for the changes to take effect. Eventually I want to see if I can automate that.
I’m still working on editing the configuration through the app though. I want to be able to change the access control rules, etc.
As far as having the services behind authelia automatically detect and login the user, that will depend on the service, but authelia does pass user credentials and login status in the request headers. Many of the services I host were created myself, so it’s pretty trivial to have it automatically “log in” from the authelia sign on.