I have a lot of different services which I self-host for me and my family, like:

  • PeerTube
  • Lemmy
  • Mastodon
  • Synology NAS
  • TTRSS
  • NextCloud
  • Matrix
  • HomeAssistant
  • etc.

Right now every family member needs to create a user on each of those services and have a different password on them, which is OK when you use a Password Manager, but most of my extended family members don’t. And they often forget their password and stop using the service because they can’t figure out how to reset the password with each and every service.

I would like to try to consolidate all of it with a Single Sign-On (SSO) solution, but it’s not obvious to me if there is one which is not overly over-engineered for hundreds of thousands of users but small and lightweight, perhaps even easy to set up.

I tried OpenLDAP but Jesus that was very involved.

  • redcalcium
    13
    2 years ago

    I use keycloak. Pretty steep learning curve, but once properly set up, it can do pretty much anything.

    But if you’re in a pinch, NextCloud can act as an OIDC auth provider out of the box.

  • JeenaOP
    3
    2 years ago

    So I was able to test NextCloud as the provider with PeerTube as the client and it works, but there is no way to connect this new login with an already existing user, which is terrible 😭 . To get this working I would need to create new users and then move all the videos to those new users.

    I guess this problem exists with every one of those services which my family already has in use … so it’s mostly practical for new services, I guess?
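The linking problem described above is something the client service has to solve, not the identity provider. As an added example (not code from PeerTube, NextCloud or any poster here), this is the decision logic a service could run after it has validated an OIDC login: reuse an already linked identity, otherwise link to an existing local account only when the provider asserts the e-mail address is verified, and otherwise fall back to a manual link or a fresh account. The issuer URL, user records and claims are constructed sample data.

```python
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class LocalUser:
    """A pre-existing account in the service (e.g. a PeerTube user)."""
    username: str
    email: str
    # Linked external identities: issuer URL -> stable "sub" claim from that IdP
    identities: dict = field(default_factory=dict)


# Constructed sample user database, keyed by username.
USERS = {
    "jeena": LocalUser("jeena", "jeena@example.org"),
    "mom": LocalUser("mom", "mom@example.org"),
}


def find_by_identity(issuer: str, sub: str) -> LocalUser | None:
    for user in USERS.values():
        if user.identities.get(issuer) == sub:
            return user
    return None


def find_by_email(email: str) -> LocalUser | None:
    wanted = email.lower()
    for user in USERS.values():
        if user.email.lower() == wanted:
            return user
    return None


def resolve_login(issuer: str, claims: dict) -> tuple[str, LocalUser | None]:
    """Map already-validated OIDC claims to a local account.

    Returns (action, user), where action is one of:
      "login"  - identity already linked, just log the user in
      "linked" - matched an existing account by verified e-mail and linked it
      "manual" - e-mail matched but is not verified; do not auto-link
      "new"    - no match; the caller may create a fresh account
    """
    sub = claims["sub"]
    user = find_by_identity(issuer, sub)
    if user is not None:
        return "login", user

    email = claims.get("email")
    if email:
        candidate = find_by_email(email)
        if candidate is not None:
            # Only trust the address for linking when the IdP has verified it;
            # an unverified e-mail claim must never be enough to take over
            # an existing account.
            if claims.get("email_verified") is True:
                candidate.identities[issuer] = sub
                return "linked", candidate
            return "manual", candidate
    return "new", None


if __name__ == "__main__":
    issuer = "https://sso.example.home"  # constructed issuer URL
    print(resolve_login(issuer, {"sub": "abc123", "email": "jeena@example.org",
                                 "email_verified": True}))
    print(resolve_login(issuer, {"sub": "abc123"}))  # second login: already linked
```

The point of the `"manual"` branch is that matching on e-mail alone is an account-takeover risk unless the provider vouches for the address; a service without such logic is exactly the situation where migrating existing users means moving their content to new accounts.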

  • philwinder
    4
    2 years ago

    Might not be quite what you want, but if you just need to block all access to everything unless logged in, then integrating a hosted SSO into your ingress is a simple, low management option.

    I’ve been using an old Traefik setup with Google’s SSO, whitelisting certain accounts, and had no problems with it for years.

  • @yiliu@informis.land
    2
    2 years ago

    What I would dearly like is an SSO system that can also act as a drop-in replacement for Kerberos. Existing krb5 servers (on Linux) are ancient, quirky, and underdocumented, but kerberos is so useful at a CLI level. I’ve always maintained separate LDAP & Kerberos instances, and the thing stopping me from moving to something more modern is that I’m holding out for that kerberos feature…

  • @citizen@sh.itjust.works
    13
    2 years ago

    I started integrating Authentik lately based on seeing people recommend it. It has a pretty steep learning curve. I had to follow tutorials and even then each integration has its own quirks. I got stuck on integrating my internal e-mail server with the LDAP provider (via Authentik). It’s definitely capable but it’s a project to integrate all services.

    • gabe565
      2
      2 years ago

      +1 for Authentik! It definitely has a steep learning curve, but once you get comfortable with it, it’s really versatile. The integration docs have tons of walkthroughs for setting up Authentik with different apps, which is especially helpful when getting started.

    • @Lem453@lemmy.ca
      3
      edit-2
      2 years ago

      Other SSO options are just as tough if not more complex than Authentik. If you use Docker and are self-hosting, this is a great option. Provides basically every SSO option to connect all your services, especially if you combine it with a good reverse proxy like Traefik to provide SSO to simple web apps.

      If you are setting up a self-hosted infrastructure and have some experience, I highly recommend checking out Techno Tim’s “SSL everywhere” video for wildcard SSL with Traefik, and then combine that with Authentik for SSO with both local-only and internet-accessible apps.

  • @nbailey@lemmy.ca
    28
    2 years ago

    Keycloak is decent. It has its own built-in user database, or it can connect to an “upstream” IdP like AD, GitHub, Google, FB, basically anything that speaks OpenID or SAML. Then it can act as an IdP to each service you run. It is a bit of a chore to configure, but compared to other SSO servers it’s pretty good (looking at you, Shibboleth).
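What “acting as an IdP to each service” means in practice is the OpenID Connect authorization code flow. As an added example (not Keycloak’s code, nor any poster’s), this runs one complete login in a single process: the service sends the user to the IdP, the IdP hands back a one-time code, the service redeems it at the token endpoint and then validates the ID token it receives. The IdP and service are stand-ins, the issuer URL, client and redirect URI are constructed, and the tokens are HS256-signed JWTs using the client secret (which OIDC Core permits for confidential clients; real deployments more often use RS256 with published keys).

```python
from __future__ import annotations
import base64, hashlib, hmac, json, secrets, time


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def jwt_sign(claims: dict, key: bytes) -> str:
    """Serialise claims as an HS256 JWT: header.payload.signature."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    mac = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(mac)}"


def jwt_verify(token: str, key: bytes) -> dict:
    """Pin the algorithm and check the signature before trusting any claim."""
    header, payload, sig = token.split(".")
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    mac = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(mac, _b64url_decode(sig)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(payload))


class ToyIdP:
    """Stand-in for the identity provider (Keycloak, Authentik, Dex, ...)."""

    def __init__(self, issuer: str, clients: dict):
        self.issuer = issuer
        self.clients = clients  # client_id -> {"secret": str, "redirect_uris": [...]}
        self.codes: dict = {}   # outstanding one-time authorization codes

    def authorize(self, client_id, redirect_uri, nonce, sub, email) -> str:
        # The user has already authenticated at the IdP (password, upstream
        # provider, ...); issue a short-lived code bound to this client,
        # redirect URI and nonce.
        client = self.clients.get(client_id)
        if client is None or redirect_uri not in client["redirect_uris"]:
            raise ValueError("unknown client or redirect_uri")
        code = secrets.token_urlsafe(16)
        self.codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                            "nonce": nonce, "sub": sub, "email": email,
                            "exp": time.time() + 60}
        return code

    def token(self, code, client_id, client_secret, redirect_uri) -> str:
        grant = self.codes.pop(code, None)  # a code can be redeemed only once
        client = self.clients.get(client_id)
        if (grant is None or client is None
                or grant["client_id"] != client_id
                or grant["redirect_uri"] != redirect_uri
                or grant["exp"] < time.time()
                or not hmac.compare_digest(client["secret"], client_secret)):
            raise ValueError("invalid grant")
        now = int(time.time())
        claims = {"iss": self.issuer, "sub": grant["sub"], "aud": client_id,
                  "iat": now, "exp": now + 300, "nonce": grant["nonce"],
                  "email": grant["email"], "email_verified": True}
        return jwt_sign(claims, client["secret"].encode())


def validate_id_token(token, issuer, client_id, client_secret, nonce) -> dict:
    """The checks the relying party (PeerTube, Nextcloud, ...) must perform."""
    claims = jwt_verify(token, client_secret.encode())
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    if claims.get("aud") != client_id:
        raise ValueError("token was not issued for this client")
    if claims.get("exp", 0) < time.time():
        raise ValueError("token expired")
    if claims.get("nonce") != nonce:
        raise ValueError("nonce mismatch: token does not belong to this session")
    return claims


# Constructed sample deployment: one IdP and one registered service.
ISSUER = "https://sso.example.home"
CLIENT_ID, CLIENT_SECRET = "peertube", secrets.token_urlsafe(32)
REDIRECT = "https://peertube.example.home/callback"
IDP = ToyIdP(ISSUER, {CLIENT_ID: {"secret": CLIENT_SECRET, "redirect_uris": [REDIRECT]}})


def run_flow(sub="user-42", email="mom@example.home") -> dict:
    """One complete login: service -> IdP (code) -> service (token) -> validate."""
    nonce = secrets.token_urlsafe(16)  # the service keeps this in the user's session
    code = IDP.authorize(CLIENT_ID, REDIRECT, nonce, sub, email)
    id_token = IDP.token(code, CLIENT_ID, CLIENT_SECRET, REDIRECT)
    return validate_id_token(id_token, ISSUER, CLIENT_ID, CLIENT_SECRET, nonce)


if __name__ == "__main__":
    print(run_flow())
```

The checks in `validate_id_token` are the ones that matter when wiring a service to any of the providers discussed in this thread: a token signed by the right issuer but addressed to a different client, or carrying a nonce from another session, must be rejected, and the single-use code in `ToyIdP.token` is what stops a captured redirect from being replayed.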

    • @pezhore@lemmy.ml
      8
      2 years ago

      After about a year of using Keycloak for some #dayjob side projects, I literally just stood it up in my homelab.

      It does have a learning curve, but it supports OIDC and SAML; those two should get most internal services covered.

      The back end can federate with AD or LDAP for the real stinkers who refuse to support SSO. (Looking at you, Netbox.)

  • nakal
    1
    2 years ago

    I used plain Kerberos. I stopped, because sometimes I don’t want to be logged in automatically. Privacy and multi-account systems get more difficult.

    • loke
      1
      edit-2
      2 years ago

      Same. I still use Kerberos, but I use kinit manually when I want to authenticate. It does force me to type the password more often but the benefits outweigh that.

  • Ananace
    1
    2 years ago

    Personally using Dex; it’s about as lightweight as you can get, it can be configured with a single configuration file on disk, and it runs entirely stateless as well.

    It only deals with authentication delegation though, unlike larger systems like Keycloak.

  • @DolceTriade@lemmy.world
    9
    2 years ago

    I’ve found Zitadel to be the best open source OAuth2 provider. It also supports Terraform for a fully IaC approach to declaring your users and their permissions.

    • @Onion6068@feddit.de
      5
      edit-2
      2 years ago

      I can only support that. This is what I am running for my small business as well and it’s been super smooth for roughly a year now! Especially self-service and auto-registering based on domain names turned out to be really nice features (for a business). In my homelab I just enjoy having a nice UI.

      https://github.com/zitadel/zitadel

      https://zitadel.com/

      I came from Authentik, which was nice too but nowhere near as feature-rich as Zitadel.

  • @0110010001100010@lemmy.world
    7
    2 years ago

    Following, since I’m new to Lemmy and not sure how to, or even if I can, save a post. I too am looking for something. I spun up Authentik but was quickly overwhelmed with what to do after that, lol. I made it as far as logging in, then got … lost no matter what tutorials I tried to follow.

  • Outcide
    6
    2 years ago

    At the moment I only use lldap. I’ll probably add Authelia at some point …

    • chandz05
      2
      2 years ago

      I use Authelia with lldap and it’s pretty straightforward to set up. Once Authelia is up and running, it’s quite nice managing users and groups through the lldap interface.