this post was submitted on 22 Jan 2024
41 points (97.7% liked)

Selfhosted

39980 readers
726 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 1 year ago
MODERATORS
 

Hello, everyone. I am planning to set up Single Sign-On (SSO). I wonder if I can use something like Red Hat SSO with two separate domains. I have one domain for Windows AD and one for Linux IDM. My idea is to use Red Hat SSO so that both domains will be able to access the same services. For example, I have one Nextcloud instance, and I would like users from both domains to use it with SSO.

you are viewing a single comment's thread
view the rest of the comments
[–] Lem453@lemmy.ca 19 points 9 months ago (4 children)

Highly recommend Authentik for SSO.

I run it on it's own sub domain and all my other apps on their own sub domains.

It has pretty much every login protocol you could want (oauth, saml, ldap) etc.

Currently using it for jellyfin, immich, linkwarden, freshrss, and seafile.

[–] Konraddo@lemmy.world 3 points 9 months ago (1 children)

Sorry for a noobie question. But when people say using SSO for internal apps, does it mean we only need to log in once and then the various apps won't need us logging in again? And then the browser can stay connected for however long we want it to be?

[–] coffee_chum@lemmy.ml 3 points 9 months ago

This is typically the case. Increasingly, self-hosted apps use integrated OIDC or OAuth but for those that don't there are various other methods of integration into the SSO provider you're using including forward auth and remote username. Authentik is nice in that it is also a forward-auth proxy and so you don't need to use an additional oauth proxy software like oauth2-proxy.

[–] coffee_chum@lemmy.ml 3 points 9 months ago

This is the way. I just hope they don't start gatekeeping essential features behind the "enterprise" license. Already they have announced push-based 2fa (like Duo) will be enterprise which is a bit of a bummer but it's honestly awesome software otherwise and beggars can't be choosers!

[–] PlexSheep@feddit.de 2 points 9 months ago (1 children)

Does it work for multiple domains (not Subdomains)? I'm currently using authelia, which can't do that, which sucks.

[–] Lem453@lemmy.ca 1 points 9 months ago (1 children)

I can't imagine why it wouldn't. The configuration just needs a URL, what domain they are actually on should be irrelevant.

[–] PlexSheep@feddit.de 1 points 9 months ago

For authelia, iirc it's a problem with the way cookies work, but also with how they set their system up structurally. I don't know the details anymore.

[–] Haha@lemmy.world 1 points 9 months ago (1 children)

It it useful to use authentik with vaultwarden? Or is it redundant?

[–] Lem453@lemmy.ca 1 points 9 months ago (2 children)

They don't really do the same thing. I use both. Authentik provides 1 password/account for all my self hosted apps. Along with other people that use my services. I create one account on authentik and suddenly they can access everything.

I then save that password in vaultwarden.

For what it's worth I don't use SSO for my vault warden master password, that is a separate password not saved anywhere

[–] Haha@lemmy.world 1 points 9 months ago (1 children)

Does it mean each time you host a new app you have to tie it to authentik? I will read aboot it later

[–] Lem453@lemmy.ca 2 points 9 months ago

Yes, when you look into a new self hosted app, you have to check if they offer some kind of SSO option. Authentik can pretty much do every protocol there is. Each all will have different instructions on how to set it up.

[–] Haha@lemmy.world 1 points 9 months ago

I see thank you :)