this post was submitted on 27 Jan 2024
18 points (100.0% liked)

Selfhosted

40246 readers
907 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 1 year ago
MODERATORS
 

I'm considering adding an SSO process in front of my self-hosted apps such as Nextcloud, Calibre-Web and Immich. The thing I'm thinking about, is do I need to make two accounts for each user I want to add? If I have a new user, do I need to make an account for both the SSO provider and the protected app such as Nextcloud? Or does Nextcloud (or some other app) automatically create a new account upon the first authentication with the SSO provider?

Also, which SSO provider do y'all recommend? I would like to have one with a web UI where I can manage the users :)

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 6 points 9 months ago* (last edited 9 months ago)

I use Authelia, and my users are backed by my LDAP server. I basically managed my users directly in LDAP through Apache Directory Studio. If you want something with built-in user management, I believe Keycloak might be a good place to start.

Also, you can use Nextcloud as an OIDC provider and let it be your SSO provider. For apps that don't support OIDC, you may be able to put them behind OAuth2Proxy and point that your Nextcloud.

It depends on the protected app. Some let you delegate to external auth and will create the account (e.g. Nextcloud) and others may expect some kind of HTTP header containing an identifier to associate with an existing local user (e.g Calibre Web). Most apps I've worked with that support OAuth2 usually handle creating the account in the app automatically - the app takes care of that, not the SSO provider.

You'd need to read the docs for the apps you want to have behind SSO to see how each works with external users.