Selfhosted

44584 readers

1746 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.
No spam posting.
Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.
Don't duplicate the full text of your blog or github here. Just post the link for folks to click.
Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).
No trolling.

Resources:

selfh.st Newsletter and index of selfhosted software and apps
awesome-selfhosted software
awesome-sysadmin resources
Self-Hosted Podcast from Jupiter Broadcasting

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 2 years ago

MODERATORS

ruud@lemmy.world

CannaVet@lemmy.world

Loki@lemmy.world

HybridSarcasm@lemmy.world

devve@lemmy.world

HybridSarcasm@lemmy.hybridsarcasm.xyz

Self-hosted SSO (midwest.social)

submitted 1 day ago by sxan@midwest.social to c/selfhosted@lemmy.world

44 comments fedilink hide all child comments

What are you folks using for self-hosted single sign-on?

I have my little LDAP server (lldap is fan-fucking-tastic -- far easier to work with than OpenLDAP, which gave me nothing but heartburn). Some applications can be configured to work with it directly; several don't have LDAP account support. And, ultimately, it'd be nice to have SSO - having the same password everywhere if great, but having to sign in only once (per day or week, or whatever) would be even nicer.

There are several self-hosted Auth* projects; which is the simplest and easiest? I'd really just like a basic start-it-up, point it at my LDAP server, and go. Fine grained ACLs and RBAC support is nice and all, but simplicity is trump in my case. Configuring these systems is, IME, a complex process, with no small numbers of dials to turn.

A half dozen users, and probably only two groups: admin, and everyone else. I don't need fancy. OSS, of course. Is there any of these projects that fit that bill? It would seem to be a common use case for self-hosters, who don't need all the bells and whistles of enterprise-grade solutions.

you are viewing a single comment's thread
view the rest of the comments

[–] keyez@lemmy.world 9 points 21 hours ago (2 children)

I used to run key cloak backed by LDAP. Few months ago moved to Authelia and after many hours of tinkering and setting up sites I haven't had to touch it except to add a new URL or user.

I slightly disagree with the other commenter I didn't find it easy or straightforward but once I finally found what worked for my setup its been great.

Imagine Authelia is the caddy of SSO. Powerful, intimidating but very efficient. Also all configs are in like 3 files and things aren't going to change without FS access which only I the admin have.

[–] scrubbles@poptalk.scrubbles.tech 2 points 19 hours ago (2 children)

I've tried and failed a couple of times, would you mind sharing (or dming) your example config? Maybe I'm just a been with sso and can't figure it out

[–] keyez@lemmy.world 1 points 2 hours ago

Heres what I'm running:

authentication_backend:
  file:
    path: '/config/users_database.yml'
    watch: false
    search:
      email: false
      case_insensitive: false
    password:
      algorithm: 'sha2crypt'

access_control:
  ## Default policy can either be 'bypass', 'one_factor', 'two_factor' or 'deny'. It is the policy applied to any
  ## resource if there is no policy to be applied to the user.
  default_policy: 'deny'

  networks:
    - name: 'internal'
      networks:
        # - '10.10.0.0/16'
        - '192.168.1.0/24'
    - name: 'VPN'
      networks: '10.0.1.0/24'

  rules:
    ## Rules applied to everyone
    - domain: '*.mydomain.com'
      policy: 'one_factor'

session:
  ## The secret to encrypt the session data. This is only used with Redis / Redis Sentinel.
  ## Secret can also be set using a secret: https://www.authelia.com/c/secrets
  secret: 'insecure_session_secret'

  ## Cookies configures the list of allowed cookie domains for sessions to be created on.
  ## Undefined values will default to the values below.
  cookies:
  #   -
      ## The name of the session cookie.
    - name: 'authelia_session'

      ## The domain to protect.
      ## Note: the Authelia portal must also be in that domain.
      domain: 'mydomain.com'

      ## Required. The fully qualified URI of the portal to redirect users to on proxies that support redirections.
      ## Rules:
      ##   - MUST use the secure scheme 'https://'
      ##   - The above 'domain' option MUST either:
      ##      - Match the host portion of this URI.
      ##      - Match the suffix of the host portion when prefixed with '.'.
      authelia_url: 'https://auth.mydomain.com/'
storage:
  postgres:
    ....

identity_providers:
  oidc:
    ## Cross-Origin Resource Sharing (CORS) settings.
    cors:
      ## List of endpoints in addition to the metadata endpoints to permit cross-origin requests on.
      endpoints:
         - 'authorization'
         - 'token'
         - 'revocation'
         - 'introspection'
        #  - 'pushed-authorization-request'
        #  - 'userinfo'

      ## List of allowed origins.
      ## Any origin with https is permitted unless this option is configured or the
      ## allowed_origins_from_client_redirect_uris option is enabled.
      allowed_origins:
        - 'https://mydomain.com/'
        - 'https://grafana.mydomain.com/'
        - 'https://wiki.mydomain.com/'
        - 'https://foodz.mydomain.com/'

      ## Automatically adds the origin portion of all redirect URI's on all clients to the list of allowed_origins,
      ## provided they have the scheme http or https and do not have the hostname of localhost.
      allowed_origins_from_client_redirect_uris: true
    ## Clients is a list of known clients and their configuration.
    clients:
      - client_id: 'grafana'
        client_name: 'Grafana'
        client_secret: 'XXXXXX'
        public: false
        consent_mode: 'pre-configured'
        authorization_policy: 'one_factor'
        require_pkce: true
        pkce_challenge_method: 'S256'
        redirect_uris:
          - 'https://grafana.mydomain.com/login/generic_oauth'
        scopes:
          - 'openid'
          - 'profile'
          - 'groups'
          - 'email'
        userinfo_signed_response_alg: 'none'
        token_endpoint_auth_method: 'client_secret_basic'
      - client_id: 'wiki'
        client_name: 'Wiki'
        client_secret: 'XXXX'
        consent_mode: 'pre-configured'
        public: false
        authorization_policy: 'one_factor'
        require_pkce: true
        pkce_challenge_method: 'S256'
        redirect_uris:
          - 'https://wiki.mydomain.com/oidc/callback'
        scopes:
          - 'openid'
          - 'profile'
          - 'groups'
          - 'email'
        userinfo_signed_response_alg: 'none'
        token_endpoint_auth_method: 'client_secret_basic'
      ....

Then my users_database.yml looks like:

users:
  authelia:
    disabled: false
    displayname: "Test User"
    password: ""
    email: authelia@authelia.com
    groups:
      - admins
      - dev
  user001:
    disabled: false
    displayname: 'User 001'
    password: "$6$rounds=50000$XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
    email: test@gmail.com
    groups:
      - admins
      - users

[–] keyez@lemmy.world 2 points 18 hours ago (1 children)

Certainly, I'll post it tomorrow

[–] scrubbles@poptalk.scrubbles.tech 1 points 14 hours ago

Thank you!

[–] sxan@midwest.social 1 points 18 hours ago

Caddy is anything but intimidating! If Authelia is anything like Caddy in ease of use, sign me up!