I’m using Authelia with LinuxServer because it was easy to configure (Setting Up Authelia With SWAG) and works pretty much out-of-the-box with their Docker images, which includes FreshRSS: linuxserver/freshrss - LinuxServer.io. You just need to uncomment a line in the Nginx config for the app’s subfolder or subdomain. Works with other apps too, you just need to serve them via the LinuxServer SWAG Nginx container.
Their implementation is pretty basic - it just uses Nginx
auth_request to perform a sub-request to perform the authorization, which verifies the Authelia cookie and redirects to the login page if it’s invalid. I’m not sure if Authelia supports SASL or similar protocols, but if you have a bunch of stuff running on one single server on one domain (so they can all share an auth cookie) then the approach taken by LinuxServer works quite well.
Yeah, ADFS works pretty well if you’re all-in on the Microsoft ecosystem.