Anyone had any success with current open-source and self-hosted Single Sign-On Solutions?
I believe it’d be nice to figure out a solution for SSO instead of offloading those requirements to Google Account/Auth0/etc. Also, internally it’d help with maintaining those apps, as then I don’t need a unique ID and password combo for LibreNMS/Observium, FreshRSS, phpIPAM, Gitlab, etc. and can rather have SSO handle the authentication requirements.
I have actually been thinking about this in the last few days. I’ve been using MS Azure AD + my own onprem AD deployment for a long time, but yesterday I set up Authentik (https://goauthentik.io) and it’s been great… super simple and the dev responds very quickly.
I’m using Authelia with LinuxServer because it was easy to configure (Setting Up Authelia With SWAG) and works pretty much out-of-the-box with their Docker images, which includes FreshRSS: linuxserver/freshrss - LinuxServer.io. You just need to uncomment a line in the Nginx config for the app’s subfolder or subdomain. Works with other apps too, you just need to serve them via the LinuxServer SWAG Nginx container.
Their implementation is pretty basic - it just uses Nginx auth_request to perform a sub-request to perform the authorization, which verifies the Authelia cookie and redirects to the login page if it’s invalid. I’m not sure if Authelia supports SASL or similar protocols, but if you have a bunch of stuff running on one single server on one domain (so they can all share an auth cookie) then the approach taken by LinuxServer works quite well.
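The auth_request pattern described in the post above, written out as an added example (this is not the LinuxServer SWAG configuration or Authelia’s own documentation, and the hostnames `app.example.com`, `auth.example.com`, the upstream `authelia:9091` and the `/api/verify` endpoint path are assumptions; the verify endpoint in particular has changed between Authelia releases, so check the version you run). Every request to the protected app is first sent, without its body, to an internal-only location that proxies to the verifier; a 200 lets the request through with the identity headers the verifier returned, while a 401 is turned into a redirect to the login portal carrying the original URL.

```nginx
# Added example: nginx forward auth via auth_request in front of a self-hosted app.
# Hostnames, upstream name/port and the verify path are assumptions, not values
# taken from the thread.
server {
    listen 443 ssl;
    server_name app.example.com;

    # Internal-only verifier endpoint. "internal" means a client can never call
    # /authelia directly; only nginx sub-requests can reach it.
    location /authelia {
        internal;
        proxy_pass http://authelia:9091/api/verify;   # assumed path, version dependent

        # A verification sub-request needs headers and cookies only, never the body.
        proxy_pass_request_body off;
        proxy_set_header Content-Length "";

        # Tell the verifier which URL is being requested so it can apply
        # per-domain/per-path access rules and build the post-login redirect.
        proxy_set_header X-Original-URL    $scheme://$http_host$request_uri;
        proxy_set_header X-Forwarded-Method $request_method;
        proxy_set_header X-Forwarded-Proto  $scheme;
        proxy_set_header X-Forwarded-Host   $http_host;
        proxy_set_header X-Forwarded-Uri    $request_uri;
        proxy_set_header X-Forwarded-For    $remote_addr;
    }

    location / {
        # Run the sub-request; anything other than 2xx blocks the request.
        auth_request /authelia;

        # Capture the original URL and the identity the verifier asserted.
        auth_request_set $target_url $scheme://$http_host$request_uri;
        auth_request_set $user       $upstream_http_remote_user;
        auth_request_set $groups     $upstream_http_remote_groups;

        # No valid session cookie -> send the browser to the login portal,
        # passing the original URL so it can come back after authentication.
        error_page 401 =302 https://auth.example.com/?rd=$target_url;

        # Hand the asserted identity to the backend. The backend must trust
        # these headers only when they come from this proxy.
        proxy_set_header Remote-User   $user;
        proxy_set_header Remote-Groups $groups;
        proxy_pass http://freshrss:80;   # assumed upstream
    }
}
```

Two things worth checking when reproducing this: the backend container should not be reachable on any path that bypasses nginx (otherwise an attacker can send a forged Remote-User header straight to it), and the session cookie must be issued for the shared parent domain so that, as the post notes, all apps on that domain can use one login.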
Yeah, ADFS works pretty well if you’re all-in on the Microsoft ecosystem.
We use GitHub - pomerium/pomerium: Pomerium is an identity-aware access proxy.
It took a little bit of work to get things really working but the documentation has been improved as of late. It’s paired with Traefik as the proxy and Pomerium fits in as middleware for forward auth.
You do need to have an Identity Provider but they have a pretty good range of providers that can be used.