June 28, 20251 yr Community Expert So I got the Authentik and Worker dockers configured, and I have successfully setup SSO for Immich docker app with Swag ngnx.However, when I try to follow the same methodology for Jellyfin using the jellyfin plug-in SSO-auth, I get request URI error from Authentik when trying to log in with openid.I also tried the jellyfin Ldap plug-in and I keep getting connection refused on Port 636 or 389 in the Jellyfin logs when testing within the plug-in setting. Also, it appears that the authentic docker does not have the host to contain a port mapping for 636 or 6636. When I try to add the host to container Port mapping in the docker, the container Port field is missing from the form.I prefer to use the SSO-auth plugin method (oicd), but I need help figuring out why I keep getting the request URI error. I do have the proper request URI added in the Authentik provider for Jellyfin...All my docker apps that will be handled by Authentik for SSO are reverse proxied with Swag and (ngnix).Any help or guidance would be greatly appreciated. Edited July 16, 2025Jul 16 by gurulee
July 16, 2025Jul 16 Author Community Expert I would like to share my progress and an update on this. I went back to the Jellyfin 'sso-auth' plugin instead of the LDAP plugin.Login with SSO from Jellyfin using Authentik now works!Next step is to enforce only SSO logins from Jellyfin by disabling local logins.My plan is to configure:Jellyfin SSO-Auth (completed)Hide the password login UIUse SWAG (NGINX) to redirect all login attempts to Authentik’s SSO endpoint.Stay tuned... Edited July 16, 2025Jul 16 by gurulee
July 16, 2025Jul 16 Author Community Expert Solution I was able to enforce login with SSO (Authentik) and disable Jellyfin manual login, and hide forgot password using this Jellyfin custom CSS code under Branding:a.raised.emby-button {padding: 0.9em 1em;color: inherit !important;}.disclaimerContainer {display: block;}/* Hide manual login form */.manualLoginForm {display: none !important;}/* Hide 'Forgot password' button */.btnForgotPassword {display: none !important;}====I did not need to use Authentik include or explicit location blocks in my Swag / NGNIX subdomain conf file. Edited July 16, 2025Jul 16 by gurulee
July 20, 2025Jul 20 Author Community Expert I also forced the Jellyfin login page to redirect to Authentik for authentication using Swag / NGINX with this in my jellyfin.subdomain.conf file: # --- Force SSO on login page --- location = /web/ { return 302 https://your-jellyfin-domain/sso/OID/start/authentik; }
August 10, 2025Aug 10 On 7/16/2025 at 11:45 AM, gurulee said:I would like to share my progress and an update on this. I went back to the Jellyfin 'sso-auth' plugin instead of the LDAP plugin.Login with SSO from Jellyfin using Authentik now works!Next step is to enforce only SSO logins from Jellyfin by disabling local logins.My plan is to configure:Jellyfin SSO-Auth (completed)Hide the password login UIUse SWAG (NGINX) to redirect all login attempts to Authentik’s SSO endpoint.Stay tuned...Hello. I am sorry for necroposting... How did you solve the URI error from Authentik when using the sso-auth plugin?
August 11, 2025Aug 11 Author Community Expert @Juancamiloso this is what works for me in Authentik:Redirect URIsstrict: https://jellyfin.mydomain.com/sso/OID/r/authentikstrict: https://jellyfin.mydomain.com/sso/OID/redirect/authentik Edited August 11, 2025Aug 11 by gurulee
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.