# Jellyfin SSO-Auth Plugin Configuration for Authentik OIDC **Research Date:** 2026-01-20 **Plugin:** jellyfin-plugin-sso by 9p4 **Target IDP:** Authentik OIDC **Documentation Version:** Based on plugin v3.5+ and Jellyfin 10.9+ --- ## Executive Summary The Jellyfin SSO-Auth plugin enables OpenID Connect (OIDC) authentication with Authentik, allowing users to authenticate via SSO. This document covers installation, claim mapping configuration, and critical mobile app authentication workflows. **Key Findings:** - Plugin supports OIDC providers including Authentik, Authelia, Keycloak, and others - Claim mapping is essential for role-based authorization - Mobile apps have SSO limitations requiring alternative authentication methods - Quick Connect and API tokens are recommended for mobile app access --- ## 1. Plugin Installation Process ### 1.1 Installation via Web GUI 1. **Access Jellyfin Administration Dashboard** - Navigate to your Jellyfin instance (e.g., `https://jellyfin.example.com`) - Log in with administrator credentials - Go to **Dashboard** → **Plugins** 2. **Add Plugin Repository** - Click on the **Repositories** tab - Click the **+** button to add a new repository - Enter the following details: - **Repository Name:** `Jellyfin SSO` - **Repository URL:** `https://raw.githubusercontent.com/9p4/jellyfin-plugin-sso/manifest-release/manifest.json` - Click **Save** - Confirm the repository installation 3. **Install SSO-Auth Plugin** - Go to the **Catalog** tab - Find **SSO Authentication** in the **Authentication** section - Click **Install** - Confirm the plugin installation - **Restart Jellyfin** for the plugin to activate ### 1.2 Configuration File Location After installation, the plugin configuration is stored at: ``` /config/data/plugins/configurations/SSO-Auth.xml ``` --- ## 2. Authentik OIDC Provider Configuration ### 2.1 Authentik Setup In Authentik, create an OIDC provider with the following settings: **Provider Settings:** - **Name:** `Jellyfin` - **Client Type:** `Confidential` - **Client ID:** `jellyfin` (or custom value) - **Client Secret:** Generate secure secret - **Redirect URIs:** ``` https://jellyfin.example.com/sso/OID/redirect/authentik ``` - **Token Endpoint Auth Method:** `client_secret_post` (CRITICAL for compatibility) - **Scopes:** `openid`, `profile`, `email`, `groups` **Important Note:** The plugin uses `client_secret_post` authentication method. Ensure Authentik is configured to accept this method. Mismatch causes authentication failures: ``` Client authentication failed... The registered client with id 'jellyfin' is configured to only support 'token_endpoint_auth_method' method 'client_secret_basic'. ``` ### 2.2 Authentik Group Configuration Create groups for role-based access: - **jellyfin-admins** - Administrative access - **jellyfin-users** - Standard user access Assign users to appropriate groups in Authentik. ### 2.3 Authentik Scope and Property Mappings Ensure the following claim mappings are configured: - **preferred_username** - Username claim - **email** - Email address - **groups** - User group memberships (CRITICAL for role authorization) --- ## 3. Jellyfin SSO Plugin Configuration ### 3.1 Configuration via Web GUI 1. **Navigate to Plugin Settings** - Dashboard → **Plugins** → **SSO-Auth** 2. **Add OIDC Provider** - Click **Add Provider** - Configure the following settings: **Basic Configuration:** ``` Name of OID Provider: authentik OID Endpoint: https://auth.example.com OpenID Client ID: jellyfin OID Secret: ``` **Authorization Settings:** ``` Enabled: ☑ (checked) Enable Authorization by Plugin: ☑ (checked) Enable All Folders: ☑ (checked) ``` **Role Mapping:** ``` Roles: jellyfin-users, jellyfin-admins Admin Roles: jellyfin-admins Role Claim: groups ``` **Advanced Settings:** ``` Request Additional Scopes: groups Default Username Claim: preferred_username New Path (recommended): ☑ (checked) Disable HTTPS: ☐ (unchecked) Do Not Validate Endpoints: ☐ (unchecked) Do Not Validate Issuer Name: ☐ (unchecked) ``` 3. **Save Configuration** - Click **Save** - The plugin is now active ### 3.2 Configuration via XML File Alternatively, configure via the XML file at `/config/data/plugins/configurations/SSO-Auth.xml`: ```xml authentik https://auth.example.com jellyfin your-secure-secret true true true jellyfin-admins jellyfin-users jellyfin-admins false false false false groups groups preferred_username true false false false false ``` --- ## 4. Claim Mapping Configuration ### 4.1 Understanding Role Claims The plugin uses the `RoleClaim` setting to determine which OIDC claim contains user roles. Common patterns: **Standard Groups Claim:** ```xml groups ``` **Nested Claims (e.g., Keycloak):** ```xml realm_access.roles ``` **Complex Nested Claims:** ```xml resource_access.jellyfin.roles ``` ### 4.2 Common Claim Mapping Issues **Issue: Incorrect role claims warning** ``` OpenID user "username" has one or more incorrect role claims: [{"Type": "groups", "Value": "jellyfin-admin"}]. Expected any one of: ["jellyfin-admins"] ``` **Solution:** Ensure exact match between: 1. Group names in Authentik 2. Role values in plugin configuration (``, ``) 3. Case sensitivity matters ### 4.3 Username Claim Mapping The plugin supports multiple username claim sources: ```xml preferred_username ``` **Supported Claims:** - `preferred_username` - Most common - `email` - Email address as username - `sub` - OIDC subject identifier - `name` - Display name ### 4.4 Additional Scopes Request additional claims beyond the default `openid` scope: ```xml groups email profile ``` --- ## 5. Mobile App Authentication Workflow ### 5.1 The Mobile App SSO Problem **Critical Finding:** Jellyfin mobile apps (Android/iOS) have limited SSO support. When using SSO login on mobile: **Observed Behavior:** - User clicks "Sign in with SSO" - Browser-based authentication completes successfully - Redirect returns to app - App hangs on "Logging in..." indefinitely - Session is not established **Root Cause:** - Mobile apps expect traditional username/password authentication - Web-based OIDC flow completes but token is not properly transferred to app - Issue documented in plugin Issue #189 (Jellyfin 10.9+) ### 5.2 Recommended Mobile App Solutions #### Option 1: Quick Connect (Recommended) Quick Connect allows mobile apps to authenticate without entering credentials: **How It Works:** 1. User opens Jellyfin mobile app 2. App displays a 6-digit code 3. User logs into web interface (via SSO) 4. User enters the 6-digit code in web dashboard 5. Mobile app is authorized automatically **Configuration:** - Enable Quick Connect in Jellyfin Dashboard - Dashboard → **Networking** → **Quick Connect** - Check "Enable Quick Connect" **Usage:** 1. Mobile app: **Settings** → **Add Server** → **Quick Connect** 2. Note the 6-digit code 3. Web browser: Login via SSO → **Dashboard** → **Quick Connect** 4. Enter code and authorize 5. Mobile app connects automatically #### Option 2: API Token Authentication Generate an API token for mobile app access: **Steps:** 1. Login to Jellyfin web interface via SSO 2. Navigate to **Dashboard** → **API Keys** 3. Click **+** to create new API key 4. Name: "Mobile App - [Device Name]" 5. Copy the generated API token 6. In mobile app: Use token instead of password **Security Considerations:** - Tokens should be device-specific - Revoke tokens for lost/stolen devices - Rotate tokens periodically - Monitor active sessions in Dashboard #### Option 3: Fallback Local Authentication Configure the plugin to allow fallback to local Jellyfin authentication: ```xml Jellyfin.Server.Implementations.Users.DefaultAuthenticationProvider ``` **Workflow:** - Web users: Use SSO - Mobile users: Use Jellyfin username/password - Maintain separate password for mobile access - Less secure but functional ### 5.3 Mobile App Compatibility Matrix | App | SSO Support | Quick Connect | API Token | Notes | |-----|-------------|---------------|-----------|-------| | Jellyfin Android | Partial | ✓ | ✓ | SSO hangs on "Logging in" | | Jellyfin iOS | Partial | ✓ | ✓ | Similar issues as Android | | Jellyfin Web | ✓ | N/A | ✓ | Full SSO support | | Finamp (Music) | ✗ | ✓ | ✓ | No SSO, Quick Connect recommended | | Jellyfin Kodi | ✗ | ✓ | ✓ | Token authentication works | --- ## 6. Testing and Troubleshooting ### 6.1 Testing Web Login **Login URL:** ``` https://jellyfin.example.com/sso/OID/start/authentik ``` **Expected Flow:** 1. User navigates to URL 2. Redirects to Authentik login page 3. User authenticates with Authentik 4. Redirects back to Jellyfin 5. User is logged in with appropriate role ### 6.2 Adding SSO Button to Login Page Create a custom login button on the Jellyfin login page: 1. Navigate to Dashboard → **General** → **Custom CSS** 2. Add the following CSS to create an SSO button: ```css /* SSO Login Button */ .raised.emby-button { padding: 0.9em 1em; color: inherit !important; } .disclaimerContainer { display: block; } ``` 3. Use browser developer tools or custom HTML injection to add button (plugin documentation has detailed instructions) ### 6.3 Common Errors and Solutions #### Error: "Client authentication failed" ``` The registered client with id 'jellyfin' is configured to only support 'token_endpoint_auth_method' method 'client_secret_basic'. ``` **Solution:** Change Authentik provider settings: - Edit OIDC Provider in Authentik - Set **Client Authentication Method** to `client_secret_post` - Save and restart Jellyfin #### Error: "Incorrect role claims" ``` OpenID user "user123" has one or more incorrect role claims: [{"Type": "groups", "Value": "jellyfin-user"}]. Expected any one of: ["jellyfin-users"] ``` **Solution:** Check exact spelling and case: - Authentik groups must match exactly - Plugin `` must match exactly - Claim name in `` must match Authentik scope mapping #### Error: "Error processing request" ``` [ERR] Jellyfin.Api.Middleware.ExceptionMiddleware: Error processing request. URL "GET" "/sso/OID/start/authentik" ``` **Common Causes:** 1. **DNS Resolution:** Jellyfin container cannot resolve Authentik hostname 2. **Network Connectivity:** Firewall blocking connection 3. **Certificate Issues:** SSL/TLS validation failing **Solutions:** - Verify DNS: `docker exec jellyfin ping auth.example.com` - Check network connectivity - Set `true` for testing (not production) ### 6.4 Debugging with Logs Enable verbose logging in Jellyfin: 1. Dashboard → **Logs** 2. Look for `Jellyfin.Plugin.SSO_Auth` entries 3. Check for claim mismatches, authentication failures **Useful Log Patterns:** ``` [INF] Jellyfin.Plugin.SSO_Auth.Api.SSOController: SSO Controller initialized [WRN] OpenID user "username" has one or more incorrect role claims [ERR] Error processing request ``` --- ## 7. Security Best Practices ### 7.1 HTTPS Configuration **Always use HTTPS in production:** - Configure reverse proxy (Traefik, Nginx, Caddy) - Obtain valid SSL/TLS certificates - Set `false` ### 7.2 Client Secret Security **Protect the client secret:** - Store securely in configuration files - Use environment variables or secrets management - Never commit to version control - Rotate periodically ### 7.3 Endpoint Validation **Enable validation in production:** ```xml false false ``` **Disable only for testing/debugging** ### 7.4 Role-Based Access Control **Implement least privilege:** - Separate admin and user roles - Use folder permissions for content restriction - Enable `true` - Audit user access regularly ### 7.5 API Token Management **For mobile apps using tokens:** - Generate device-specific tokens - Use descriptive names: "iPhone - John's Device" - Revoke tokens for lost devices - Set token expiration if supported - Monitor active sessions --- ## 8. Advanced Configuration Options ### 8.1 Folder-Based Role Mapping Restrict access to specific libraries based on roles: ```xml true kids-content Kids Movies Kids TV Shows ``` ### 8.2 Canonical User Links Link SSO users to existing Jellyfin accounts: ```xml sso-username existing-jellyfin-user-guid ``` ### 8.3 Live TV Permissions Control Live TV access via roles: ```xml true true livetv-users true jellyfin-admins ``` ### 8.4 Port Override Override the default port for callback URLs: ```xml 8096 ``` Useful when Jellyfin runs behind a reverse proxy on a non-standard port. --- ## 9. Integration Testing Checklist - [ ] Plugin installed and Jellyfin restarted - [ ] Authentik OIDC provider configured with correct redirect URI - [ ] Client authentication method set to `client_secret_post` - [ ] Groups scope enabled in Authentik - [ ] Test users assigned to jellyfin-users or jellyfin-admins groups - [ ] Plugin configured with correct endpoint, client ID, and secret - [ ] Role claim mapping matches Authentik group claim - [ ] Web login successful via `/sso/OID/start/authentik` - [ ] User receives correct permissions (admin vs. user) - [ ] Quick Connect enabled for mobile apps - [ ] API tokens generated for mobile testing - [ ] Mobile app authentication tested - [ ] HTTPS enabled in production - [ ] Endpoint validation enabled - [ ] Logs reviewed for errors --- ## 10. References and Resources **Official Documentation:** - Jellyfin SSO Plugin Repository: https://github.com/9p4/jellyfin-plugin-sso - Authentik Jellyfin Integration: https://docs.goauthentik.io/integrations/services/jellyfin/ - Jellyfin Official Documentation: https://jellyfin.org/docs/ **Community Resources:** - Plugin Issue Tracker: https://github.com/9p4/jellyfin-plugin-sso/issues - Jellyfin Forum: https://forum.jellyfin.org/ - Authentik Forum: https://github.com/goauthentik/authentik/discussions **Key Issues Referenced:** - Mobile App SSO Issue #189: https://github.com/9p4/jellyfin-plugin-sso/issues/189 - Authelia Configuration Discussion: https://www.authelia.com/integration/openid-connect/clients/jellyfin/ - Quick Connect Feature Request: https://support.symfonium.app/t/quick-connect-for-jellyfin/6428 --- ## 11. Conclusion The Jellyfin SSO-Auth plugin provides robust OIDC integration with Authentik for web-based authentication. Key takeaways: 1. **Web authentication works well** when properly configured with correct claim mappings 2. **Mobile app support is limited** - Quick Connect or API tokens are required for mobile access 3. **Role-based authorization** requires exact matching between Authentik groups and plugin configuration 4. **Security configuration** is critical - always use HTTPS and validate endpoints in production 5. **Troubleshooting** relies heavily on log analysis and understanding OIDC claim flows **Recommended Deployment Strategy:** - Primary users: SSO via web interface - Mobile apps: Quick Connect for initial setup, API tokens for ongoing access - Administrators: SSO + 2FA in Authentik for enhanced security - Regular audits of active sessions and API tokens This configuration provides a secure, user-friendly authentication experience while accommodating the limitations of mobile client applications. --- **Document Version:** 1.0 **Last Updated:** 2026-01-20 **Author:** Research Task RESEARCH-004 **Status:** Complete