From d0f678d00d0d9eaaed5efc3c24d12eba440471c4 Mon Sep 17 00:00:00 2001 From: Ic0n Date: Sun, 18 Aug 2024 17:58:29 +0200 Subject: [PATCH 1/5] Update providers.md sso guide for ZITADEL --- providers.md | 149 +++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 149 insertions(+) diff --git a/providers.md b/providers.md index 4957053..decd239 100644 --- a/providers.md +++ b/providers.md 
@@ -222,3 +222,152 @@ keycloak: SamlClientId: SamlCertificate: ``` +# SSO Login Guide for Jellyfin with ZITADEL + +## 1. Create a New Project in ZITADEL + +1. **Login to your ZITADEL instance.** +2. **Create a new project** and name it whatever you like. + +## 2. Configure the Project for Code Flow + + **Choose `CODE`** as the flow type. + +![image](https://github.com/user-attachments/assets/c1bb9b0e-d719-4435-b89f-f6aa48504369) + +### Redirect URIs +Add the following Redirect URIs: + +- `https://jellyfin.YOURSERVER.COM/sso/OID/r/zitadel` +- `https://jellyfin.YOURSERVER.COM/sso/OID/redirect/zitadel` + +### Post Logout URIs +Add the following Post Logout URI: + +- `https://jellyfin.YOURSERVER.COM` + + **Press `Continue` and `Create`.** + +## 3. Copy Credentials + +- **Copy your `Client Secret` and `Client ID` for later use.** + +## 4. Configure Roles in ZITADEL + +1. **Mark `Assert Roles on Authentication`.** +2. **Mark `Check authorization on Authentication` and press `Save`.** +3. **Go to the Roles section.** + +![image](https://github.com/user-attachments/assets/7c11750f-0892-4244-a7f9-343292ac5576) + +### Create Groups +Create the following three groups: + +- `jellyfin_user` +- `jellyfin_tv` +- `jellyfin_admin` + +![image](https://github.com/user-attachments/assets/3551a93b-58fa-492e-9cad-6fdaeb7f602d) + +. **Go to your Organization and Copy your Organization's Resource ID** from ZITADEL. + +![image](https://github.com/user-attachments/assets/f1ae6584-6307-405e-ad27-d137ad20586f) + +## 5. Set Up SSO in Jellyfin + +1. **Go to Jellyfin** and download/setup the SSO plugin. +2. 
**Add the following configuration**: + +OID Endpoint: +- `https://zitadel.YOURSERVER.COM/.well-known/openid-configuration` + +![image](https://github.com/user-attachments/assets/d18ae6d3-ff9c-42de-b2eb-25d14f225b0c)` + +OpenID Client ID: +- Add your `Client ID` from Zitadel + +OID Secret: +- Add your `Client Secret` from Zitadel + +### Example Role Mappings +Here are example role mappings to use in your configuration: +Change it to your organization: `{"jellyfin_tv":{"{ORGANIZATIONID":"{PRIMARYDOMAIN.COM}"}}` + +```json +{"jellyfin_user":{"265153045849972739":"{demo-vendor.com}"}} +{"jellyfin_tv":{"265153045849972739":"{demo-vendor.com}"}} +{"jellyfin_admin":{"265153045849972739":"{demo-vendor.com}"}} + ``` + +### Admin Roles: +Change it to your organization: `{"jellyfin_admin":{"{ORGANIZATIONID":"{PRIMARYDOMAIN.COM}"}}` + +```json +{"jellyfin_admin":{"265153045849972739":"{demo-vendor.com}"}} + ``` +![image](https://github.com/user-attachments/assets/bf0d51f8-1a53-4f60-9e6a-e6a336808c64) + +### Live TV Roles: + +```json +{"jellyfin_tv":{"265153045849972739":"{demo-vendor.com}"}} +{"jellyfin_admin":{"265153045849972739":"{demo-vendor.com}"}} + ``` +### Live TV Management Roles: +Change it to your organization: `{"jellyfin_tv":{"{ORGANIZATIONID":"{PRIMARYDOMAIN.COM}"}}` +```json +{"jellyfin_tv":{"265153045849972739":"{demo-vendor.com}"}} +{"jellyfin_admin":{"265153045849972739":"{demo-vendor.com}"}} + ``` +### Scopes and Claims +Add the following scopes and claims: + +![image](https://github.com/user-attachments/assets/7a677b29-9f8f-44fb-aeb8-65ff1f0341d3) + +- **Role Claims**: + ``` + urn:zitadel:iam:org:project:{projectResourceId}:roles + ``` +- **Scopes**: + ``` +openid +email +profile +urn:zitadel:iam:org:project:id:zitadel:aud +urn:zitadel:iam:org:project:{projectResourceId}:roles + ``` + +- **Set default Provider**: + + ``` +Jellyfin.Server.Implementations.Users.DefaultAuthenticationProvider + ``` +- **Set default username claim**: + +``` +preferred_username + 
``` + +- **Scheme Override**: +I'm configuring mine to use HTTPS, but your setup might be different. +``` + https +``` + + **Save** the configuration**: + +## 6. Add Users in ZITADEL + +- **Add users** to the project to authenticate and ad them to a role. +### I've encountered issues when assigning two roles to a single user in Zitadel. Jellyfin will responds with a 'Permission Denied' error. + +![image](https://github.com/user-attachments/assets/8b5fa68a-d337-4c15-a55b-0bfce881d2ee) + + +## 7. Test the SSO Setup + +1. **Go to**: +``` +https://jellyfin.YOURSERVER.com/sso/OID/start/zitadel +``` +2. **Try to login** with SSO to verify the setup. From 7dfd6c6e20d0e35d5fc6b2d19d64ba36a06f1d34 Mon Sep 17 00:00:00 2001 From: Ic0n Date: Sun, 18 Aug 2024 18:01:34 +0200 Subject: [PATCH 2/5] Update providers.md --- providers.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/providers.md b/providers.md index decd239..3445350 100644 --- a/providers.md +++ b/providers.md @@ -222,7 +222,7 @@ keycloak: SamlClientId: SamlCertificate: ``` -# SSO Login Guide for Jellyfin with ZITADEL +# ZITADEL OIDC ## 1. Create a New Project in ZITADEL From 89330d9e43fbe7bccb4b1f9995bed372ba76ca46 Mon Sep 17 00:00:00 2001 From: Ic0n Date: Sun, 18 Aug 2024 18:08:40 +0200 Subject: [PATCH 3/5] Update providers.md Updated links --- providers.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/providers.md b/providers.md index 3445350..1956981 100644 --- a/providers.md +++ b/providers.md @@ -12,7 +12,8 @@ This section is broken into providers that support Role-Based Access Control (RB - ✅ [authentik](#authentik) - [✅ Keycloak](#keycloak-oidc) - Both [OIDC](#keycloak-oidc) & [SAML](#keycloak-saml) - +- ✅ [Zitadel](#zitadel-oidc) + ### No RBAC Support - ✅ Google OIDC @@ -222,7 +223,7 @@ keycloak: SamlClientId: SamlCertificate: ``` -# ZITADEL OIDC +# Zitadel OIDC ## 1. Create a New Project in ZITADEL 
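Review bot: in the PATCH 1/5 hunk, the role claim and the last scope both reference `{projectResourceId}` (`urn:zitadel:iam:org:project:{projectResourceId}:roles`), but the only identifier the guide ever tells the reader to copy is the Organization's Resource ID (step 4, the line beginning `. **Go to your Organization`, which has also lost its `4.` list number); add a step that says where the project resource ID is found, otherwise the claim name cannot be completed and role checks will silently fail. Within the same hunk, the inline "Change it to your organization" examples have unbalanced braces (`"{ORGANIZATIONID"` is never closed), the fenced blocks place three separate JSON objects in one `json` fence (not a single valid document, so copy-paste into the plugin field will not parse as one mapping), and every closing fence is indented by one space (` ```), which may leave the blocks unterminated when rendered. The example values mix a concrete organization ID (`265153045849972739`) with a brace-wrapped domain (`{demo-vendor.com}`), so it is unclear which parts are placeholders; use one placeholder convention for both. Minor: the Live TV Roles section is the only one without a "Change it to your organization" line; the stray backtick after the OID Endpoint image; the dual-role remark is marked as a `###` heading rather than a note, and reads `ad them` / `Jellyfin will responds`; the test URL uses `YOURSERVER.com` while the redirect URIs use `YOURSERVER.COM`.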
From bc387bca4546c6af5935dfb36205d7b996124f14 Mon Sep 17 00:00:00 2001 From: Ic0n Date: Mon, 19 Aug 2024 22:34:08 +0200 Subject: [PATCH 4/5] Update providers.md Formatting changes --- providers.md | 155 ++++++++++++++++++++++----------------------------- 1 file changed, 67 insertions(+), 88 deletions(-) diff --git a/providers.md b/providers.md index 1956981..9b99c2a 100644 --- a/providers.md +++ b/providers.md @@ -12,7 +12,7 @@ This section is broken into providers that support Role-Based Access Control (RB - ✅ [authentik](#authentik) - [✅ Keycloak](#keycloak-oidc) - Both [OIDC](#keycloak-oidc) & [SAML](#keycloak-saml) -- ✅ [Zitadel](#zitadel-oidc) +- ✅ [Zitadel](#zitadel-oid) ### No RBAC Support 
@@ -223,152 +223,131 @@ keycloak: SamlClientId: SamlCertificate: ``` -# Zitadel OIDC +--- +# Zitadel OID -## 1. Create a New Project in ZITADEL +### Create a New Project in ZITADEL -1. **Login to your ZITADEL instance.** -2. **Create a new project** and name it whatever you like. +- Log in to your ZITADEL instance. +- Create a new project and name it as desired. -## 2. Configure the Project for Code Flow +### Configure the Project for Authorization Code Flow - **Choose `CODE`** as the flow type. +- Select `CODE` as the flow type. -![image](https://github.com/user-attachments/assets/c1bb9b0e-d719-4435-b89f-f6aa48504369) + ![Authorization Code Flow Configuration](https://github.com/user-attachments/assets/c1bb9b0e-d719-4435-b89f-f6aa48504369) ### Redirect URIs -Add the following Redirect URIs: - `https://jellyfin.YOURSERVER.COM/sso/OID/r/zitadel` - `https://jellyfin.YOURSERVER.COM/sso/OID/redirect/zitadel` -### Post Logout URIs -Add the following Post Logout URI: +### Post Logout URI - `https://jellyfin.YOURSERVER.COM` - **Press `Continue` and `Create`.** +- Click `Continue` and `Create`. -## 3. Copy Credentials +### Copy Client Credentials -- **Copy your `Client Secret` and `Client ID` for later use.** +- Copy your `Client Secret` and `Client ID` for later use. -## 4. Configure Roles in ZITADEL +### Configure Roles in ZITADEL -1. **Mark `Assert Roles on Authentication`.** -2. **Mark `Check authorization on Authentication` and press `Save`.** -3. **Go to the Roles section.** +- Enable `Assert Roles on Authentication` and `Check authorization on Authentication`, then click `Save`. -![image](https://github.com/user-attachments/assets/7c11750f-0892-4244-a7f9-343292ac5576) +- Go to the Roles section. 
+ + ![Role Configuration](https://github.com/user-attachments/assets/7c11750f-0892-4244-a7f9-343292ac5576) ### Create Groups -Create the following three groups: - `jellyfin_user` - `jellyfin_tv` - `jellyfin_admin` + + ![Group Creation](https://github.com/user-attachments/assets/3551a93b-58fa-492e-9cad-6fdaeb7f602d) -![image](https://github.com/user-attachments/assets/3551a93b-58fa-492e-9cad-6fdaeb7f602d) - -. **Go to your Organization and Copy your Organization's Resource ID** from ZITADEL. +- Copy your Organization's Resource ID from the Organization settings in ZITADEL. -![image](https://github.com/user-attachments/assets/f1ae6584-6307-405e-ad27-d137ad20586f) + ![Organization Resource ID](https://github.com/user-attachments/assets/f1ae6584-6307-405e-ad27-d137ad20586f) -## 5. Set Up SSO in Jellyfin +### Set Up SSO in Jellyfin -1. **Go to Jellyfin** and download/setup the SSO plugin. -2. **Add the following configuration**: +- Install and configure the SSO plugin in Jellyfin. -OID Endpoint: -- `https://zitadel.YOURSERVER.COM/.well-known/openid-configuration` +### Configure the following settings: + + ![OID Configuration](https://github.com/user-attachments/assets/d18ae6d3-ff9c-42de-b2eb-25d14f225b0c) -![image](https://github.com/user-attachments/assets/d18ae6d3-ff9c-42de-b2eb-25d14f225b0c)` +- **OID Endpoint:** `https://zitadel.YOURSERVER.COM/.well-known/openid-configuration` -OpenID Client ID: -- Add your `Client ID` from Zitadel +- **OpenID Client ID:** Enter your `Client ID` from ZITADEL. -OID Secret: -- Add your `Client Secret` from Zitadel +- **OID Secret:** Enter your `Client Secret` from ZITADEL. ### Example Role Mappings -Here are example role mappings to use in your configuration: -Change it to your organization: `{"jellyfin_tv":{"{ORGANIZATIONID":"{PRIMARYDOMAIN.COM}"}}` + +Replace `{ORGANIZATIONID}` and `{PRIMARYDOMAIN.COM}` with your organization's details. 
```json -{"jellyfin_user":{"265153045849972739":"{demo-vendor.com}"}} {"jellyfin_tv":{"265153045849972739":"{demo-vendor.com}"}} {"jellyfin_admin":{"265153045849972739":"{demo-vendor.com}"}} - ``` - -### Admin Roles: -Change it to your organization: `{"jellyfin_admin":{"{ORGANIZATIONID":"{PRIMARYDOMAIN.COM}"}}` +``` + +### Admin Roles ```json +{"jellyfin_tv":{"265153045849972739":"{demo-vendor.com}"}} {"jellyfin_admin":{"265153045849972739":"{demo-vendor.com}"}} - ``` -![image](https://github.com/user-attachments/assets/bf0d51f8-1a53-4f60-9e6a-e6a336808c64) +``` -### Live TV Roles: +![Admin Roles Configuration](https://github.com/user-attachments/assets/bf0d51f8-1a53-4f60-9e6a-e6a336808c64) + +### Live TV Roles ```json {"jellyfin_tv":{"265153045849972739":"{demo-vendor.com}"}} {"jellyfin_admin":{"265153045849972739":"{demo-vendor.com}"}} - ``` -### Live TV Management Roles: -Change it to your organization: `{"jellyfin_tv":{"{ORGANIZATIONID":"{PRIMARYDOMAIN.COM}"}}` +``` + +### Live TV Management Roles + ```json {"jellyfin_tv":{"265153045849972739":"{demo-vendor.com}"}} {"jellyfin_admin":{"265153045849972739":"{demo-vendor.com}"}} - ``` -### Scopes and Claims -Add the following scopes and claims: +``` -![image](https://github.com/user-attachments/assets/7a677b29-9f8f-44fb-aeb8-65ff1f0341d3) +### Scopes and Claims -- **Role Claims**: - ``` - urn:zitadel:iam:org:project:{projectResourceId}:roles - ``` -- **Scopes**: - ``` -openid -email -profile -urn:zitadel:iam:org:project:id:zitadel:aud -urn:zitadel:iam:org:project:{projectResourceId}:roles - ``` +Add the following scopes and claims: -- **Set default Provider**: +![Scopes and Claims](https://github.com/user-attachments/assets/7a677b29-9f8f-44fb-aeb8-65ff1f0341d3) - ``` -Jellyfin.Server.Implementations.Users.DefaultAuthenticationProvider - ``` -- **Set default username claim**: +- **Role Claims:** `urn:zitadel:iam:org:project:{projectResourceId}:roles` +- **Scopes:** + - `openid` + - `email` + - `profile` + - 
`urn:zitadel:iam:org:project:id:zitadel:aud` + - `urn:zitadel:iam:org:project:{projectResourceId}:roles` +- **Set Default Provider:** `Jellyfin.Server.Implementations.Users.DefaultAuthenticationProvider` +- **Set Default Username Claim:** `preferred_username` +- **Scheme Override:** `https` -``` -preferred_username - ``` - -- **Scheme Override**: -I'm configuring mine to use HTTPS, but your setup might be different. -``` - https -``` +- Save the configuration. - **Save** the configuration**: +### Add Users in ZITADEL -## 6. Add Users in ZITADEL +- Add users to the project in ZITADEL and assign them to the appropriate role. -- **Add users** to the project to authenticate and ad them to a role. -### I've encountered issues when assigning two roles to a single user in Zitadel. Jellyfin will responds with a 'Permission Denied' error. +> **Note:** Assigning multiple roles to a single user may cause issues in Jellyfin, resulting in a 'Permission Denied' error. -![image](https://github.com/user-attachments/assets/8b5fa68a-d337-4c15-a55b-0bfce881d2ee) +![Permission Denied Error](https://github.com/user-attachments/assets/8b5fa68a-d337-4c15-a55b-0bfce881d2ee) +### Test the SSO Setup -## 7. Test the SSO Setup +- Navigate to `https://jellyfin.YOURSERVER.COM/sso/OID/start/zitadel` +- Attempt to log in using SSO to verify the setup. -1. **Go to**: -``` -https://jellyfin.YOURSERVER.com/sso/OID/start/zitadel -``` -2. **Try to login** with SSO to verify the setup. +--- From 601d5b68d05f2bb1d190c5f90351749668fb8c33 Mon Sep 17 00:00:00 2001 From: Ic0n Date: Mon, 19 Aug 2024 22:36:50 +0200 Subject: [PATCH 5/5] Update providers.md --- providers.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/providers.md b/providers.md index 9b99c2a..5a1edc7 100644 --- a/providers.md +++ b/providers.md 
@@ -12,7 +12,7 @@ This section is broken into providers that support Role-Based Access Control (RB - ✅ [authentik](#authentik) - [✅ Keycloak](#keycloak-oidc) - Both [OIDC](#keycloak-oidc) & [SAML](#keycloak-saml) -- ✅ [Zitadel](#zitadel-oid) +- ✅ [Zitadel](#zitadel-oidc) ### No RBAC Support @@ -224,7 +224,7 @@ keycloak: SamlCertificate: ``` --- -# Zitadel OID +# Zitadel OIDC ### Create a New Project in ZITADEL
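Review bot: in the second hunk of PATCH 4/5, the `### Admin Roles` block now lists `{"jellyfin_tv":...}` alongside `{"jellyfin_admin":...}` (the `+{"jellyfin_tv":{"265153045849972739":"{demo-vendor.com}"}}` line), whereas PATCH 1/5 had only `jellyfin_admin` there; as written, every user holding the Live TV role would be mapped to Jellyfin administrator, so that line should be removed before merge. In the same hunk, the new sentence "Replace `{ORGANIZATIONID}` and `{PRIMARYDOMAIN.COM}` with your organization's details" refers to placeholders that no longer appear in any of the fenced blocks (they still carry `265153045849972739` and `{demo-vendor.com}`), and `jellyfin_user` was dropped from the Example Role Mappings block while `### Create Groups` still creates it, so a reader following the guide ends up with a role that maps to nothing. The `{projectResourceId}` placeholder in the role claim and scope still has no step explaining where it comes from, and the three-objects-in-one-`json`-fence layout is carried over unchanged.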
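Review bot: the two hunks in PATCH 5/5 only revert the `#zitadel-oid` anchor and `# Zitadel OID` heading that PATCH 4/5 introduced, back to `#zitadel-oidc` and `# Zitadel OIDC`; squash patches 4 and 5 (and 2 and 3, which likewise only rename the heading) into one so the history does not carry a rename and its immediate revert. The final anchor `#zitadel-oidc` does match the slug GitHub generates for `# Zitadel OIDC`, and it is consistent with the existing `#keycloak-oidc` entry above it.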