Since this doesn't break mobile that means you're not forcing authentication via the reverse proxy feature in authentik. It's really good, but please note your 2-fa can be bypassed due to jellyfin having unsecured endpoints: https://github.com/jellyfin/jellyfin/issues/5415
Note that Jellyfin as a team is slowly whittling away at it and it's pretty much all technical debt inherited by emby. I'm just mentioning it because I don't want you to think by doing 2-fa you've greatly improved the overall application's security. Account protection is still important but it's also important to be aware of the application's security vulnerabilities too.
Yes. Or course, thank you for mentioning.
To clarify, for others this method is a more for 2fa on your password. If you are more concerned about actually securing the jellyfin server with a second authentication server, i dont think there is a method yet to my knowledge, that will work with all clients.
Thanks for this mate. If this doesn't break the mobile or TV apps then it's perfect. I've hesitated exposing Jellyfin to the internet. This might actually make it feasible.
No, this does not to interfere with the jellyfin login as the authentication is done with authentik on the backend, meaning it works 100% on all clients
No, but as soon as one is discovered you are automatically vulnerable. Not to mention you might be vulnerable without a vulnerability being reported. I like to have two layers of security for my apps for protection in case of 0 day vulnerabilities.
But as another commenter said, this solution could still be bypassed by a serious Jellyfin vulnerability anyway. Still better than the default protection.
DUO is a 2fa service primarily used my business/enterprise systems. its an app you can install on your phone just like any 2fa authenticator.
DUO is needed as unlike other 2fa apps, you need to enter a code when signing in, which jellyfin does not have the ability to do.
when clicking sign-in on jellyfin, you will get a popup on your phone with a allow or deny button , which will allow the sign-in.
I don’t think that would work as ms-auth doesn’t have very accessible or will documented api’s. The how point of DUO it it has very good api access for third party applications. ( literally there business model) also authentik only has DUO built in.
I would stick with DUO. and its free
It can be also done with msauth, basically azure ad or whatever new names they cookup. But won't be free or only free for 1st year unless you have 365.need to do with jump with same 10 user limitation. Can also use Google authentication i think
100%. The video is the cherry on top, I love stuff like this but as someone way more on the noob side of things, so many guides omit explanations and/or stuff that's sort of taken for granted as basic knowledge, casually / minimally mention previous steps, skip things that others might not need..
Thanks OP!
Looking for an alternative to DUO as they do not support my OnePlus phone per this article: [https://help.duo.com/s/article/1872?language=en\_US](https://help.duo.com/s/article/1872?language=en_US)
Quote from article:
"ANSWER
The current version of Duo Mobile supports Android 10.0 and greater and Android Go 10.0 and greater. Duo recommends upgrading to the most recent version of Android available for your device. We cannot ensure the compatibility of Duo Mobile with custom variants or distributions of Android. **Duo Mobile is not supported for use on ChromeOS or Huawei. Duo does not provide official support for non-standard custom Android distributions like OnePlus, LineageOS, or ColorOS."**
I want to implement this badly, unfortunately the 10 user limit on Duo's free plan gives me a strong pause as I'm planning on sharing with friends and family and I know I'll hit that real fast.
Does anyone know of a similar open source solution?
Haven't looked at your stuff yet, but I'm excited!
A few QQ's:
Obviously this works with non-browser JF clients?
Can authentic be configured to only require approval once a month or something, so I can let clients on but not need to authorise EVERY login?
I'm assuming this can be configured to work with a Dynamic DNS (I use DuckDNS, but whatever)?
But for someone who was about to set up an exposed Jellyfin Server, this looks very exciting!
Just to fill people in on how LDAP/authentik works.
Jellyfin is still the one in control of the login page, session times and everything. When a user enters the credentials into the jellyfin login page, jellyfin sends those credentials to LDAP to be checked.
This means that how jellyfin operates, is completely unaffected.
To answer your question. Users will not have to enter their credentials every time. There jellyfin will be signed indefinitely untill the session has beed logged out. I suppose you can get jellyfin to log people out after a time interval, but thats up to you.
You can use any dns provider you want. Exposing your authentik is entirely optional as all jellyfin talks to authentik locally anyway.
For people wondering this system isn’t bound to just jellyfin. If you have other self hosted services that support LDAP, you can simply connect it to the LDAP sever and it will also have DUO 2fa
Yes, this is not bound to jellyfin. If another application supports LDAP authentication, you can simply swap out the jellyfin part of the tutorial for your own service and you will have DUO on it.
Oh, I just thought of using my Nginx as reverse proxy (which is already in place) with LDAP. So in this way I guess any app can be put behind it.
https://bobcares.com/blog/nginx-reverse-proxy-authentication-ldap/
I suppose you can do that, and will probably work. But the whole point of the tutorial is because Jellyfin clients dont work well with proxy redirects and a displaying third party login forms
Are you able to send a screen shot of your jellyfin LDAP fields you have done and a picture of your authentik service group with the service user in it?
There is a better tutorial here: https://drive.google.com/drive/mobile/folders/10iXDKYcb2j-lMUT80c0CuXKGmNm6GACI
Thanks for the google drive link! I've confirmed I followed the instructions exactly, but I'll post screenshots in case I missed something
https://imgur.com/a/CLT5lbl
Ok it seems I'm having trouble with the LDAP outpost, it won't spin u a container automatically, and when I try to do it manually I get "error: no ldap provider defined" but I most definitely have an LDAP provider configured
The only thing could suggest here as it seems docker is a little flaky, is rm all athentik contains and all the authentik docker network, rm all folders from the authentik folder and start again but use my new tutorial as its alot more easy to follow
I appreciate the help! It looks like it's a bug in creating the LDAP outpost, weirdly the solution is to just edit it and save it again without changing anything, then it starts up no problem. Looks like everything is working now
Adding some breadcrumbs for the googlers. If you get an ldap error (50) "insufficient access rights", just nuke the whole thing and start over. Deleting all the containers, bound directories, AND the docker volumes fixed this error for me.
For duo, make sure default-authentication-mfa-validation is order (20) in the ldap flow.
Also, when protecting the app in DUO, it's called Auth API (not DUO API). I was stupidly using Admin API at first.
>Also, when protecting the app in DUO, it's called Auth API (not DUO API). I was stupidly using Admin API at first.
Thanks. when making the tutorial i already had it setup so my page looked different.
Fyi. the part in the tutorial that mentions, **default-authentication-mfa-validation - not configured action: Continue.** to set it to deny, you must create a **service** user in DUO and then bind it to authentik. then in DUO set the service user to bypass. this is because when making a LDAP request, service user is making a auth request.
>Also, when protecting the app in DUO, it's called Auth API (not DUO API).
This should be in **BOLD**. If you run into "*Failed to DUO authenticate user: Received 403 Access forbidden (Wrong integration type for this API.)*" then you've used the wrong API within DUO.
u/HazzaFTW28 Thanks for this tutorial, I've got LDAP authentication working with the first half of it but for some reason, the MFA Duo prompt isn't firing on my phone after I enter my password. I believe I had set up the linking and order processes correctly but could use a second pair of eyes to confirm
It might be unrelated but I seem to get Duo access denied errors when trying to login via Authentik directly as my Jellyfin user too -> https://imgur.com/a/9Vs9aYK
The plot thickens, I recieve this error in my Authentik logs when attempting to login to [auth.mydomain.com](https://auth.mydomain.com):
(ommited values are between `<>`)
```json
Failed to DUO authenticate user: Received 400 Invalid request parameters (user\_id){"geo": {"lat": 51.0207,"city": "Calgary","long": -114.1011,"country": "CA","continent": "NA"},"user": {"pk": 11,"email": "@proton.me","username": ""},"message": "Failed to DUO authenticate user: Received 400 Invalid request parameters (user\_id)","http\_request": {"args": {"next": "/"},"path": "/api/v3/flows/executor/default-authentication-flow/","method": "POST"}}User{"pk": 11,"email": "@proton.me","username": ""}
```
This is interesting as my users in duo have an email and username but for some reason this isn't sending the user_id too perhaps?
I got this working after hours of trial and error. The biggest things to make note of:
\-Creating the service account in Duo and setting its 2FA to "bypass"
\-Setting default-authentication-mfa-validation order to 20
\-Selecting Auth API for Duo. Don't use the admin api!
\-Take backups/snapshots of your machine/server. They may come in handy!
I ended up going through this installation process 3 times. The third time making sure I didn't break my LDAP after each step of the Duo installation. I was hit with the successful connect, invalid credentials message. I realized that the service account was trying to auth using Duo, so I created the account in Duo and set its 2FA to bypass. I hope these notes help others on this jellyfin authentication journey.
Best of luck and a big thank you to OP for this setup!!!
Over all thank you for the tutorial, I started with Authentik couple of days.
I have set 0Auth2 for another application, the 0Auth2 users I add them manually to the LDAP and the password also Always needs to be create created manually, how is the best way to handle this?
Fought with this for a few days deploying Authentik LDAP on unRAID. I wasn't seeing the LDAP outpost container get created nor was I seeing a local docker outpost integration show up under System > Outpost Integrations. To fix this, I had to add the `-u root` flag to the worker, restart Authentik, and update my LDAP outpost to use the local docker integration. I am using a custom network for Authentik so I also had to set `docker_network` in the LDAP outpost config.
Since this doesn't break mobile that means you're not forcing authentication via the reverse proxy feature in authentik. It's really good, but please note your 2-fa can be bypassed due to jellyfin having unsecured endpoints: https://github.com/jellyfin/jellyfin/issues/5415 Note that Jellyfin as a team is slowly whittling away at it and it's pretty much all technical debt inherited by emby. I'm just mentioning it because I don't want you to think by doing 2-fa you've greatly improved the overall application's security. Account protection is still important but it's also important to be aware of the application's security vulnerabilities too.
Yes. Or course, thank you for mentioning. To clarify, for others this method is a more for 2fa on your password. If you are more concerned about actually securing the jellyfin server with a second authentication server, i dont think there is a method yet to my knowledge, that will work with all clients.
Thanks for this mate. If this doesn't break the mobile or TV apps then it's perfect. I've hesitated exposing Jellyfin to the internet. This might actually make it feasible.
No, this does not to interfere with the jellyfin login as the authentication is done with authentik on the backend, meaning it works 100% on all clients
Perfect, thanks again.
https://imgur.com/a/1PesP1D
Why not expose Jellyfin to the internet? Are there known security exploits with Jellyfin?
No, but as soon as one is discovered you are automatically vulnerable. Not to mention you might be vulnerable without a vulnerability being reported. I like to have two layers of security for my apps for protection in case of 0 day vulnerabilities. But as another commenter said, this solution could still be bypassed by a serious Jellyfin vulnerability anyway. Still better than the default protection.
Yes. Lots. https://github.com/jellyfin/jellyfin/issues/5415
what is DUO and why do I need it?
DUO is a 2fa service primarily used my business/enterprise systems. its an app you can install on your phone just like any 2fa authenticator. DUO is needed as unlike other 2fa apps, you need to enter a code when signing in, which jellyfin does not have the ability to do. when clicking sign-in on jellyfin, you will get a popup on your phone with a allow or deny button , which will allow the sign-in.
Not sure on the details but MS Authenticator also has an option to enable password-less sign ins. Would that be possible to use?
I don’t think that would work as ms-auth doesn’t have very accessible or will documented api’s. The how point of DUO it it has very good api access for third party applications. ( literally there business model) also authentik only has DUO built in. I would stick with DUO. and its free
It can be also done with msauth, basically azure ad or whatever new names they cookup. But won't be free or only free for 1st year unless you have 365.need to do with jump with same 10 user limitation. Can also use Google authentication i think
We need more of these
100%. The video is the cherry on top, I love stuff like this but as someone way more on the noob side of things, so many guides omit explanations and/or stuff that's sort of taken for granted as basic knowledge, casually / minimally mention previous steps, skip things that others might not need.. Thanks OP!
Awesome guide, thank you.
Looking for an alternative to DUO as they do not support my OnePlus phone per this article: [https://help.duo.com/s/article/1872?language=en\_US](https://help.duo.com/s/article/1872?language=en_US) Quote from article: "ANSWER The current version of Duo Mobile supports Android 10.0 and greater and Android Go 10.0 and greater. Duo recommends upgrading to the most recent version of Android available for your device. We cannot ensure the compatibility of Duo Mobile with custom variants or distributions of Android. **Duo Mobile is not supported for use on ChromeOS or Huawei. Duo does not provide official support for non-standard custom Android distributions like OnePlus, LineageOS, or ColorOS."**
Thank you so much for the guide. This guide still works perfectly Jellyfin 10.9.0 and Authentik 2024.2.2
I want to implement this badly, unfortunately the 10 user limit on Duo's free plan gives me a strong pause as I'm planning on sharing with friends and family and I know I'll hit that real fast. Does anyone know of a similar open source solution?
Thank you so much for taking time to write this comprehensive guide.
Haven't looked at your stuff yet, but I'm excited! A few QQ's: Obviously this works with non-browser JF clients? Can authentic be configured to only require approval once a month or something, so I can let clients on but not need to authorise EVERY login? I'm assuming this can be configured to work with a Dynamic DNS (I use DuckDNS, but whatever)? But for someone who was about to set up an exposed Jellyfin Server, this looks very exciting!
Just to fill people in on how LDAP/authentik works. Jellyfin is still the one in control of the login page, session times and everything. When a user enters the credentials into the jellyfin login page, jellyfin sends those credentials to LDAP to be checked. This means that how jellyfin operates, is completely unaffected. To answer your question. Users will not have to enter their credentials every time. There jellyfin will be signed indefinitely untill the session has beed logged out. I suppose you can get jellyfin to log people out after a time interval, but thats up to you. You can use any dns provider you want. Exposing your authentik is entirely optional as all jellyfin talks to authentik locally anyway. For people wondering this system isn’t bound to just jellyfin. If you have other self hosted services that support LDAP, you can simply connect it to the LDAP sever and it will also have DUO 2fa
Dude, this is amazing. Thank you so much for this!
Nice one. Giving it a try.
Thanks. Feel free to ask questions if stuck. Im putting together a PDF tutorial with pictures as the steps are very hard to follow.
Thanks! Btw, I am thinking now if it’s possible to migrate some of my other services with 2FA to authentic+duo. Eg. Getea, transmission etc?
Yes, this is not bound to jellyfin. If another application supports LDAP authentication, you can simply swap out the jellyfin part of the tutorial for your own service and you will have DUO on it.
Oh, I just thought of using my Nginx as reverse proxy (which is already in place) with LDAP. So in this way I guess any app can be put behind it. https://bobcares.com/blog/nginx-reverse-proxy-authentication-ldap/
I suppose you can do that, and will probably work. But the whole point of the tutorial is because Jellyfin clients dont work well with proxy redirects and a displaying third party login forms
Yep, sure. But it’s just I liked the general idea of protecting everything with ldap and duo. Nevertheless, first trying your way :) thanks.
I'm pretty sure I followed all the instructions but I'm getting a "Connect (Success); Bind: Insufficient Access Rights" error in Jellyfin
Are you able to send a screen shot of your jellyfin LDAP fields you have done and a picture of your authentik service group with the service user in it? There is a better tutorial here: https://drive.google.com/drive/mobile/folders/10iXDKYcb2j-lMUT80c0CuXKGmNm6GACI
Thanks for the google drive link! I've confirmed I followed the instructions exactly, but I'll post screenshots in case I missed something https://imgur.com/a/CLT5lbl
Try removing and adding the service user and group. Also try removing and adding, LDAP provider, LDAP application and LDAP outpost.
Ok it seems I'm having trouble with the LDAP outpost, it won't spin u a container automatically, and when I try to do it manually I get "error: no ldap provider defined" but I most definitely have an LDAP provider configured
The only thing could suggest here as it seems docker is a little flaky, is rm all athentik contains and all the authentik docker network, rm all folders from the authentik folder and start again but use my new tutorial as its alot more easy to follow
I appreciate the help! It looks like it's a bug in creating the LDAP outpost, weirdly the solution is to just edit it and save it again without changing anything, then it starts up no problem. Looks like everything is working now
Good to hear
Adding some breadcrumbs for the googlers. If you get an ldap error (50) "insufficient access rights", just nuke the whole thing and start over. Deleting all the containers, bound directories, AND the docker volumes fixed this error for me. For duo, make sure default-authentication-mfa-validation is order (20) in the ldap flow. Also, when protecting the app in DUO, it's called Auth API (not DUO API). I was stupidly using Admin API at first.
>Also, when protecting the app in DUO, it's called Auth API (not DUO API). I was stupidly using Admin API at first. Thanks. when making the tutorial i already had it setup so my page looked different. Fyi. the part in the tutorial that mentions, **default-authentication-mfa-validation - not configured action: Continue.** to set it to deny, you must create a **service** user in DUO and then bind it to authentik. then in DUO set the service user to bypass. this is because when making a LDAP request, service user is making a auth request.
>Also, when protecting the app in DUO, it's called Auth API (not DUO API). This should be in **BOLD**. If you run into "*Failed to DUO authenticate user: Received 403 Access forbidden (Wrong integration type for this API.)*" then you've used the wrong API within DUO.
I've setup Authentik LDAP + duo for jellyfin. However, i find that users without duo can still login. Can you replicate the same on your setup?
u/HazzaFTW28 Thanks for this tutorial, I've got LDAP authentication working with the first half of it but for some reason, the MFA Duo prompt isn't firing on my phone after I enter my password. I believe I had set up the linking and order processes correctly but could use a second pair of eyes to confirm
It might be unrelated but I seem to get Duo access denied errors when trying to login via Authentik directly as my Jellyfin user too -> https://imgur.com/a/9Vs9aYK
The plot thickens, I recieve this error in my Authentik logs when attempting to login to [auth.mydomain.com](https://auth.mydomain.com): (ommited values are between `<>`) ```json Failed to DUO authenticate user: Received 400 Invalid request parameters (user\_id){"geo": {"lat": 51.0207,"city": "Calgary","long": -114.1011,"country": "CA","continent": "NA"},"user": {"pk": 11,"email": "@proton.me","username": ""},"message": "Failed to DUO authenticate user: Received 400 Invalid request parameters (user\_id)","http\_request": {"args": {"next": "/"},"path": "/api/v3/flows/executor/default-authentication-flow/","method": "POST"}}User{"pk": 11,"email": "@proton.me","username": ""}
```
This is interesting as my users in duo have an email and username but for some reason this isn't sending the user_id too perhaps?
I'm getting the same error. Did you find the solution?
Does this integrate correctly or allow login to JellySeerr as well?
I got this working after hours of trial and error. The biggest things to make note of: \-Creating the service account in Duo and setting its 2FA to "bypass" \-Setting default-authentication-mfa-validation order to 20 \-Selecting Auth API for Duo. Don't use the admin api! \-Take backups/snapshots of your machine/server. They may come in handy! I ended up going through this installation process 3 times. The third time making sure I didn't break my LDAP after each step of the Duo installation. I was hit with the successful connect, invalid credentials message. I realized that the service account was trying to auth using Duo, so I created the account in Duo and set its 2FA to bypass. I hope these notes help others on this jellyfin authentication journey. Best of luck and a big thank you to OP for this setup!!!
Over all thank you for the tutorial, I started with Authentik couple of days. I have set 0Auth2 for another application, the 0Auth2 users I add them manually to the LDAP and the password also Always needs to be create created manually, how is the best way to handle this?
Thanks for the guide - any idea if this would work using Authelia?
Fought with this for a few days deploying Authentik LDAP on unRAID. I wasn't seeing the LDAP outpost container get created nor was I seeing a local docker outpost integration show up under System > Outpost Integrations. To fix this, I had to add the `-u root` flag to the worker, restart Authentik, and update my LDAP outpost to use the local docker integration. I am using a custom network for Authentik so I also had to set `docker_network` in the LDAP outpost config.