Configuring SSO for Immich with Authelia OIDC
In this blog post we will configure Authelia as an OIDC provider and use it to enable Single Sign On (SSO) via OIDC/OAuth in Immich.
Configuring Authelia
Authelia's configuration is defined in a configuration.yaml file. Within this file, we can define the necessary OIDC configuration settings, such as defining a provider and a client.
Creating an OIDC Provider and Client
Authelia's public OIDC documentation provides an example configuration. Within this example configuration, several parameters require either a secret value or a certificate.
The secret values and certificates can be securely generated using the Authelia Docker image as follows (see here):
# create a secure random secret value (e.g. for hmac_secret)
docker run --rm authelia/authelia:latest authelia crypto rand --length 64 --charset alphanumeric
# create a self-signed RSA certificate and private key and print both
# please adjust `authelia.example.com` to your domain
docker run --rm authelia/authelia sh -c "authelia crypto certificate rsa generate --common-name authelia.example.com && cat public.crt && cat private.pem"
Having created those secret values and the certificate information, we can adjust Authelia's example OIDC configuration. We will insert our self-generated secrets and certificate information and adjust the configuration slightly so that it is properly aligned with Immich.
Replace all example.com entries with your own domains.
Be sure to adjust the following key parameters:
- hmac_secret
- issuer_certificate_chain
- issuer_private_key
- allowed_origins
- secret
- redirect_uris
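The following configuration.yaml excerpt for the Immich client is an added illustration, not the author's configuration. It assumes Authelia at authelia.example.com, Immich at immich.example.com, the client id `immich`, and Immich's web login callback path `/auth/login`; the REPLACE_WITH_... values are placeholders for the secrets and certificate generated above.

```yaml
identity_providers:
  oidc:
    # output of: authelia crypto rand --length 64 --charset alphanumeric
    hmac_secret: 'REPLACE_WITH_GENERATED_HMAC_SECRET'
    # output of: authelia crypto certificate rsa generate (public.crt / private.pem)
    issuer_certificate_chain: |
      -----BEGIN CERTIFICATE-----
      REPLACE_WITH_CONTENT_OF_public.crt
      -----END CERTIFICATE-----
    issuer_private_key: |
      -----BEGIN RSA PRIVATE KEY-----
      REPLACE_WITH_CONTENT_OF_private.pem
      -----END RSA PRIVATE KEY-----
    cors:
      endpoints:
        - authorization
        - token
        - revocation
        - introspection
      # only the Immich web origin may call the OIDC endpoints cross-origin
      allowed_origins:
        - https://immich.example.com
    clients:
      - id: immich                        # goes into Immich's CLIENT ID field
        description: Immich
        # goes into Immich's CLIENT SECRET field (plaintext value).
        # Newer Authelia releases expect the hashed form produced by
        # `authelia crypto hash generate pbkdf2 --random` here instead.
        secret: 'REPLACE_WITH_CLIENT_SECRET'
        public: false
        authorization_policy: two_factor  # require 2FA in Authelia before issuing tokens
        scopes:
          - openid
          - profile
          - email
        # exact-match list: Authelia rejects any redirect_uri not listed here
        redirect_uris:
          - https://immich.example.com/auth/login                 # web login (assumed path)
          - https://immich.example.com/api/oauth/mobile-redirect  # mobile redirect override
        grant_types:
          - authorization_code
        response_types:
          - code
        userinfo_signing_algorithm: none  # Immich consumes an unsigned userinfo response
```

Keep the redirect_uris list to exactly the Immich endpoints you use; any extra or wildcard entry widens where Authelia will send authorization codes.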
Configuring Immich
The configuration of Immich can be adjusted by logging into the web application as admin and then opening the administration and settings area.
Setting up OAuth
Visit your Immich web instance and login as admin. Then browse to the URL /admin/system-settings. You'll find a setting named OAuth Authentication.
Adjust the key parameters as follows; here is a short explanation of each setting:
- ISSUER URL: This is the FQDN of your Authelia instance
- CLIENT ID: This is the client name defined in Authelia's configuration.yml
- CLIENT SECRET: This is the client secret defined in Authelia's configuration.yml
- SCOPE: Can be left unchanged
- STORAGE LABEL CLAIM: Can be left unchanged
- BUTTON TEXT: Your preferred button text shown at the login page
- AUTO REGISTER: Your preferred choice, whether Authelia users are automatically registered/created within Immich if not yet existing. I recommend setting this to false. Create the users manually!
- AUTO LAUNCH: Whether the OAuth/OIDC authentication flow should be started automatically. If enabled, there won't be an option to use the local authentication flow with username and password anymore.
- MOBILE REDIRECT URI OVERRIDE: Must be enabled to support proper redirections from Authelia browser login back to the Immich mobile app.
- MOBILE REDIRECT URI: This is a specific URL provided by Immich, which will open the Immich mobile app if opened. Basically a custom scheme or deep link; see here. It consists of your Immich FQDN and the path /api/oauth/mobile-redirect.
Afterwards, you can hit the save button and test the newly configured OIDC SSO.
Both the web application and the mobile application of Immich will show a new button to login via OAuth/OIDC. Just hit the button, authenticate against Authelia and you will be redirected to Immich as an authenticated user.
Enjoy!