Search the Community

Is there plans on the roadmap for OpenID. I have searched but not found any indication this is in development. With many admins taking up SSO through Authelia or Authentik to enhance security it would be great for Emby to support it. One of the easier open standards is OpenID which the aforementioned support. Users could continue to use LDAP if they wish while others can use the arguably better SSO experience.

CURRENT STATUS: SSO: Not yet planned LDAP: Development COMPLETED - BETA AVAILABLE >180 direct endorsements >30 MONTHS (>2.5 years) >12,000 views PLEASE BUMP - - - - - PLEASE LIKE - - - - - PLEASE BUMP - - - - - PLEASE LIKE - - - - - PLEASE BUMP This would greatly expand Emby's usage, and possibly more enterprise level adoption, user templating, user groups, SSO, etc. There are also users who have completely abandoned Emby and ended subscriptions due to the lack of this necessary basic functionality. Note: SAML2 is also part of this request. (header auth is also acceptable, at a minimum.) Context: I am trying to use something like openfire as a Instant Messaging solution which already supports LDAP and SAML2. So this would allow the current user of emby to seamlessly use web-based instant messenger with the same username and password as Emby without the need to enter them into a form. This would also allow universal login to be shared with my home PC's, Spiceworks, Ombii, Organizr, etc. The multitude of possible flexible functionality this could add is truly incredible. THIS NEEDS TO BE DONE, myself and others cannot manage a userbase with proprietary passwords for a single service (with no self-service password reset/recovery), when things that have only months of development implement it within days, easily. Status: LDAP - Development Completed - BETA AVAILABLE! Common LDAP solutions to test against:​Open LDAP​ (Open Source) [use this] ApacheDS OpenDJ 389 Directory Server Microsoft Active Directory SSL is NOT actually needed, but Emby team insisted on it anyways: Simply offering a toggle option for auth to send plaintext or encrypted passwords would work just fine. It is ironic to claim the need to be overly security conscious of user passwords, while lagging behind on basic SSL. If SAML is implemented, a SAML request/response can just be signed by an x509 and it is just as secure as TLS using SSL. SSL does not need to be natively supported, as it is perfectly possible to run it through an SSL reverse proxy tunnel and have the same effect. SSL Feature Request: https://emby.media/community/index.php?/topic/33983-ssl-integrationsupport/&do=findComment&comment=322526As of now username and password is encrypted client-side as security as SSL is not natively implemented. Emby team has said this impedes the adoption of both SSO and LDAP. Please see our SSL request topic; like, comment, and endorse it to show how many people would enjoy/gain from this basic security. Ways to satisfy this FR: Direct LDAP connector SAML2 connector General SSO functionality (SSO Header, etc) Allowing user header auth NGINX auth support RADIUS Authentication Other features that are inherently possible if this is implemented: Self service passwords Ability for users to invite users/guests Expiring Accounts (after duration/trigger) Unified credentials for many services Corporate level authentication security User groups Mass User management Update 1: I encourage others to work on this but I am currently seeing what I can do to develop a solution to this myself. If you have experience in this LDAP/SSO/SAML2/SSL/.NET contact myself, @@Luke, @@ebr or the Emby team to let them know, any help is greatly appreciated! By everyone! Update 2: I know there is always the question of "well how many users actually want/will use this", so I compiled a list of some of the other threads/sites where people request this (to apparently no effectiveness in motivating the team). Update 3 (18 MONTH UPDATE): This request has now hit 18 months in age, NO progress made thus far whatsoever. ( ) Update 4: This FR is now the 4th most liked post ON THE ENTIRE FORUM and the 3rd most liked FR ON THE ENTIRE FORUM (ever), the 1st most liked active FR ON THE ENTIRE FORUM and over 4000 views. Counting endorsements besides those on this thread show over 115 direct requests/endorsements for this basic functionality. Lets get this moving guys, this is getting to be a bit much. Almost 2 years waiting on this now. Source Update 5 (9/20/2017): This feature request is now the MOST DESIRED REQUEST EVER MADE TO EMBY, sadly, that has not merited any progress at all. The staff has been working on things they believe Emby users want or may want, but it is clear what people want. We can only hope now our wishes are respected instead of being told what we want and having our requests dismissed. Source Update 6 [2 year update] (10/17/2017): Two years and not a single bit of progress has been made. TWO YEARS!!! To say this is disappointing is an understatement. The entire reason I went from Plex to Emby was because of local user management. THIS IS THE ONLY REASON, so naturally I wanted to have complete control over my users, but after TWO YEARS, still nothing. Update 7 (3/6/2018): DEVELOPMENT HAS STARTED!!! Check Luke's recent comments, if you want to test it out, download the latest beta and install/configure the LDAP plugin to test and give feedback!!! Update 8 (4/6/2018): Development on the LDAP connector has completed from what I gather, not sure if this is only a beta or a primary release; SSO is still a plan for the future but has not been touched. Progress made by other users (looks to be nearly, if not fully complete): https://github.com/MediaBrowser/Emby/pull/1885 https://github.com/MediaBrowser/Emby/pull/2139 Exploits shown by other users against Emby (emphasizing the need for a centralized authentication solution): https://emby.media/community/index.php?/topic/12335-unauthenticated-access-over-the-internet-to-logs-folder/ https://emby.media/community/index.php?/topic/20376-all-folders-visible-to-all-users-after-upgrade/ Related FR that could be helpful: https://emby.media/community/index.php?/topic/46635-support-for-logging-users-in-though-url-scheme/?hl=user Any of these could be interesting to have compatibility with: http://lemonldap-ng.org/welcome/ https://github.com/Jasig/cas http://passportjs.org/ https://www.nginx.com/resources/admin-guide/restricting-access-auth-request/ LDAP/SSO/SAML Requests (~180 endorsements) [>12,000 views] > 95 endorsements on this post ~ 30 endorsementshttps://github.com/MediaBrowser/Emby/issues/1146 > 35 endorsementshttps://www.bountysource.com/issues/24943821-authenticate-users-using-ldap > 14 endorsements​https://feathub.com/tidusjar/Ombi/+122 > 4 endorsementshttps://www.reddit.com/r/emby/comments/5o44wd/creating_deleting_updating_users_with_the_api/ Interview, in article comments user said lack of LDAP STOPPED him from using Emby (Emby is actually losing customers due to the lack of this NECESSARY basic functionality):https://www.linux.com/news/software/multimedia/856128-exclusive-interview-emby-founder-luke-pulverenti Duplicate, user had no progress on first 2 posts (no one from Emby actually tracked this or even replied to him):http://emby.media/community/index.php?/topic/861-mb3-and-active-directory/ http://emby.media/community/index.php?/topic/867-mb3-and-active-directory/ Auth announcement, user 'Drashna' in comments requested LDAP/ADhttp://emby.media/community/index.php?/blog/1/entry-177-manage-your-home-with-emby-users/ Various similar requestshttps://github.com/MediaBrowser/Emby/issues/2494 https://github.com/MediaBrowser/Emby/issues/2493 https://forum.yunohost.org/t/integration-emby/912 http://emby.media/community/index.php?/topic/13081-active-directory-integration/ http://emby.media/community/index.php?/topic/11200-media-browser-3-server-ldap-active-directory/ External SQL auth request:http://emby.media/community/index.php?/topic/27986-emby-and-shared-mysql-database/ http://emby.media/community/index.php?/topic/23509-authenticate-users-via-external-mysql-database/ http://emby.media/community/index.php?/topic/12001-external-login-to-mysql/ #ADFS #SSO #LDAP #ActiveDirectory #MSAD #SAML #SAML2.0 #SAML1.1 #PingFederate #OKTA #LemonLDAP #JASIG #authentication #auth #TLS #SSL #Usergroup #usertemplate #header #authheader #headerauth #security #hardening #authhardening #authenticationheader #externalauth #centralauth #centralizedauth #centralizeddb #exploit #authexploit #security #loginhardening #authenticationhardening #accesscontrol #.NET #SelfService #RADIUS

Hello, everybody, i have a password protected wordpress based website. There i call emby as an external application. Currently I have to authorize for Wordpress as well as Emby. I would like a single sign on (SSO) solution. However, this is completely new territory for me. Is something like this possible with emby, if so how? Regards

Status: Initiated Blueprint Luke has investigated this, unclear the progress on universal development. App devs have not begun dev for this. Once Luke builds core compatibility it may be 3+ months before app/client SSL adoption. Spread the word! Let's make it known how many Emby users would love to see this feature! I have seen scattered, unorganized requests for this that seemed to die, so this will serve to centralize all support for SSL and to track responses/feedback. This is to request Emby support SSL, both app and web client to server. This would be for Emby Connect setups as well as local user setup. Current Plan: Utilize Lets Encrypt (https://letsencrypt.org/) to allow automated endoint encryption. Luke is currently looking for members that may be able to help automate this at server endpoints. Possible Solutions include subdomains for each client (ex. customer.emby.media) or custom domains for each customer such as DyDNS. Reasons for this: Secure activity/traffic between client and server Allows passwords to be passed plain text from client to server. Would allow development of SSO/LDAP authentication solutions. Please see and support our topic linked below:https://emby.media/community/index.php?/topic/26495-ldap-support/ What is done: Enhanced SSL support on mobile application What is needed: Core universal SSL support App supported SSL Web-app supported SSL Authentication passed over SSL to allow plaintext passwords