Completed

Centralized Authentication Functionality (LDAP/SSO/HTML Header/RADIUS) [DEVELOPMENT STARTED]

LDAP SSO SAML SAML2 Authentication security radius

211 replies to this topic

#1 Untoten OFFLINE  

Untoten

    Advanced Member

  • Members
  • 425 posts

Posted 17 October 2015 - 10:35 PM


CURRENT STATUS:

SSO: Not yet planned

LDAP: Development COMPLETED - BETA AVAILABLE

 

 

>180 direct endorsements

>30 MONTHS (>2.5 years)

>12,000 views

 

 

PLEASE BUMP - - - - - PLEASE LIKE - - - - - PLEASE BUMP - - - - - PLEASE LIKE - - - - - PLEASE BUMP

 

 

This would greatly expand Emby's usage, and possibly more enterprise level adoption, user templating, user groups, SSO, etc.  There are also users who have completely abandoned Emby and ended subscriptions due to the lack of this necessary basic functionality.
 

Note: SAML2 is also part of this request. (header auth is also acceptable, at a minimum.)

 

Context: I am trying to use something like Openfire as an Instant Messaging solution which already supports LDAP and SAML2. So this would allow the current user of Emby to seamlessly use web-based instant messenger with the same username and password as Emby without the need to enter them into a form. This would also allow universal login to be shared with my home PCs, Spiceworks, Ombii, Organizr, etc. The multitude of possible flexible functionality this could add is truly incredible. THIS NEEDS TO BE DONE, myself and others cannot manage a userbase with proprietary passwords for a single service (with no self-service password reset/recovery), when things that have only months of development implement it within days, easily.
 

Status

  • LDAP - Development Completed - BETA AVAILABLE!
  • SSL is NOT actually needed, but Emby team insisted on it anyways: 
    • Simply offering a toggle option for auth to send plaintext or encrypted passwords would work just fine.
    • It is ironic to claim the need to be overly security conscious of user passwords, while lagging behind on basic SSL.  
    • If SAML is implemented, a SAML request/response can just be signed by an x509 and it is just as secure as TLS using SSL.  
    • SSL does not need to be natively supported, as it is perfectly possible to run it through an SSL reverse proxy tunnel and have the same effect.
  • SSL Feature Request: https://emby.media/c...rt/#entry322526
    • As of now, username and password are encrypted client-side as security as SSL is not natively implemented.
    • Emby team has said this impedes the adoption of both SSO and LDAP.  
    • Please see our SSL request topic; like, comment, and endorse it to show how many people would enjoy/gain from this basic security.

 

Ways to satisfy this FR:

  • Direct LDAP connector
  • SAML2 connector
  • General SSO functionality (SSO Header, etc)
  • Allowing user header auth
  • NGINX auth support
  • RADIUS Authentication

Other features that are inherently possible if this is implemented:

  • Self service passwords
  • Ability for users to invite users/guests
  • Expiring Accounts (after duration/trigger)
  • Unified credentials for many services
  • Corporate level authentication security
  • User groups
  • Mass User management

 

Update 1: I encourage others to work on this but I am currently seeing what I can do to develop a solution to this myself.  If you have experience in this LDAP/SSO/SAML2/SSL/.NET contact myself, @Luke, @ebr or the Emby team to let them know, any help is greatly appreciated!  By everyone!

 

Update 2: I know there is always the question of "well how many users actually want/will use this", so I compiled a list of some of the other threads/sites where people request this (to apparently no effectiveness in motivating the team).

 

Update 3 (18 MONTH UPDATE): This request has now hit 18 months in age, NO progress made thus far whatsoever. ( :( )

 

Update 4: This FR is now the 4th most liked post ON THE ENTIRE FORUM and the 3rd most liked FR ON THE ENTIRE FORUM (ever), the 1st most liked active FR ON THE ENTIRE FORUM and over 4000 views. Counting endorsements besides those on this thread show over 115 direct requests/endorsements for this basic functionality. Let's get this moving guys, this is getting to be a bit much. Almost 2 years waiting on this now.

Source

 

Update 5 (9/20/2017): This feature request is now the MOST DESIRED REQUEST EVER MADE TO EMBY, sadly, that has not merited any progress at all.  The staff has been working on things they believe Emby users want or may want, but it is clear what people want.  We can only hope now our wishes are respected instead of being told what we want and having our requests dismissed.
Source

Update 6 [2 year update] (10/17/2017): Two years and not a single bit of progress has been made.  TWO YEARS!!!  To say this is disappointing is an understatement.  The entire reason I went from Plex to Emby was because of local user management.  THIS IS THE ONLY REASON, so naturally I wanted to have complete control over my users, but after TWO YEARS, still nothing.
 

Update 7 (3/6/2018): DEVELOPMENT HAS STARTED!!! Check Luke's recent comments, if you want to test it out, download the latest beta and install/configure the LDAP plugin to test and give feedback!!! 

 

Update 8 (4/6/2018): Development on the LDAP connector has completed from what I gather, not sure if this is only a beta or a primary release; SSO is still a plan for the future but has not been touched.

 

Progress made by other users (looks to be nearly, if not fully complete):

https://github.com/M.../Emby/pull/1885
https://github.com/M.../Emby/pull/2139

 

Exploits shown by other users against Emby (emphasizing the need for a centralized authentication solution):
https://emby.media/c...to-logs-folder/

https://emby.media/c...-after-upgrade/

 

Related FR that could be helpful:
https://emby.media/c...scheme/?hl=user

 

 

Any of these could be interesting to have compatibility with:

 

LDAP/SSO/SAML Requests (~180 endorsements) [>12,000 views]

 

 

#ADFS #SSO #LDAP #ActiveDirectory #MSAD #SAML #SAML2.0 #SAML1.1 #PingFederate #OKTA #LemonLDAP #JASIG #authentication #auth  #TLS #SSL #Usergroup #usertemplate #header #authheader #headerauth #security #hardening #authhardening #authenticationheader #externalauth #centralauth #centralizedauth #centralizeddb #exploit #authexploit #security #loginhardening #authenticationhardening #accesscontrol #.NET #SelfService #RADIUS


Edited by Untoten, 06 April 2018 - 09:20 PM.

  • crashkelly, Erik, sydlexius and 95 others like this

#2 Fratopolis OFFLINE  

Fratopolis

    Advanced Member

  • Members
  • 250 posts

Posted 23 January 2016 - 10:40 PM

Untoten? Why did you say done? I would love to have AD group integration. I am a Systems Admin at a school district and this product would rock their world. Teachers and students could really utilize this.

 

I am a Lifetime subscriber for home use but in the district manually creating users would be a full time job.


  • mtait4893 likes this

#3 Luke OFFLINE  

Luke

    System Architect

  • Administrators
  • 153455 posts

Posted 23 January 2016 - 10:42 PM

It's not done. It's been requested by others before so we're just monitoring demand for it.


  • Untoten likes this

#4 ebr ONLINE  

ebr

    Chief Bottle Washer

  • Administrators
  • 50917 posts

Posted 24 January 2016 - 09:36 AM

If you want to express your desire - "Like" the first post in here.


  • Untoten likes this

#5 jose OFFLINE  

jose

    Advanced Member

  • Developers
  • 323 posts

Posted 11 February 2016 - 03:12 PM

Support LDAP groups too, and be able to set settings for a group instead of per user.


  • Untoten likes this

#6 Untoten OFFLINE  


Posted 12 February 2016 - 05:46 AM

I am working on this currently with hopeful SAML support, please contact me if you have any related experience and a little time.



#7 Untoten OFFLINE  


Posted 18 February 2016 - 09:25 PM

Bump

#8 Untoten OFFLINE  


Posted 06 March 2016 - 12:09 AM

Bump



#9 Luke OFFLINE  


Posted 06 March 2016 - 12:29 AM

Didn't I already PM you with some things we need to get done first before this can be looked at? It has some prerequisites we need to do first.



#10 Untoten OFFLINE  


Posted 06 March 2016 - 12:34 AM

You bet, but the more exposure the more possible people to assist in building and the more people will show their support/make a use case.

Perhaps we can include a list of prereqs too to give users more transparency so they know what is needed/why it's not done yet.



#11 Cerothen OFFLINE  

Cerothen

    Advanced Member

  • Members
  • 213 posts

Posted 06 March 2016 - 11:30 AM

Is it possible currently or is it something that could be made possible to allow people to write plugins for Emby to enable alternate authentication? Then people could write plugins that would authenticate against whatever they wanted, Active Directory, MySQL, FTP, a text file they keep on the computer because they are misguided etc.


  • Untoten likes this

#12 Untoten OFFLINE  


Posted 12 March 2016 - 08:04 AM

Sadly, it is not currently possible.  They still need SSL working, if you want to help in that.  Also, if you know programming check out the SAML 2 C# spec, they/I could use help with that as well.



#13 AxeMan OFFLINE  

AxeMan

    Advanced Member

  • Members
  • 95 posts

Posted 28 March 2016 - 02:36 AM

Count me as interested. Replying to track progress
  • Untoten likes this

#14 neo_hijacker OFFLINE  

neo_hijacker

    Newbie

  • Members
  • 9 posts

Posted 29 March 2016 - 06:28 PM

Hi,

 

Also interested in any external DB authentication mechanism. LDAP and SAML are the best choices.

 

Rgds,


  • drashna and Untoten like this

#15 Untoten OFFLINE  


Posted 11 April 2016 - 11:31 AM

Still waiting for the Emby team to complete SSL support, until they complete this we cannot move forward with any SSO.



#16 Untoten OFFLINE  


Posted 02 June 2016 - 08:58 PM

Bump.



#17 AndreasL OFFLINE  

AndreasL

    Newbie

  • Members
  • 7 posts
  • Location: Germany

Posted 15 June 2016 - 10:40 AM

Thumbs up for LDAP.

Would love to see integration for external user management.


  • Untoten likes this

#18 Untoten OFFLINE  


Posted 29 August 2016 - 05:03 PM

Bump.



#19 Theodore OFFLINE  

Theodore

    Advanced Member

  • Members
  • 169 posts

Posted 19 September 2016 - 12:20 AM

I actually really like this idea too. AD integration for group permissions via an LDAP lookup would be awesome!


  • Untoten likes this

#20 Untoten OFFLINE  


Posted 20 September 2016 - 09:52 AM

> I actually really like this idea too. AD integration for group permissions via an LDAP lookup would be awesome!

Thanks for the support!  Make sure to like the top post so they see your endorsement!






