Untoten 303 Posted October 18, 2015 (edited)

CURRENT STATUS:
SSO: Not yet planned
LDAP: Development COMPLETED - BETA AVAILABLE

- >180 direct endorsements
- >30 MONTHS (>2.5 years)
- >12,000 views

PLEASE BUMP - - - - - PLEASE LIKE - - - - - PLEASE BUMP - - - - - PLEASE LIKE - - - - - PLEASE BUMP

This would greatly expand Emby's usage, and possibly more enterprise level adoption, user templating, user groups, SSO, etc. There are also users who have completely abandoned Emby and ended subscriptions due to the lack of this necessary basic functionality.

Note: SAML2 is also part of this request. (Header auth is also acceptable, at a minimum.)

Context: I am trying to use something like openfire as an Instant Messaging solution which already supports LDAP and SAML2. So this would allow the current user of Emby to seamlessly use web-based instant messenger with the same username and password as Emby without the need to enter them into a form. This would also allow universal login to be shared with my home PCs, Spiceworks, Ombi, Organizr, etc. The multitude of possible flexible functionality this could add is truly incredible.

THIS NEEDS TO BE DONE; myself and others cannot manage a userbase with proprietary passwords for a single service (with no self-service password reset/recovery), when things that have only months of development implement it within days, easily.

Status: LDAP - Development Completed - BETA AVAILABLE!

Common LDAP solutions to test against:
- Open LDAP (Open Source) [use this]
- ApacheDS
- OpenDJ
- 389 Directory Server
- Microsoft Active Directory

SSL is NOT actually needed, but Emby team insisted on it anyways: Simply offering a toggle option for auth to send plaintext or encrypted passwords would work just fine. It is ironic to claim the need to be overly security conscious of user passwords, while lagging behind on basic SSL. If SAML is implemented, a SAML request/response can just be signed by an x509 and it is just as secure as TLS using SSL. SSL does not need to be natively supported, as it is perfectly possible to run it through an SSL reverse proxy tunnel and have the same effect.

SSL Feature Request: https://emby.media/community/index.php?/topic/33983-ssl-integrationsupport/&do=findComment&comment=322526

As of now, username and password are encrypted client-side as security, as SSL is not natively implemented. Emby team has said this impedes the adoption of both SSO and LDAP. Please see our SSL request topic; like, comment, and endorse it to show how many people would enjoy/gain from this basic security.

Ways to satisfy this FR:
- Direct LDAP connector
- SAML2 connector
- General SSO functionality (SSO Header, etc)
- Allowing user header auth
- NGINX auth support
- RADIUS Authentication

Other features that are inherently possible if this is implemented:
- Self service passwords
- Ability for users to invite users/guests
- Expiring Accounts (after duration/trigger)
- Unified credentials for many services
- Corporate level authentication security
- User groups
- Mass User management

Update 1: I encourage others to work on this but I am currently seeing what I can do to develop a solution to this myself. If you have experience in this LDAP/SSO/SAML2/SSL/.NET contact myself, @Luke, @ebr or the Emby team to let them know, any help is greatly appreciated! By everyone!

Update 2: I know there is always the question of "well how many users actually want/will use this", so I compiled a list of some of the other threads/sites where people request this (to apparently no effectiveness in motivating the team).

Update 3 (18 MONTH UPDATE): This request has now hit 18 months in age, NO progress made thus far whatsoever.

Update 4: This FR is now the 4th most liked post ON THE ENTIRE FORUM and the 3rd most liked FR ON THE ENTIRE FORUM (ever), the 1st most liked active FR ON THE ENTIRE FORUM and over 4000 views. Counting endorsements besides those on this thread shows over 115 direct requests/endorsements for this basic functionality. Let's get this moving guys, this is getting to be a bit much. Almost 2 years waiting on this now. Source

Update 5 (9/20/2017): This feature request is now the MOST DESIRED REQUEST EVER MADE TO EMBY, sadly, that has not merited any progress at all. The staff has been working on things they believe Emby users want or may want, but it is clear what people want. We can only hope now our wishes are respected instead of being told what we want and having our requests dismissed. Source

Update 6 [2 year update] (10/17/2017): Two years and not a single bit of progress has been made. TWO YEARS!!! To say this is disappointing is an understatement. The entire reason I went from Plex to Emby was because of local user management. THIS IS THE ONLY REASON, so naturally I wanted to have complete control over my users, but after TWO YEARS, still nothing.

Update 7 (3/6/2018): DEVELOPMENT HAS STARTED!!! Check Luke's recent comments, if you want to test it out, download the latest beta and install/configure the LDAP plugin to test and give feedback!!!

Update 8 (4/6/2018): Development on the LDAP connector has completed from what I gather, not sure if this is only a beta or a primary release; SSO is still a plan for the future but has not been touched.

Progress made by other users (looks to be nearly, if not fully complete):
- https://github.com/MediaBrowser/Emby/pull/1885
- https://github.com/MediaBrowser/Emby/pull/2139

Exploits shown by other users against Emby (emphasizing the need for a centralized authentication solution):
- https://emby.media/community/index.php?/topic/12335-unauthenticated-access-over-the-internet-to-logs-folder/
- https://emby.media/community/index.php?/topic/20376-all-folders-visible-to-all-users-after-upgrade/

Related FR that could be helpful:
- https://emby.media/community/index.php?/topic/46635-support-for-logging-users-in-though-url-scheme/?hl=user

Any of these could be interesting to have compatibility with:
- http://lemonldap-ng.org/welcome/
- https://github.com/Jasig/cas
- http://passportjs.org/
- https://www.nginx.com/resources/admin-guide/restricting-access-auth-request/

LDAP/SSO/SAML Requests (~180 endorsements) [>12,000 views]
- > 95 endorsements on this post
- ~ 30 endorsements: https://github.com/MediaBrowser/Emby/issues/1146
- > 35 endorsements: https://www.bountysource.com/issues/24943821-authenticate-users-using-ldap
- > 14 endorsements: https://feathub.com/tidusjar/Ombi/+122
- > 4 endorsements: https://www.reddit.com/r/emby/comments/5o44wd/creating_deleting_updating_users_with_the_api/

Interview, in article comments user said lack of LDAP STOPPED him from using Emby (Emby is actually losing customers due to the lack of this NECESSARY basic functionality):
- https://www.linux.com/news/software/multimedia/856128-exclusive-interview-emby-founder-luke-pulverenti

Duplicate, user had no progress on first 2 posts (no one from Emby actually tracked this or even replied to him):
- http://emby.media/community/index.php?/topic/861-mb3-and-active-directory/
- http://emby.media/community/index.php?/topic/867-mb3-and-active-directory/

Auth announcement, user 'Drashna' in comments requested LDAP/AD:
- http://emby.media/community/index.php?/blog/1/entry-177-manage-your-home-with-emby-users/

Various similar requests:
- https://github.com/MediaBrowser/Emby/issues/2494
- https://github.com/MediaBrowser/Emby/issues/2493
- https://forum.yunohost.org/t/integration-emby/912
- http://emby.media/community/index.php?/topic/13081-active-directory-integration/
- http://emby.media/community/index.php?/topic/11200-media-browser-3-server-ldap-active-directory/

External SQL auth request:
- http://emby.media/community/index.php?/topic/27986-emby-and-shared-mysql-database/
- http://emby.media/community/index.php?/topic/23509-authenticate-users-via-external-mysql-database/
- http://emby.media/community/index.php?/topic/12001-external-login-to-mysql/

#ADFS #SSO #LDAP #ActiveDirectory #MSAD #SAML #SAML2.0 #SAML1.1 #PingFederate #OKTA #LemonLDAP #JASIG #authentication #auth #TLS #SSL #Usergroup #usertemplate #header #authheader #headerauth #security #hardening #authhardening #authenticationheader #externalauth #centralauth #centralizedauth #centralizeddb #exploit #authexploit #security #loginhardening #authenticationhardening #accesscontrol #.NET #SelfService #RADIUS

Edited April 7, 2018 by Untoten
114

Fratopolis 62 Posted January 24, 2016
Untoten? Why did you say done? I would love to have AD group integration. I am a Systems Admin at a school district and this product would rock their world. Teachers and students could really utilize this. I am a Lifetime subscriber for home use but in the district manually creating users would be a full time job.
1

Luke 39386 Posted January 24, 2016
It's not done. It's been requested by others before so we're just monitoring demand for it.
1

ebr 15550 Posted January 24, 2016
If you want to express your desire - "Like" the first post in here.
1

jose 73 Posted February 11, 2016
Support LDAP groups too, and be able to set settings for a group instead of per user.
1

Untoten 303 (Author) Posted February 12, 2016
I am working on this currently with hopeful SAML support, please contact me if you have any related experience and a little time.

Luke 39386 Posted March 6, 2016
Didn't I already PM you with some things we need to get done first before this can be looked at? It has some pre-requisites we need to do first.

Untoten 303 (Author) Posted March 6, 2016
You bet, but the more exposure the more possible people to assist in building and the more people will show their support/make a use case. Perhaps we can include a list of prereqs too to give users more transparency so they know what is needed/why it's not done yet.

Cerothen 95 Posted March 6, 2016
Is it possible currently or is it something that could be made possible to allow people to write plugins for Emby to enable alternate authentication? Then people could write plugins that would authenticate against whatever they wanted, Active Directory, MySQL, FTP, a text file they keep on the computer because they are misguided etc.
1

Untoten 303 (Author) Posted March 12, 2016
Sadly, it is not currently possible. They still need SSL working, if you want to help in that. Also, if you know programming check out the SAML 2 C# spec, they/I could use help with that as well.

AxeMan 24 Posted March 28, 2016
Count me as interested. Replying to track progress
1

neo_hijacker 2 Posted March 29, 2016
Hi, Interested too by any external DB authentication mechanism. LDAP and SAML are the best choice. Rgds,
2

Untoten 303 (Author) Posted April 11, 2016
Still waiting for the Emby team to complete SSL support, until they complete this we cannot move forward with any SSO.

AndreasL 2 Posted June 15, 2016
Thumbs up for LDAP. Would love to see integration for external user management.
1

Theodore 136 Posted September 19, 2016
I actually really like this idea too. AD integration for group permissions via an LDAP lookup would be awesome!
1

Untoten 303 (Author) Posted September 20, 2016
> I actually really like this idea too. AD integration for group permissions via an LDAP lookup would be awesome!
Thanks for the support! Make sure to like the top post so they see your endorsement!

cervy1536 1 Posted October 9, 2016
The possibility of LDAP support is the reason why I would consider this over PLEX
1

fernsm 2 Posted November 15, 2016 (edited)
Just implementing Emby for my school (lifetime subscriber at home), it's replacing a Windows Media Services (Windows 2008R2) server which has come to the end of its useful life. Equivalent media server solutions for education can cost several thousand pounds to buy and implement so Emby is perfect for education, especially as it's web based.

Most schools and universities run Windows Active Directory so AD authentication would be really appreciated, especially if you can assign permissions through groups e.g. teachers would have different permissions to students. For example teachers could record* Freeview (UK) TV programs using the HDHomeRun whilst students could not.

As the Emby server is free and the lifetime subscription so cheap and AD authentication is really for commercial use rather than home I would be happy if this was a paid for commercial add-on with an educational discount :-)

Out of interest our Emby Server spec: HP Proliant DL380 G6 Storage Server 2x SIX CORE X5660 Xeon CPUs, 12TB SATA RAID 5, 32GB RAM, 4x 1Gb NICs. We think it would have no problem streaming simultaneously to 70+ PCs.

*I'm assuming this is possible?

Edited November 15, 2016 by fernsm
2

Luke 39386 Posted November 15, 2016
It is something we've discussed as a possibility, yes.

Untoten 303 (Author) Posted December 1, 2016
@Luke @ebr Can we please get the ball rolling on this? I requested this far over a year ago, it has some very real uses and it is clearly not a rare request. I see much potential for many things with Emby but this is a gigantic hindrance. I have told Luke before I would donate $500-$1000 just to get this working.