
Centralized Authentication Functionality (LDAP/SSO/HTML Header/RADIUS) [DEVELOPMENT STARTED]


Untoten


Untoten

Just want to push this FR and want to add RADIUS support!

I will add it to the original request post my friend!  Make sure to like the first post, so all the likes are organized in one place @1ch_h4lt

Edited by Untoten

  • 2 weeks later...
schmitty

I would like to see SSO, as a minimum implemented... as I use Organizr, which pulls user accounts from Emby to login with Emby credentials. Having SSO would enable people to sign into Organizr, then automatically login to Emby.


Untoten

I would like to see SSO, as a minimum implemented... as I use Organizr, which pulls user accounts from Emby to login with Emby credentials. Having SSO would enable people to sign into Organizr, then automatically login to Emby.

Make sure to like the first post for ease of tracking :) Ty for the support.


  • 2 weeks later...

It'd be great to know if it's still on the radar of the main devs. I reiterate my promise to purchase a lifetime membership if this is implemented :)


Untoten

It would be neat to see the posters' IP addresses, I bet a few of them have the same address.......    ;)

Posters?  I am not endorsing my own post if that is what you are alluding to, and Luke/EBR know that, I have kept regular contact with them.  This is purely organic, but thank you for your concern.

 

What I do find interesting though, is that you have made a total of 3 posts, all 3 of which are calling me into question for various reasons, weird.  @ebr @Luke, anything strange going on there?

 

On another note, let's keep this thread on topic.  If you wish to add to the thought of this feature or endorse it, you are more than welcome :)

Edited by Untoten

Magic815

I am also not Untoten.

 

I am just a user who wants to be able to incorporate Emby into a remotely accessible website, and have SSO work so that login credentials can be passed from the main website to Emby.

 

@Luke and @ebr - You've stated you are interested in community feedback. Here is mine:

 

If I hadn't already paid for Emby Lifetime Premiere, I would be switching to Plex solely for the lack of SSO in Emby. I made the tough decision to give the "little guy" a chance a little over a year ago, instead of just going with Plex. Unanswered requests like this make me regret my decision. You can wave your hands and call me a "power user," but the fact remains that you are allowing a portion of your highest paying customers to regret sticking with you over Plex. And with every day a thread like this goes unanswered, that group of users grows.

Edited by Magic815

Dibbes

Last time I checked I wasn't Untoten either, but I would really love to see this. It's not my highest priority though, as I'd love to get the eBooks/Comics and a few issues first, but yes, it's fairly high up there :)

 

Once these things are fixed, I'll probably go ahead and either get a 2nd server subscription or a 25 device plus license if the multi-server request is finally implemented.

Edited by Dibbes

Untoten

Last time I checked I wasn't Untoten either, but I would really love to see this. It's not my highest priority though, as I'd love to get the eBooks/Comics and a few issues first, but yes, it's fairly high up there :)

 

Once these things are fixed, I'll probably go ahead and either get a 2nd server subscription or a 25 device plus license if the multi-server request is finally implemented.

While I do not think they should charge 25 a device, cause that would suck lol.  I too, will donate.  I said $1000 originally if it is implemented, but depends how many years it will take.  But I will donate a large amount if they do this, it is critical to me.


otispresley

There are obviously quite a few users wanting this feature. In fact, Emby is the only thing on my network that I cannot use AD to sign into. I use it to log into my router, switch, Windows Server, PCs and shares, Linux server, and Nextcloud.

 

Out of curiosity, why is this not a higher priority with all the support it is getting? Is it a code issue that requires significant change to the authentication module, or something else? The change should just be server side as the clients do not need to know how they are being authenticated by the server.


Dibbes

There are obviously quite a few users wanting this feature. In fact, Emby is the only thing on my network that I cannot use AD to sign into. I use it to log into my router, switch, Windows Server, PCs and shares, Linux server, and Nextcloud.

 

Out of curiosity, why is this not a higher priority with all the support it is getting? Is it a code issue that requires significant change to the authentication module, or something else? The change should just be server side as the clients do not need to know how they are being authenticated by the server.

 

It's a little more complicated than that. Next to the modification to the server itself, all the apps need to be modified and adapted and the Emby-Connect part is going to have to be rewritten entirely... it's not something that you can implement in a week or two.

Edited by Dibbes

Untoten

It's a little more complicated than that. Next to the modification to the server itself, all the apps need to be modified and adapted and the Emby-Connect part is going to have to be rewritten entirely... it's not something that you can implement in a week or two.

That is not exactly true.  For instance, I do not use Emby connect, I use local users.  The only thing that the apps would need to change is the way it sends the password.  Right now, Emby apps send a hashed password as protection since SSL is not default.  But for those of us who have pushed SSL via reverse proxy tunnel this is not needed.  All the app would need to be changed to do is to have the ability to send the credentials plaintext based on the server's configuration/preferences.

 

Besides that, all the Emby app knows is that it sent credentials and either received an OK response or an incorrect-credentials response from the server.  The app does not know what the server does on the backend for authentication, so it would be quite easy from the perspective of modifying the app.

 

As for modifying the server, SAML2 is documented quite well and especially for the .NET version, would not be a very complex implementation.  

 

Obviously the server may take some debugging once it is developed with an LDAP/SAML2/HTTP Header auth connector, but the app will be quite simple.  My previous employer undertook implementing this connector on our flagship product and it took one developer 3 days to finish and debug.

Edited by Untoten
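The server-side contract the post describes (credentials in, OK or incorrect-credentials out, with the backend chosen by server configuration and invisible to the app), as an added Python example that is not Emby's code: the `ServerConfig` fields, the `X-Remote-User` header name, the injected `ldap_bind` callable and the sample user store are all assumptions made for the illustration.

```python
# Added example: pluggable server-side auth; the app only ever sees OK / not OK.
import hashlib
import hmac
import os
from dataclasses import dataclass

@dataclass
class ServerConfig:
    auth_backend: str = "local"            # "local", "ldap" or "header"
    tls_terminated_by_proxy: bool = False  # clear-text password only over TLS
    trusted_proxy: str = "127.0.0.1"       # only this peer may assert a user
    header_name: str = "X-Remote-User"     # hypothetical header name

def _record(password):
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

LOCAL_USERS = {"alice": _record("correct horse")}  # constructed sample store

def local_auth(cfg, user, password, peer, headers, ldap_bind):
    rec = LOCAL_USERS.get(user)
    if rec is None:
        return False
    salt, digest = rec
    cand = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return hmac.compare_digest(cand, digest)  # constant-time comparison

def header_auth(cfg, user, password, peer, headers, ldap_bind):
    # A proxy-asserted identity is trusted only from the proxy's own address,
    # so a client that reaches the server directly cannot forge the header.
    return peer == cfg.trusted_proxy and headers.get(cfg.header_name) == user

def ldap_auth(cfg, user, password, peer, headers, ldap_bind):
    # ldap_bind is an injected simple-bind callable (hypothetical, so this runs
    # offline). The directory needs the clear password, so insist on the TLS
    # path, and reject empty passwords: an anonymous bind would "succeed".
    if not cfg.tls_terminated_by_proxy or not password:
        return False
    return bool(ldap_bind(user, password))

BACKENDS = {"local": local_auth, "header": header_auth, "ldap": ldap_auth}

def authenticate(cfg, user, password="", peer="", headers=None, ldap_bind=None):
    """The only result the app ever sees: True (OK) or False (incorrect)."""
    backend = BACKENDS.get(cfg.auth_backend)
    if backend is None:
        return False
    return backend(cfg, user, password, peer, headers or {}, ldap_bind)
```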

Dibbes

And there we have the issue. I do use connect and then there is the VPN option for the Mac user and a Linux user in the family.

Also, didn't I read somewhere that SAML2 and .net core does not yet fully function, especially not with Linux servers?


Untoten

And there we have the issue. I do use connect and then there is the VPN option for the Mac user and a Linux user in the family.

 

Also, didn't I read somewhere that SAML2 and .net core does not yet fully function, especially not with Linux servers?

Connect would be untouched, this would only need to affect local user auth.  There would be no reason to touch connect.

 

Please list it, I will read it, but the protocol is quite uniform so I would be surprised if that was anything more than a bug.  Every result I see seems to reflect a functional relationship:

https://www.google.com/search?q=saml2+.net&oq=saml2+.net&aqs=chrome..69i57j0l5.3282j0j7&sourceid=chrome&ie=UTF-8


Dibbes

It would make things easier if .net core was now fully supported. I'm not up to date on this at all. I haven't run into this for a while, professionally speaking.


The only thing that the apps would need to change is the way it sends the password.  Right now, Emby apps send a hashed password as protection since SSL is not default.  But for those of us who have pushed SSL via reverse proxy tunnel this is not needed.  All the app would need to be changed to do is to have the ability to send the credentials plaintext based on the server's configuration/preferences.

 

FYI - this part of the process is already in progress but we need to allow time for all apps to adjust.  But then, there is a lot more work that would have to be done on the server side.


Untoten

FYI - this part of the process is already in progress but we need to allow time for all apps to adjust.  But then, there is a lot more work that would have to be done on the server side.

The nice thing afterward is with users and auth standardized, it will make all user/auth FRs incredibly easy to scale and work with, like groups etc.


  • 2 weeks later...

I hope this is implemented at some point. Central user management is an amazing feature to have. I really want to keep the user&password combo the same across all the services I have. It also brings much more functionality like password complexity requirements, account lockout, group management, feature access and limitations, the list could go on and on.

 

I have not really looked at the code much or the side projects that start to get this ready. A plugin or server implementation would be great to bring this functionality.

 

Currently all my users are not allowed to view profile settings and I have made their passwords complex to avoid a security breach. I cannot let them have their own passwords as they can create anything right now.

 

Is there some way to allow LDAP auth from whatever devices would be easy to support and keep old apps on the basic login for compatibility? I know it is not the best practice for the long run but could it be an option?

