12 votes

What unified login to use?

I'm setting up a server with Nextcloud, Plex, Matrix and some other things I don't yet know, for some friends and family (about 20 people if I get lucky),
and now I've heard of a thing called single sign-on/unified login (log in to different services with the same user/password and/or log in once and get access to all services).

So far I've found out about Keycloak https://en.wikipedia.org/wiki/Keycloak

Is this what I'm looking for? Does anybody have experience with this? Are there other/better/simpler solutions for this?

15 comments

  1. [7]
    Adys

    Keycloak is very reliable, we use it for Arch Linux internally (we're moving old services to it slowly; our gitlab instance already uses it).

    For personal self hosting it's super overkill though, and with a similar vibe as "don't do email yourself", I'd say "don't do auth yourself": just use GSuite or Auth0. Especially since you're not just doing this for yourself, you're doing it for other people too…

    It is "nimble enough" for a home lab (@undu) if you really need SSO. But I question the methodology of anyone who ends up in the situation that they need to use it for personal purposes (as opposed to providing a large service).

    To put it mildly, auth is complex. I've dealt with it a lot and I'm happy to elaborate if you have more specific questions. I would advise against providing an auth service to other people right now if you're just finding out about what SSO is.

    12 votes
    1. [4]
      Don_Camillo

      Thank you for your answer. Part of the whole idea is to have and give a local alternative to the big data silos, so GSuite is out of the question. And looking just now at Auth0, which belongs to a 6 billion US company, does not instill good feelings either :-)
      Is there a free/libre alternative? I would prefer having no SSO at all to using one of these two. What do you think about using the built-in solutions of every service? It's a lot less comfortable, but it seems I can fuck up a lot less.
      And yes, I don't do email myself, I let Migadu do it for me, as that is too critical of an infrastructure.

      3 votes
      1. [3]
        Adys

        If you consider email to be critical infra, you should consider auth to be even more critical :)

        No SSO is a fine solution to your dilemma. Mind you that auth0 and gsuite are business offerings, they don't just share/resell user data for the fuck of it. They're excellent, high quality SSO providers imo.

        2 votes
        1. [2]
          Don_Camillo

          Yes, I know, but I can live without Nextcloud & co. for a pretty long while; I can't without email. I mean, on my Nextcloud there is more sensitive data, but not having access to my email would really really hurt my life :-) But yes, in the end, I want to learn these things, and the only way to learn it is to do it, I guess.

          But I will look more thoroughly into the GSuite/Auth0 offerings, as I might have some misconceptions there.

          1 vote
          1. Adys

            For learning purposes please go right ahead :) Just be wary of exposing this to other users than you.

            You get auth wrong = people get into your account, you get locked out / lock others out of accounts, passwords leak, etc. There's a much worse potential than getting email wrong.

            4 votes
    2. [2]
      undu

      I'm all for self-hosting services because I don't want to depend on the internet for some things. This means necessarily a self-hosted identity provider. If the existing solutions are too complex, that means to me there is work to do to simplify those :)

      1 vote
      1. Adys

        There's always the solution of not having an identity provider at all, but individual accounts for each service. My larger point is that these things use SAML or OAuth2/OIDC, and those are all easy to not get right, and dangerous to self-host (mostly due to their complexity, and need to really understand what you're doing/configuring).

  2. [3]
    Artemix

    I've never been able to find a reliable SSO system.

    The only road I take, for now, for self-hosted services central ID authentication is using client-side certificates or basic auth realm passwords. Sadly, not a lot of self-hosted web services support either.

    8 votes
    1. CedarMadness

      Putting everything behind a reverse proxy and using client-side certificates or hardware tokens is the most secure way; however, this would not work if someone wants to use anything other than a web browser, e.g. use a Roku to log in to your Plex server.

      1 vote
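The reverse-proxy-plus-client-certificate setup described in the comment above, as an added example (not code from the thread or from any of the projects mentioned): an nginx server block that terminates TLS, requires a certificate issued by a private CA before forwarding anything, and passes the verified identity to a self-hosted app. The hostname, file paths and upstream port are assumptions for illustration.

```nginx
# Added example, not from the thread. nginx as a TLS-terminating reverse
# proxy that only forwards requests from clients holding a certificate
# issued by your own private CA. Hostname, paths and upstream are assumed.
server {
    listen 443 ssl;
    server_name cloud.example.home;               # assumed hostname

    ssl_certificate     /etc/nginx/tls/server.crt;  # assumed path
    ssl_certificate_key /etc/nginx/tls/server.key;  # assumed path

    # CA certificate of the private CA that issues the client certificates
    # you hand out to each user (one cert per person, so one can be revoked
    # without touching the others).
    ssl_client_certificate /etc/nginx/tls/client-ca.crt;  # assumed path

    # 'on' makes the TLS handshake itself fail when no valid client
    # certificate is presented, so unauthenticated requests never reach
    # the location blocks below, let alone the application.
    ssl_verify_client on;
    ssl_verify_depth 1;   # accept only certs signed directly by that CA

    location / {
        # Hand the verified subject DN to the app. The app must trust this
        # header only when the request comes from this proxy: anyone who can
        # reach the upstream port directly could set it themselves.
        proxy_set_header X-SSL-Client-DN $ssl_client_s_dn;
        proxy_set_header Host $host;
        proxy_pass http://127.0.0.1:8080;   # assumed upstream (e.g. the web app)
    }
}
```

With `ssl_verify_client on` a client that cannot present a certificate, such as the Roku in the comment, fails at the TLS handshake; the usual way to carve out a path for such devices is `ssl_verify_client optional` together with a per-location check of `$ssl_client_verify` that returns 403 unless it equals `SUCCESS`. Bind the upstream to localhost or a private interface so the only route to the app is through the proxy.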
    2. Don_Camillo

      Thank you, I will look into that.

  3. undu

    I'm also looking for an openID connect / SSO solution for my home lab, I don't want to start creating account for every service I decide to use.

    Back when I worked around authentication for an organization, Keycloak was recommended as the way to easily configure an identity provider with SSO. I don't know if it's nimble enough for a home lab or if it's more of an enterprise solution.

    3 votes
  4. [2]
    Pistos

    Personally, I avoid all SSO, and also use different email addresses for every site that needs an account. That way, my activities and personas across the Internet are less likely to be associated and pooled into a single treasure trove of mineable data.

    3 votes
    1. AhOkNevermind

      Moreover, if one of these services has a data breach, you only expose one email to potential spam, and you'll even know which service is at fault.
      Another positive aspect is that service providers exchange user information in order to build a more detailed profile of their users. You won't be affected if they only make associations on simple data points such as the email address or your name.

      2 votes
  5. [2]
    jcdl

    I don't think it would work in this setting, but an LDAP-based cloud service like JumpCloud is tried and tested in the enterprise space. I set it up for a bunch of internal services at my last job for about a dozen people.

    2 votes
    1. Don_Camillo

      Thank you for your answer. But it suffers from the same/similar problem I mentioned above, and I can never afford $5 per user per month just for SSO :-/

      2 votes