User Tools

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
services:immich [2025/02/24 08:18] willyservices:immich [2025/03/19 10:04] (current) – [SSO authentication setup] willy
Line 18: Line 18:
 Immich needs to be installed using a docker compose file. This is the official and only supported installation method. I will show you, of course, how to run it rootless with podman. Immich installation is detailed [[https://immich.app/docs/install/docker-compose|here]], and i suggest you take a look at. Immich needs to be installed using a docker compose file. This is the official and only supported installation method. I will show you, of course, how to run it rootless with podman. Immich installation is detailed [[https://immich.app/docs/install/docker-compose|here]], and i suggest you take a look at.
  
-I assume you have already created the photo user and group (see [[services:photomanagement|here]], but in case you didn't, here you go:+I assume you have already created the photo user and group (see [[selfhost:photomanagement|here]], but in case you didn't, here you go:
 <code bash> <code bash>
 useradd -d /data/daemons/photos photos useradd -d /data/daemons/photos photos
Line 114: Line 114:
 ==== SSO authentication setup ==== ==== SSO authentication setup ====
  
-WIP+Immich support direct integration with [[selfhost:sso|Authelia SSO]], specific instructions can be found [[https://www.authelia.com/integration/openid-connect/immich/|on this page]]. 
 + 
 +First of all, you need to configure Authelia with a new client: 
 +<code> 
 +identity_providers: 
 +  oidc: 
 +    ## The other portions of the mandatory OpenID Connect 1.0 configuration go here. 
 +    ## See: https://www.authelia.com/c/oidc 
 +    clients: 
 +      - client_id: << see below to generate ClientID >> 
 +        client_name: 'immich' 
 +        client_secret: << see below to generale ClientSecret, put the digest here >> 
 +        public: false 
 +        authorization_policy: 'one_factor' 
 +        redirect_uris: 
 +          - 'https://immich.mydomain.com/auth/login' 
 +          - 'https://immich.mydomain.com/user-settings' 
 +          - 'app.immich:///oauth-callback' 
 +        scopes: 
 +          - 'openid' 
 +          - 'profile' 
 +          - 'email' 
 +        userinfo_signed_response_alg: 'none' 
 +</code> 
 + 
 +To generate a ClientID: 
 +<code bash> 
 +authelia crypto rand --length 72 --charset rfc3986 
 +</code> 
 +This information will need to copied to both authelia config and immich settings. 
 + 
 +To generate a Client Secret: 
 +<code bash> 
 +authelia crypto hash generate pbkdf2 --variant sha512 --random --random.length 72 --random.charset rfc3986 
 +</code> 
 +Please note **both** the hash and the password itself! You will need the password itself in the next step. 
 + 
 +Then you need to configure Immich to use Authelia SSO, so go to //Immich web gui → administration → settings → Authentication settings// and enter the following information: 
 +  * Issuer URL: https://auth.example.com/.well-known/openid-configuration. 
 +  * Client ID: << the generated ClientID >>. 
 +  * Client Secret: << the random password generated above, not the digest >>. 
 +  * Scope: openid profile email. 
 +  * Button Text: Login with Authelia. 
 +  * Auto Register: Enable if desired. 
 +