
Differences

This shows you the differences between two versions of the page.

services:immich [2025/02/24 10:23] – [SSO authentication setup] willy
services:immich [2025/03/13 14:41] (current) – [Installation] willy
Line 18: Line 18:
 Immich needs to be installed using a docker compose file. This is the official and only supported installation method. I will show you, of course, how to run it rootless with podman. Immich installation is detailed [[https://immich.app/docs/install/docker-compose|here]], and i suggest you take a look at. Immich needs to be installed using a docker compose file. This is the official and only supported installation method. I will show you, of course, how to run it rootless with podman. Immich installation is detailed [[https://immich.app/docs/install/docker-compose|here]], and i suggest you take a look at.
  
-I assume you have already created the photo user and group (see [[services:photomanagement|here]], but in case you didn't, here you go:+I assume you have already created the photo user and group (see [[selfhost:photomanagement|here]], but in case you didn't, here you go:
 <code bash> <code bash>
 useradd -d /data/daemons/photos photos useradd -d /data/daemons/photos photos
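Review bot: The parenthesis opened at "(see [[selfhost:photomanagement|here]]" in the changed sentence is never closed. Add ")" after the link so the line reads "(see [[selfhost:photomanagement|here]]), but in case you didn't, here you go:".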
Line 116: Line 116:
 Immich support direct integration with [[selfhost:sso|Authelia SSO]], specific instructions can be found [[https://www.authelia.com/integration/openid-connect/immich/|on this page]]. Immich support direct integration with [[selfhost:sso|Authelia SSO]], specific instructions can be found [[https://www.authelia.com/integration/openid-connect/immich/|on this page]].
  
-First of all, you need to configure Authelia with a new: +First of all, you need to configure Authelia with a new client:
 <code> <code>
 identity_providers: identity_providers:
Line 124: Line 123:
     ## See: https://www.authelia.com/c/oidc     ## See: https://www.authelia.com/c/oidc
     clients:     clients:
-      - client_id: 'immich'+      - client_id: << see below to generate ClientID >>
         client_name: 'immich'         client_name: 'immich'
-        client_secret: '$pbkdf2-sha512$310000$c8p78n7pUMln0jzvd4aK4Q$JNRBzwAo0ek5qKn50cFzzvE9RXV88h1wJn5KGiHrD0YKtZaR/nCb2CJPOsKaPK0hjf.9yHxzQGZziziccp6Yng'  # The digest of 'insecure_secret'.+        client_secret: << see below to generale ClientSecret >>
         public: false         public: false
-        authorization_policy: 'two_factor'+        authorization_policy: 'one_factor'
         redirect_uris:         redirect_uris:
-          - 'https://immich.example.com/auth/login' +          - 'https://immich.mydomain.com/auth/login' 
-          - 'https://immich.example.com/user-settings'+          - 'https://immich.mydomain.com/user-settings'
           - 'app.immich:///oauth-callback'           - 'app.immich:///oauth-callback'
         scopes:         scopes:
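Review bot: authorization_policy for the immich client drops from 'two_factor' to 'one_factor' with no explanation anywhere in the visible text, which lowers the login requirement for every account that reaches Immich through SSO. Either keep 'two_factor' or add a sentence saying why one factor is acceptable for this client. In the same hunk, the client_secret placeholder has a typo ("generale" for "generate"), and since the removed line carried the comment "# The digest of 'insecure_secret'", the new placeholder should say that the pbkdf2 digest goes here and not the plaintext password, and that both << ... >> placeholders are to be replaced by quoted strings.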
Line 144: Line 143:
 authelia crypto rand --length 72 --charset rfc3986 authelia crypto rand --length 72 --charset rfc3986
 </code> </code>
 +This information will need to copied to both authelia config and immich settings.
  
 To generate a Client Secret: To generate a Client Secret:
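Review bot: The added sentence "This information will need to copied to both authelia config and immich settings." is missing "be" ("will need to be copied"). "This information" should also name the generated Client ID explicitly, so it is not confused with the Client Secret produced by the next command.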
Line 149: Line 149:
 authelia crypto hash generate pbkdf2 --variant sha512 --random --random.length 72 --random.charset rfc3986 authelia crypto hash generate pbkdf2 --variant sha512 --random --random.length 72 --random.charset rfc3986
 </code> </code>
 +Please note **both** the hash and the password itself! You will need the password itself in the next step.
 +
 +Then you need to configure Immich to use Authelia SSO, so go to //Immich web gui → administration → settings → Authentication settings// and enter the following information:
 +  * Issuer URL: https://auth.example.com/.well-known/openid-configuration.
 +  * Client ID: << the generated ClientID >>.
 +  * Client Secret: insecure_secret.
 +  * Scope: openid profile email.
 +  * Button Text: Login with Authelia.
 +  * Auto Register: Enable if desired.
 +
 +
  
  
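Review bot: The added bullet "Client Secret: insecure_secret." contradicts the sentence just above it, which tells the reader to note the password printed by the hash command for use in this step. This revision also removed the example digest of 'insecure_secret' from the Authelia block, so the literal value no longer corresponds to anything on the page, and a reader who copies it will not match the hash they generated. Replace it with a placeholder in the style already used for the Client ID, for example "<< the generated password, not the hash >>". Also, "Issuer URL: https://auth.example.com/..." uses example.com while the redirect_uris in this revision were changed to immich.mydomain.com; use one domain throughout.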
