User Tools

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
services:immich [2025/02/24 10:25] – [SSO authentication setup] willyservices:immich [2025/03/19 10:04] (current) – [SSO authentication setup] willy
Line 18: Line 18:
 Immich needs to be installed using a docker compose file. This is the official and only supported installation method. I will show you, of course, how to run it rootless with podman. Immich installation is detailed [[https://immich.app/docs/install/docker-compose|here]], and i suggest you take a look at. Immich needs to be installed using a docker compose file. This is the official and only supported installation method. I will show you, of course, how to run it rootless with podman. Immich installation is detailed [[https://immich.app/docs/install/docker-compose|here]], and i suggest you take a look at.
  
-I assume you have already created the photo user and group (see [[services:photomanagement|here]], but in case you didn't, here you go:+I assume you have already created the photo user and group (see [[selfhost:photomanagement|here]], but in case you didn't, here you go:
 <code bash> <code bash>
 useradd -d /data/daemons/photos photos useradd -d /data/daemons/photos photos
Line 116: Line 116:
 Immich support direct integration with [[selfhost:sso|Authelia SSO]], specific instructions can be found [[https://www.authelia.com/integration/openid-connect/immich/|on this page]]. Immich support direct integration with [[selfhost:sso|Authelia SSO]], specific instructions can be found [[https://www.authelia.com/integration/openid-connect/immich/|on this page]].
  
-First of all, you need to configure Authelia with a new: +First of all, you need to configure Authelia with a new client:
 <code> <code>
 identity_providers: identity_providers:
Line 126: Line 125:
       - client_id: << see below to generate ClientID >>       - client_id: << see below to generate ClientID >>
         client_name: 'immich'         client_name: 'immich'
-        client_secret: << see below to generale ClientSecret >>+        client_secret: << see below to generale ClientSecret, put the digest here >>
         public: false         public: false
         authorization_policy: 'one_factor'         authorization_policy: 'one_factor'
Line 144: Line 143:
 authelia crypto rand --length 72 --charset rfc3986 authelia crypto rand --length 72 --charset rfc3986
 </code> </code>
 +This information will need to copied to both authelia config and immich settings.
  
 To generate a Client Secret: To generate a Client Secret:
Line 149: Line 149:
 authelia crypto hash generate pbkdf2 --variant sha512 --random --random.length 72 --random.charset rfc3986 authelia crypto hash generate pbkdf2 --variant sha512 --random --random.length 72 --random.charset rfc3986
 </code> </code>
 +Please note **both** the hash and the password itself! You will need the password itself in the next step.
 +
 +Then you need to configure Immich to use Authelia SSO, so go to //Immich web gui → administration → settings → Authentication settings// and enter the following information:
 +  * Issuer URL: https://auth.example.com/.well-known/openid-configuration.
 +  * Client ID: << the generated ClientID >>.
 +  * Client Secret: << the random password generated above, not the digest >>.
 +  * Scope: openid profile email.
 +  * Button Text: Login with Authelia.
 +  * Auto Register: Enable if desired.
 +
 +