Authelia on Proxmox - 2FA SSO with Nextcloud, Proxmox, Portainer Gitea OpenID Connect Single Sign On

Views: 22,205

OneMarcFifty

How to Self-host Authelia in a Proxmox Container and use it as an OpenID Connect (OIDC) Identity Provider for 2FA Single Sign-On (SSO) with Nextcloud, Proxmox, Portainer or Gitea
#nextcloud #proxmox #sso #portainer #gitea #authelia #openid #oidc #selfhosted
The Github Repo is here: github.com/onemarcfifty/authe...
The blog article: www.onemarcfifty.com/blog/Aut...
0:00 Intro: SSO
01:38 How does that work?
03:36 Why Authelia?
04:33 Setup Steps (Overview)
05:30 Rudimentary Install
06:37 Adapt the Config
10:44 Register 2FA
11:44 Hide behind NGINX
12:34 add OpenIDC
14:22 OIDC: NextCloud
17:21 OIDC: Proxmox
19:44 OIDC: Portainer
21:56 OIDC: Gitea
23:33 What if OpenID is not supported?
25:39 Last Thoughts
26:39 Source Disclosure
KZbin: / onemarcfifty
Twitter: / onemarcfifty
Discord: / discord
Github: github.com/onemarcfifty
Patreon: / onemarcfifty
Blog: www.onemarcfifty.com

Comments: 40
@OneMarcFifty (1 year ago)
Correction: In the video I say that the container needs to be privileged. That’s not true. I am running it in an unprivileged container with no issues. Let me know your findings.
@mattmcmahon4240 (1 year ago)
This guy has such a nice personality it’s so great when he makes a new video. Also the subject matter is interesting too.
@OneMarcFifty (1 year ago)
Oh, that's so kind of you - thank you very much!
@goglea (1 year ago)
Content like this is what we are all craving for 😅 Brilliant video, thank you very much for your efforts
@OneMarcFifty (1 year ago)
Glad you enjoy it! Thank you
@PeterBatah (8 months ago)
In my quest to learn more about Authelia I have watched a multitude of YT videos. This presentation is by far one of the better ones. However, it is still a little advanced for me. Thank you for sharing your time and expertise with us. Much appreciated.
@ktoMod (1 year ago)
You just saved my day (or week, or month). Amazing, super clear. Added 2FA to NextCloud, Proxmox, Proxmox Backup Server and all my portainers. Super!
@edwardvanhazendonk (1 year ago)
Wow, this is awesome, thanks for sharing and combining all info available.
@OneMarcFifty (1 year ago)
Many thanks Edward!
@JavierPerez-fq2fi (1 year ago)
Amazing video Marc! thank you so much for sharing such great content like this.
@OneMarcFifty (1 year ago)
Glad you enjoyed it! Thank you!
@pedrolourenco8565 (4 months ago)
Thank you very much for your video, Marc! Super clear info!
@littlenewton6 (1 year ago)
Wonderful! As one not familiar with the Web, this video taught me a lot! I will spend more time on OAuth and HTTP header usage. Thank you, Mr. Marc.
@abdullahX001 (1 year ago)
Subscribed... such a pleasant presenter!
@ukaszs5021 (1 year ago)
Thank you Marc!
@OneMarcFifty (1 year ago)
Hi Łukasz, my pleasure ;-)
@LampJustin (1 year ago)
Awesome one Marc! Just enabled OIDC login into Kubernetes clusters provisioned by our KaaS platform. We use Keycloak, but Authelia is great, too! I just love the protocol, SSO all the things!
@OneMarcFifty (1 year ago)
Many thanks - and - I totally agree ;-) When I started with my first authentication project, I used a simple TOTP plugin to ask for a second factor before crossing VLAN boundaries. I had evaluated Authelia but it didn't do OIDC at the time. It did take me some time however to get to grips with everything. Many thanks for sharing!
@LampJustin (1 year ago)
@OneMarcFifty yeah OIDC isn't easy to get started with... But once you understand those JWT tokens, by decoding them and seeing all those claims neatly put in a json array, it really started to make sense for me.
@diogomild (1 year ago)
Very nice and thorough, thank you very much!!
@OneMarcFifty (1 year ago)
Hi Diogo, you are welcome - I am glad you liked it ;-)
@RedVelocityTV (6 months ago)
This was such a professional class video
@lil_fix (11 months ago)
awesome thanks
@achraf3310 (9 months ago)
Using MobaXterm is easier to do the config of the yaml file, because you will have SFTP at the same time as SSH ... in other words, it's a life saver!
@yashkalavadia3792 (10 months ago)
Good video, helped a lot, still have one question. I have Xen Orchestra that supports OIDC and works as relying party, how do I configure this? Any expert here?
@alexs5588 (1 year ago)
What a great information video, thank you! Would you ever consider creating a video regarding logging information in OpenWRT? Or, perhaps a video breaking down DNSMASQ in OpenWRT? Thank you again.
@OneMarcFifty (1 year ago)
Great suggestion! You mean a syslog server, right?
@alexs5588 (1 year ago)
@OneMarcFifty yes a syslog server. Thanks for all of your content
@Fulcanelli88 (1 year ago)
@alexs5588 Logs & FOSS ... and how far the smokey gun ended ? Winreg2
@jacobhenriksen2324 (3 months ago)
If I already have an nginx reverse proxy in my network, do I want to use that one instead or stick to the nginx server in the container?
@verygoodbrother (1 year ago)
Could you do the same for jellyfin? Especially so that we don't have to login twice.
@pbvdven2 (1 year ago)
Thanks for the video. Can I ask you a question? Did you consider authentik, and if so, why did you prefer authelia?
@OneMarcFifty (1 year ago)
Not yet. I used authelia because I had examined it in the past and wanted to try the OpenID integration. I will have a look at authentik at some point in time though, especially w/r to the broader protocol support (SAML etc.). Are you using authentik?
@pbvdven2 (1 year ago)
@OneMarcFifty yes, just recently switched from authelia to authentik because of the broader protocol support. I wanted it mainly for jellyfin and calibre web because it supported ldap in combination with openid. And it supports user sign up and users can easily manage their own accounts, 2fa devices and oauth connections to other providers like plex or google.
@lohphat (1 year ago)
What about stolen browser sessions similar to what took down Linus Tech Tips KZbin channel? Once elevated session cookies were stolen by a trojan, YT doesn’t have an “invalidate all active sessions” to deauthorize the auth credentials.
@OneMarcFifty (1 year ago)
Great question! I have been thinking about making a video on that issue for a while now. Essentially for good security you need to take the 3 P's into consideration: Products, Processes and People. I would add a 4th one here: Providers. Certainly people need to be educated (close your browser sessions before doing e-Mail, delete your cookies etc.), Products need to answer the requirements (Avoid cross-app storage access, e.g. AppArmor or SELinux are answers for that). But the Providers need to do their homework as well. Like Linus said in his video - if someone wants to delete 100 or 1000 videos, asking for an OK would be acceptable ;-) Or if a session jumps from Germany to the US or anywhere else, then re-requesting auth should be OK. 2FA or SSO alone will NOT save you - also taking into consideration that you can reset a password or 2nd Factor over e-Mail - whoever controls your e-mail account can register freely. Sorry - long answer - but you are so spot on with your comment. There is a lot of misunderstanding in the 2FA area ;-) Many thanks for your question!
@neilcresswell6539 (1 year ago)
Awesome, loved this. Neil@Portainer.
@OneMarcFifty (1 year ago)
Hi Neil, many thanks!