Single Sign On
Homarr supports multiple authentication options, from internal userbase (credentials), to LDAP (with Active directory support), and OIDC.
Auth configuration common variables
| Environment Variable | Description | Default Value |
|---|---|---|
| AUTH_PROVIDER | Select Which provider to use between credentials, ldap and oidc. Multiple providers can be enabled with by separating them with ,, (ex. AUTH_PROVIDER=credentials,oidc, it is highly recommended to just enable one provider). | credentials |
| AUTH_LOGOUT_REDIRECT_URL | URL to redirect to after clicking logging out. | --- |
| AUTH_SESSION_EXPIRY_TIME | Time for the session to time out. Can be set as pure number, which will automatically be used in seconds, or followed by s, m, h or d for seconds, minutes, hours or days. (ex: "30m") | "30d" |
- Credentials Provider
- LDAP provider
- OIDC provider
This is the default provider.
First user is created using the onboarding process and the rest can be created by this user (see user management)
This provider authenticates against an LDAP server.
Any user in LDAP server that signs in gets created in Homarr database.
Roles are fetched from LDAP groups. For this, you have to specify groups for admin and owner users.
Example Setup
In this setup we are using lldap. Install your server using docker or as a service.
Minimal configuration requires 4 env variables, LDAP URI, base, user and password for querying data.
There's more variables, but all have defaults corresponding to lldap defaults. These might need to be changed if you have different LDAP provider.
docker run ...
AUTH_PROVIDER="ldap"
AUTH_LDAP_URI="ldap://example.com:3890"
AUTH_LDAP_BASE="dc=example,dc=com" // Same as LLDAP_LDAP_BASE_DN
AUTH_LDAP_BIND_DN="uid=admin,ou=People,dc=example,dc=com"
AUTH_LDAP_BIND_PASSWORD="adminpass" // Same as LLDAP_LDAP_USER_PASS
#Docker compose
version: x
services:
homarr:
environment:
AUTH_PROVIDER: ldap
AUTH_LDAP_URI: ldap://example.com:3890
AUTH_LDAP_BASE: dc=example,dc=com #Same as LLDAP_LDAP_BASE_DN
AUTH_LDAP_BIND_DN: uid=admin,ou=People,dc=example,dc=com
AUTH_LDAP_BIND_PASSWORD: adminpass #Same as LLDAP_LDAP_USER_PASS
In lldap, create a user and admin group, assign this user to admin group. You can log in using this user and he will be admin and owner.
Here is another example for Active Directory:
AUTH_LDAP_URI="ldap://ldap.abc.xyz:389
AUTH_LDAP_BASE="DC=abc,DC=xyz"
AUTH_LDAP_BIND_DN="CN=Administrator,CN=Users,DC=abc,DC=xyz"
AUTH_LDAP_BIND_PASSWORD="YourAdministratorPassword"
AUTH_LDAP_USERNAME_ATTRIBUTE="sAMAccountName"
AUTH_LDAP_USER_MAIL_ATTRIBUTE="userPrincipalName"
AUTH_LDAP_GROUP_CLASS="group"
AUTH_LDAP_GROUP_MEMBER_ATTRIBUTE="member"
AUTH_LDAP_GROUP_MEMBER_USER_ATTRIBUTE="dn"
AUTH_LDAP_ADMIN_GROUP="Administrators"
AUTH_LDAP_OWNER_GROUP="Administrators"
AUTH_LDAP_SEARCH_SCOPE="sub"
AUTH_LDAP_USERNAME_FILTER_EXTRA_ARG="(sAMAccountType=805306368)"
You can change the admin and owner groups to any group you have created. User mail attribute is set to userPrincipalName as it follows the right schema, but it is recommended to use real emails and the default 'mail' value.
Configuration
| Environment Variable | Description | Default value |
|---|---|---|
AUTH_LDAP_URI | URI of your LDAP server | --- |
AUTH_LDAP_BASE | Base dn of your LDAP server | --- |
AUTH_LDAP_BIND_DN | User used for finding users and groups | --- |
AUTH_LDAP_BIND_PASSWORD | Password for bind user | --- |
AUTH_LDAP_USERNAME_ATTRIBUTE | Attribute used for username | uid |
AUTH_LDAP_USER_MAIL_ATTRIBUTE | Attribute used for mail field | |
AUTH_LDAP_GROUP_CLASS | Class used for querying groups | groupOfUniqueNames |
AUTH_LDAP_GROUP_MEMBER_ATTRIBUTE | Attribute used for querying group member | member |
AUTH_LDAP_GROUP_MEMBER_USER_ATTRIBUTE | User attribute used for comparing with group member | dn |
AUTH_LDAP_ADMIN_GROUP | Admin group | admin |
AUTH_LDAP_OWNER_GROUP | Owner group | admin |
AUTH_LDAP_SEARCH_SCOPE | Serach scopes between base, one and sub | base |
AUTH_LDAP_USERNAME_FILTER_EXTRA_ARG | Extra arguments for user search filter (& based) | --- |
AUTH_LDAP_GROUP_FILTER_EXTRA_ARG | Extra arguments for user's groups search filter (& based) | --- |
This provider authenticates using OIDC protocol.
Users sign in using OIDC are created in Homarr.
Roles are fetched from group claims. For this, you have to specify groups for admin and owner users.
Example Setup
In this example we will be using Authelia.
You can use any setup, but the simplest is local. If using this configuration, note that by default user does have group admins but Homarr is looking for admin. You can fix it either in users_database.yml file or by setting AUTH_OIDC_ADMIN_GROUP in Homarr.
You also have to enable OIDC in Authelia.
Create a client for homarr. To generate client secret you can use authelia. This is an example config:
identity_providers:
oidc:
...
clients:
- id: homarr
secret: <secret_hash>
public: false
authorization_policy: one_factor
redirect_uris:
- https://example.com/api/auth/callback/oidc
- http://localhost:3000/api/auth/callback/oidc
scopes:
- openid
- groups
- profile
- email
userinfo_signing_algorithm: none
consent_mode: implicit # self hosted
In Homarr use following env variables.
AUTH_PROVIDER="oidc"
AUTH_OIDC_URI="https://auth.example.com"
AUTH_OIDC_CLIENT_SECRET="client_secret"
AUTH_OIDC_CLIENT_ID="homarr"
AUTH_OIDC_CLIENT_NAME="Authelia"
Configuration
| Environment Variable | Description | Default value |
|---|---|---|
AUTH_OIDC_URI | Issuer URI of OIDC provider without trailing slash (/) | --- |
AUTH_OIDC_CLIENT_ID | ID of OIDC client (application) | --- |
AUTH_OIDC_CLIENT_SECRET | Secret of OIDC client (application) | --- |
AUTH_OIDC_CLIENT_NAME | Display name of provider (in login screen) | OIDC |
AUTH_OIDC_ADMIN_GROUP | Admin group | admin |
AUTH_OIDC_OWNER_GROUP | Owner group | admin |
AUTH_OIDC_TIMEOUT | Timeout in milliseconds | 3500 |
AUTH_OIDC_AUTO_LOGIN | Automatically redirect to OIDC login | false |