Quick Summary
So this is a quick tutorial to help folks out there on setting up immich single sign on (SSO) with authentik. Both are badass pieces of software btw. Check them out here if you don't know them:
Step #1 (instantiate apps)
I have created a git repo with the docker compose configurations so you can have both immich and authentik up and running for this tutorial. You can research on your own about the configuration aspects of each app thru docker compose, as for this tutorial goes I will only focus on integrating them both for your convenience AFTER they are up and running.
git clone it and follow the instructions on the readme file to spin up the app instances on your local environment.
Step #2 (initialize apps)
Now that we have both apps up and running we need to initialize them, that is create our admin users so we can configure them.
Let's start with immich, go ahead and open your browser and navigate to your immich web app which should be configured on port "1002" as I defaulted it on the git repo:
http://[YOUR_DOMAIN OR SERVER_IP_PLUS_PORT]/
# sample: http://127.0.0.1:1002/ -or- http://localhost:1002/ -or- https://photos.my-amazing-domain.com/
Follow the on screen steps in order to create the administrator user and such (I won't go into details about how to do this since the wizard shown on immich is awesome at guiding you thru):
OK we are done with immich for now and it's time for authentik.
Go to your browser and access authentik thru it's web interface, the port number I had configured on the git repo is "1001" so you will have to enter the following on your browser:
http://[YOUR_DOMAIN OR SERVER_IP_PLUS_PORT]/
# sample: http://127.0.0.1:1001/ -or- http://localhost:1001/ -or- https://auth.my-amazing-domain.com/
It will ask you for credentials, the default username is "akadmin", as for the password I have set it up to "dev123!" on the git repo. So enter those and continue.
Step #3 (configure Authentik)
Once inside authentik, go to "Admin Interface":
In there, go to "Applications" then "Providers" and finally click on "Create":
On the new provider screen, choose the OpenId provider and click next:
Choose a name for our provider (I choose "Photos-Provider" but you can call it "immich-Provider" if you want, I just felt "Photos" is better wording for the type of app we will add)
The system will fill in some data for you like:
- Client ID (make note of this one, we will need it later)
- Client Secret (make note of this one, we will need it later)
Pick authorization flow as "implicit" so that users don't need to consent (you can research this on authentik later)
enter the following on the redirect URIs (this is stated on the immich configuration docs: https://immich.app/docs/administration/oauth/)
app.immich:/
http://[YOUR_DOMAIN OR SERVER_IP_PLUS_PORT]/auth/login
http://[YOUR_DOMAIN OR SERVER_IP_PLUS_PORT]/user-settings
Leave the rest of the fields with their default values and hit "Finish" to create our new provider.
Great, we have our provider created now we need to create an application inside authentik which will in turn use our provider under scenes.
Go to "Application" then "Applications" and then "Create":
Choose a name for your app and pick our provider from the list, then hit save to create our app:
cool, now we have authentik fully configured for immich. But before we jump into immich we need to note some values (aside from the client id and client secret values I already told you to make note of).
Go to Providers and click on our Photos-Provider so that we can see more details:
then make note of the following values which we will need later:
- OpenID Configuration Issuer
NOTE: you will notice the URLs in there have "http://debian-tests.home.lan:1001" in them, that's because that is my configured test server. Yours will show something like http://127.0.0.1:1001/ -or- http://localhost:1001/ -or- https://auth.my-amazing-domain.com depending on your server/host/etc.)
Step #4 (configure immich)
Open your browser and navigate to your immich app and go to: Administration -> Settings -> OAuth Authentication. Then Enable it:
When you enable it, a bunch of settings are shown:
In here we will use our noted fields from before:
- OpenID Configuration Issuer
- Client ID
- Client Secret
Enter the values in the correct fields:
(note: then again, you will notice I am using http://debian-tests.home.lan:1001 but in your case will be something like http://127.0.0.1:1001/ -or- http://localhost:1001/ -or- https://auth.my-amazing-domain.com depending on your server/host/etc.)
Leave all the other fields with their default values and scroll down a little bit till you see these options:
Make sure auto register and auto lunch are both active. Auto register will create a new immich user if the incoming authentik user email does not exists on immich yet. Auto lunch will tell immich to always initiate the login process going to authentik instead of showing the immich login screen.
IMPORTANT:
Since auto lunch is enabled, immich won't ever ask you to login back again, it will redirect you to authentik so you can enter your credentials there.
So if you want to log back in with your immich Administrator account then you have to use the following URL:
http://debian-tests.home.lan:1002/auth/login?autoLaunch=0
(note: AGAIN, you will notice I am using http://debian-tests.home.lan:1002 but in your case will be something like http://127.0.0.1:1002/ -or- http://localhost:1002/ -or- https://photos.my-amazing-domain.com depending on your server/host/etc.)
This way, regular uses will always use authentik as their athentication provider and you (the super duper master administrator) can use immich's admin account to configure the immich app). So it's very important you save both the URL above and the immich administrator account (which should be the one account you created on step #2 for immich)
Step #5 (create your first user)
So now we have authentik and immich talking to each other and working with SSO.
Let's create our first user now.
Go to authentik's dashboard again and go to: Admin Interface -> Directory -> Users -> Create:
Enter your user info and save it:
Now, expand your user and set it's password:
IMPORTANT: And finally, log out of authentik because remember, you are using authentik admins account and we want to test using our new user's account:
Step #6 (cross fingers and test)
So we have everything configured and in place to start using immich and SSO with authentik.
Now let's try it out...
Open your browser and navigate to your immich's instance which should be:
http://[YOUR_DOMAIN OR SERVER_IP_PLUS_PORT]/
# sample: http://127.0.0.1:1002/ -or- http://localhost:1002/ -or- https://photos.my-amazing-domain.com/
Once you do that, you will notice you will be redirected to authentik:
In here, you are asked for your user. So use the account we created earlier on step #5 and then rejoice because everything just worked out fine!
Some Comments/Notes/etc.
I obviously didn't include a bunch of stuff like how do I configure groups in authentik so that certain users can access the photos app and some others don't. Or how do I configure authentik to talk to google, because I don't wan't to create accounts for all my family if they can just use their google accounts.
Well, just didn't have the time. But then again I mention it because it's possible and I do have that working on my own home-lab.
There are a lot of other stuff you can do with authentik so go ahead and research I suppose.
Anyways, I hope this was helpful to you, it was certainly helpful to me knowing how to set it up :P peace out!
Top comments (0)