Jellyfin

What is Jellyfin?

Jellyfin is the volunteer-built media solution that puts you in control of your media. Stream to any device from your own server, with no strings attached. Your media, your server, your way.

The following placeholders will be used:

  • tidecloak.company is the FQDN of the TideCloak install.
  • jellyfin.company is the FQDN of the Jellyfin install.

TideCloak Configuration

Log in as an admin to the TideCloak admin console at https://tidecloak.company and follow these steps:

  1. Click the realm dropdown and select or create your realm. This guide assumes a realm named myrealm.
  2. On Clients menu -> Click the Create client button.
  3. Fill in the Client form:
    • Client type: OpenID Connect
    • Client ID: jellyfin-oidc
    • Press the Next button
    • Client authentication: On.
    • Authentication flow: standard flow
    • Press the Next button
    • Root URL: https://jellyfin.company
    • Valid redirect URI: https://jellyfin.company/sso/OID/redirect/tidecloak
    • Web origins: https://jellyfin.company
    • Press the Save button
  4. Still in the newly created client, make the following changes under the Credentials tab:
    • Client Authenticator: Client ID and secret
    • Client Secret: [Client-Secret] (copy that secret and make a note of it for later)
  5. Under the Roles tab:
    • Create role button -> Role name: jf-user -> Save button
    • Create role button -> Role name: jf-admin -> Save button
  6. Under the Client scopes tab -> jellyfin-oidc-dedicated link -> Add mapper dropdown -> By configuration option -> User client role option:
    • Name: jf-client-role
    • Client ID: jellyfin-oidc
    • Multivalued: ON
    • Token Claim Name: jfrole
    • Add to ID token: ON
    • Add to access token: ON
    • Add to userinfo: ON
    • Press the Save button

Assign Jellyfin roles to users

Use either of these two options:

  1. Automatically, on registration. E.g. assign Jellyfin user role automatically to all new realm users:
    • Realm settings menu -> Login tab -> User registration: On
    • Realm settings menu -> User registration tab -> Assign role button -> jf-user role
  2. Manually, by admin. E.g. assign Jellyfin admin role to user Bob:
    • Users menu -> User list tab -> [Bob] link -> Role mapping tab -> Assign role button -> jf-admin role

Verify your TideCloak configuration

Go to Clients menu -> jellyfin-oidc link -> Client scopes tab -> Evaluate sub-tab -> Users: Bob dropdown -> Generate access token link.
Check that the generated JWT for Bob contains the following section:

"jfrole":[
"jf-admin"
]
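
The same check can be scripted. The following is an added example, not part of the original guide or of the SSO plugin's code: it decodes the payload of a token copied from the Evaluate tab and classifies it against the jfrole claim and the jf-user / jf-admin roles configured on this page. The function names and the sample token are constructed for illustration, and the token signature is not verified.

```python
import base64
import json

ROLE_CLAIM = "jfrole"          # Token Claim Name set in the mapper
USER_ROLES = {"jf-user"}       # "Roles" value used in the plugin settings
ADMIN_ROLES = {"jf-admin"}     # "Admin Roles" value used in the plugin settings


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token: str) -> dict:
    """Return the payload of a compact JWT. The signature is NOT verified."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("expected three dot-separated JWT segments")
    claims = json.loads(_b64url_decode(parts[1]))
    if not isinstance(claims, dict):
        raise ValueError("JWT payload is not a JSON object")
    return claims


def jellyfin_access(claims: dict) -> str:
    """Classify claims as 'admin', 'user', 'no-access' or 'bad-claim'."""
    roles = claims.get(ROLE_CLAIM)
    if roles is None:
        return "no-access"   # mapper missing, or the user has no client role
    if not isinstance(roles, list):
        return "bad-claim"   # e.g. a plain string: check Multivalued is ON
    granted = {r for r in roles if isinstance(r, str)}
    if granted & ADMIN_ROLES:
        return "admin"
    if granted & USER_ROLES:
        return "user"
    return "no-access"


def make_sample_token(payload: dict) -> str:
    """Build an unsigned, constructed token for offline testing only."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(payload)}.sig"


if __name__ == "__main__":
    bob = make_sample_token({"preferred_username": "bob", "jfrole": ["jf-admin"]})
    print(jellyfin_access(jwt_claims(bob)))
```

A result of 'bad-claim' or 'no-access' for a user who should have a role points back to the mapper settings in step 6 or to the role assignment above.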

Jellyfin Configuration

Log in to Jellyfin as an admin via https://jellyfin.company/ and follow these steps:

Install plugin

  1. Go to Jellyfin's Dashboard page -> Plugins menu -> Catalog (https://jellyfin.company/web/index.html#/dashboard/plugins/catalog)
  2. Add a New Repository by clicking the gear icon in the top left, then click the + sign and fill:
    • Repository name: SSO-Auth
    • Repository URL: https://raw.githubusercontent.com/9p4/jellyfin-plugin-sso/manifest-release/manifest.json
    • Press the SAVE button
  3. Go back to the Catalog tab (https://jellyfin.company/web/index.html#/dashboard/plugins/catalog)
  4. Under Authentication Provider, click and install the SSO Authentication plugin of the most recent version
  5. Restart the Jellyfin server on the Dashboard (https://jellyfin.company/web/index.html#/dashboard) -> Restart button
  6. Go back to the Plugin tab (https://jellyfin.company/web/index.html#/dashboard/plugins)
  7. Select the SSO-Auth plugin (https://jellyfin.company/web/index.html#/configurationpage?name=SSO-Auth) and fill out the Provider Configuration:
    • Name of OID Provider: tidecloak
    • OID Endpoint: https://tidecloak.company/realms/myrealm/.well-known/openid-configuration
    • OpenID Client ID: jellyfin-oidc (Identical Client ID from the TideCloak provider)
    • OID Secret: [Client Secret] (from the note taken previously)
    • Enabled: CHECKED
    • Enable Authorization by Plugin: CHECKED
    • Enable All Folders: CHECKED
    • Roles: jf-user
    • Admin Roles: jf-admin
    • Role Claim: jfrole
    • Press the Save button at the bottom
  8. Go to the General settings (https://jellyfin.company/web/index.html#/dashboard/settings)
  9. In the Branding section -> Login disclaimer field:
    <form action="https://jellyfin.company/sso/OID/start/tidecloak">
      <button class="raised block emby-button button-submit">
        Sign in with TideCloak
      </button>
    </form>

    (Make sure to change the URL in the form's action attribute to your own Jellyfin FQDN.)


  10. In the Branding section -> Custom CSS code field:
    a.raised.emby-button {
      padding: 0.9em 1em;
      color: inherit !important;
    }

    .disclaimerContainer {
      display: block;
    }
  11. Click Save at the bottom and restart the server.

You can now sign in to Jellyfin at https://jellyfin.company with TideCloak by using the newly added "Sign in with TideCloak" button.

Debugging

If you have problems, check your logs under Administration page -> Dashboard menu -> Logs item (https://jellyfin.company/web/index.html#/dashboard/logs). The helpful entries will be near the bottom, on lines that start with Jellyfin.Plugin.SSO_Auth.