SSO

Single sign-on (SSO) logs you into other services when you log into Organizr. You must use the same username and password to log into Organizr as you would use to log into Plex, Ombi, Tautulli, etc.

Plex Backend

Settings / System Settings / Main / Authentication

Change the Authentication type to Organizr DB + Backend. Choose Plex as the Authentication Backend. Use the Retrieve button to fill in the Plex Token and Plex Machine.

The other two toggles are optional:

| Type | Purpose |
| --- | --- |
| Enable Plex oAuth | Brings up a Plex login screen that passes credentials through plex.tv. |
| Strict Plex Friends | Only allows people from your friends list who have access to the server that you selected for Plex Machine. |


Plex

Settings / System Settings / Single Sign-On / Plex

Plex SSO will only work with Plex reverse proxied as a subdirectory, not as a subdomain. Fill out the Plex Token and Plex Machine (they should already be filled in if you did the above step). You can use the Retrieve buttons to fill these out. Toggle the enabled switch to turn it on.


Plex SSO doesn't work if Plex Reverse Proxy is a subdomain

To set up a /plex reverse proxy in Nginx, configure the location block like so:

location /plex/ {
  proxy_pass http://ip-of-plex:32400/;
  include /path/to/proxy.conf;
}
if ($http_referer ~ /plex/) {
  rewrite ^/web/(.*) /plex/web/$1? redirect;
}

Contents of proxy.conf

client_max_body_size 10m;
client_body_buffer_size 128k;
proxy_bind $server_addr;
proxy_buffers 32 4k;
# Timeout if the real server is dead
proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
# Advanced Proxy Config
send_timeout 5m;
proxy_read_timeout 240;
proxy_send_timeout 240;
proxy_connect_timeout 240;
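# Strip X-Frame-Options from proxied responses so the service can load inside an Organizr tab (iframe)
proxy_hide_header X-Frame-Options;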
# Basic Proxy Config
proxy_set_header Host $host:$server_port;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
proxy_redirect  http://  $scheme://;
proxy_http_version 1.1;
proxy_set_header Connection "";
proxy_no_cache $cookie_session;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";

Tautulli

Settings / System Settings / Single Sign-On / Tautulli

Fill out the URL for your Tautulli install (it can be the local IP or local DNS and port). Toggle the enabled switch to turn it on.


Tautulli Supports Multiple SSO instances

To use multiple instances of Tautulli, enter the URLs in the Tautulli URL box as comma-separated values (CSV).

Tautulli Tips

First make sure that Allow Plex Admin and Allow Guest Access to Tautulli are both enabled in the Web Interface portion of the Settings page.

To enable Tautulli SSO for your users, go to the Tautulli Users page, click Edit mode, and click the Lock icon for each user you want to enable SSO for.

Ombi

Settings / System Settings / Single Sign-On / Ombi

Fill out the URL for your Ombi install (it can be the local IP or local DNS and port) and copy your API key from Ombi's settings to the Token box. Toggle the enabled switch to turn it on.

Go to your tabs and set the Tab URL according to how Ombi is reverse proxied:

| Proxy Type | URL |
| --- | --- |
| Subdomain (ombi.domain.com) | https://ombi.domain.com/auth/cookie |
| Directory (domain.com/ombi) | https://domain.com/ombi |


Ombi Tips

Please make sure that you have the following options enabled in Ombi.

By enabling those options, your users under User Management should have the User Type as Plex User now.

Troubleshooting

In the drop-down under your username in the top right there is an option for the Debug Area. From there, use the drop-down at the top and choose the SSO option you are trying to troubleshoot.

enabled: false = SSO is not enabled. Go back to the SSO configuration and toggle the Enable switch.
cookie: false = User cookie does not match. User most likely does not exist in Ombi. Add user or import Plex users.
url: false = The SSO URL is wrong.
api: false = The API key is wrong.
backend: false = Plex Backend is not enabled.


Grafana

SSO with Grafana is a combination of reverse proxy configuration and some settings in grafana.ini or with environment variables.

For the reverse proxy you need to add the following:

auth_request /auth-X; #Change the X to whatever group you want to allow access
auth_request_set $auth_user $upstream_http_x_organizr_user;
proxy_set_header X-WEBAUTH-USER $auth_user;

grafana.ini:

[auth.proxy]
enabled = true
header_name = X-WEBAUTH-USER
header_property = username
auto_sign_up = true
;ldap_sync_ttl = 60
whitelist = 172.27.1.131
;headers = Email:X-User-Email, Name:X-User-Name

Environment variables:

-e GF_AUTH_PROXY_ENABLED=true \
-e GF_AUTH_PROXY_HEADER_NAME="X-WEBAUTH-USER" \
-e GF_AUTH_PROXY_HEADER_PROPERTY="username" \
-e GF_AUTH_PROXY_AUTO_SIGN_UP=true \
-e GF_AUTH_PROXY_LDAP_SYNC_TTL=60 \
-e GF_AUTH_PROXY_WHITELIST="172.27.1.131" \
-e GF_AUTH_PROXY_HEADERS="Email:X-User-Email, Name:X-User-Name"

You need to set enabled to true (it is disabled by default), and you should set the whitelist to the IP of your Organizr install so that the X-WEBAUTH-USER header can only come from it. To read more about this, see Grafana's docs.
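An added example (not code from Organizr or Grafana) that audits the effective [auth.proxy] settings, grafana.ini merged with any GF_AUTH_PROXY_* overrides, to confirm that only the Organizr host may assert X-WEBAUTH-USER. The function names and SAMPLE_INI are constructed for illustration, and the parser assumes the ini has no keys before its first section header.

```python
# Added example; function names and SAMPLE_INI are illustrative, not Grafana or Organizr code.
import configparser
import ipaddress

# Constructed sample: the page's [auth.proxy] block with the whitelist line left out.
SAMPLE_INI = """\
[auth.proxy]
enabled = true
header_name = X-WEBAUTH-USER
header_property = username
auto_sign_up = true
;ldap_sync_ttl = 60
"""

def effective_auth_proxy(ini_text, env=None):
    """Merge [auth.proxy] from grafana.ini with GF_AUTH_PROXY_* overrides (env wins)."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(ini_text)
    settings = dict(parser["auth.proxy"]) if parser.has_section("auth.proxy") else {}
    for name, value in (env or {}).items():
        if name.startswith("GF_AUTH_PROXY_"):
            settings[name[len("GF_AUTH_PROXY_"):].lower()] = value
    return settings

def audit_auth_proxy(settings, organizr_ip):
    """Return findings about which clients may assert the identity header."""
    if settings.get("enabled", "false").strip().lower() != "true":
        return ["auth.proxy is disabled: the Organizr SSO header is ignored"]
    findings = []
    entries = [e.strip() for e in settings.get("whitelist", "").split(",") if e.strip()]
    if not entries:
        findings.append("whitelist is empty: any client that reaches Grafana can set the header")
    nets = []
    for entry in entries:
        try:
            nets.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            findings.append(f"whitelist entry is not an IP or CIDR: {entry}")
    if nets and not any(ipaddress.ip_address(organizr_ip) in n for n in nets):
        findings.append(f"Organizr address {organizr_ip} is not covered by the whitelist")
    for n in nets:
        if n.num_addresses > 1:
            findings.append(f"whitelist entry {n} covers {n.num_addresses} addresses, not one host")
    return findings

if __name__ == "__main__":
    for env in ({}, {"GF_AUTH_PROXY_WHITELIST": "172.27.1.131"}):
        print(env, audit_auth_proxy(effective_auth_proxy(SAMPLE_INI, env), "172.27.1.131"))
```

An empty result means the header is accepted only from the single address passed as organizr_ip.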

 
