Configuration SAML
SAML configuration is managed via the REST API. The admin UI does not yet support SAML provider setup.
- SAML 2.0 support
- Document signing enabled
- Client signature not required
- Ability to set a redirect/ACS URI
- Role attributes included in SAML assertions
Register the following as the Assertion Consumer Service (ACS) URL in your identity provider:

```
https://<your-jellyfin-domain>/sso/SAML/p/<provider-name>
```
Send a POST request to:

```
POST /sso/SAML/Add/<provider-name>
```

Headers:

```
Authorization: MediaBrowser Token="<your-api-key>"
Content-Type: application/json
```

Request body:

```json
{
  "samlEndpoint": "https://your-idp.example.com/saml/metadata",
  "samlClientId": "jellyfin",
  "samlCertificate": "<base64-encoded-x509-certificate>",
  "enabled": true,
  "enableAuthorization": true,
  "enableAllFolders": false,
  "enabledFolders": [],
  "adminRoles": ["jellyfin-admins"],
  "preserveAdminPermissions": false,
  "roles": ["jellyfin-users"],
  "enableFolderRoles": false,
  "enableLiveTvRoles": false,
  "enableLiveTv": false,
  "enableLiveTvManagement": false,
  "liveTvRoles": [],
  "liveTvManagementRoles": [],
  "folderRoleMapping": []
}
```

| Field | Type | Description |
|---|---|---|
| samlEndpoint | string | SAML metadata/binding endpoint URL |
| samlClientId | string | Service provider identifier (Entity ID) |
| samlCertificate | string | Base64-encoded X.509 certificate for signature validation |
| enabled | bool | Activates the provider |
| enableAuthorization | bool | Plugin manages user permissions on login |
| enableAllFolders | bool | Grants access to all libraries |
| enabledFolders | string[] | Library IDs to grant access to |
| adminRoles | string[] | SAML roles that grant admin privileges |
| preserveAdminPermissions | bool | When true, SAML can grant admin privileges but will not revoke admin from existing admins if an admin role is missing. Defaults to false. |
| roles | string[] | Required SAML roles to allow login (empty = allow all) |
| enableFolderRoles | bool | Enables role-to-folder mapping |
| folderRoleMapping | array | Array of `{ "role": "...", "folders": ["lib-id"] }` |
| enableLiveTvRoles | bool | Enables Live TV RBAC |
| enableLiveTv | bool | Live TV access by default |
| enableLiveTvManagement | bool | Live TV management by default |
| liveTvRoles | string[] | Roles granting Live TV viewing |
| liveTvManagementRoles | string[] | Roles granting Live TV management |
| defaultProvider | string | Auth provider to assign to new users |
| schemeOverride | string | URL scheme override for redirect URI |
| portOverride | int | Port override for redirect URI |
| canonicalLinks | object | Maps provider IDs to Jellyfin user IDs |
When enableAuthorization is enabled, administrator status is managed from adminRoles by default. If an existing administrator logs in and does not match an admin role, the plugin can revoke the administrator flag.
Set preserveAdminPermissions to true if you want SAML logins to elevate matching users to administrator but never demote accounts that are already administrators. This is useful when SAML role attributes can be missing or inconsistent, but it means SAML is no longer the strict source of truth for administrator removal.
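The login and administrator decisions described above, modelled as an added example (not the plugin's own code) so the effect of `roles`, `adminRoles` and `preserveAdminPermissions` can be checked before a setting is applied to a real instance. Two assumptions are made that this page does not state: `roles` is satisfied by any single matching role, and when `enableAuthorization` is false the existing administrator flag is left unchanged.

```python
"""Model of the login and administrator rules described for this provider.

Added example, not the plugin's code. Assumptions (not stated on the page):
`roles` is satisfied by any single matching role, and when
enableAuthorization is false the existing administrator flag is left as-is.
"""
from dataclasses import dataclass, field


@dataclass
class ProviderConfig:
    """The subset of provider fields that drive login and admin decisions."""
    enable_authorization: bool = True
    roles: list = field(default_factory=list)        # empty = allow all
    admin_roles: list = field(default_factory=list)
    preserve_admin_permissions: bool = False


def login_allowed(cfg: ProviderConfig, assertion_roles) -> bool:
    """True when the assertion carries a required role, or none are required."""
    if not cfg.roles:
        return True
    return any(role in assertion_roles for role in cfg.roles)  # assumption: any-of


def resolve_admin(cfg: ProviderConfig, currently_admin: bool, assertion_roles) -> bool:
    """Administrator flag after login.

    A matching adminRole grants admin. With no match, the flag is revoked
    unless preserveAdminPermissions keeps an existing administrator elevated.
    """
    if not cfg.enable_authorization:
        return currently_admin  # assumption: permissions left untouched
    if any(role in assertion_roles for role in cfg.admin_roles):
        return True
    if cfg.preserve_admin_permissions:
        return currently_admin
    return False


def evaluate_login(cfg: ProviderConfig, currently_admin: bool, assertion_roles) -> dict:
    """Combine both checks into the outcome an operator would observe."""
    allowed = login_allowed(cfg, assertion_roles)
    is_admin = resolve_admin(cfg, currently_admin, assertion_roles) if allowed else currently_admin
    return {"allowed": allowed, "is_admin": is_admin}


# Constructed scenarios mirroring the sample request body on this page.
STRICT = ProviderConfig(roles=["jellyfin-users"], admin_roles=["jellyfin-admins"])
PRESERVING = ProviderConfig(roles=["jellyfin-users"], admin_roles=["jellyfin-admins"],
                            preserve_admin_permissions=True)

if __name__ == "__main__":
    # An existing administrator whose assertion no longer carries the admin role:
    print("strict:    ", evaluate_login(STRICT, True, ["jellyfin-users"]))      # demoted
    print("preserving:", evaluate_login(PRESERVING, True, ["jellyfin-users"]))  # stays admin
    print("no roles:  ", evaluate_login(STRICT, False, []))                     # login refused
```

The `STRICT` and `PRESERVING` configurations differ only in `preserveAdminPermissions`; running the three scenarios side by side shows the trade-off the paragraph above describes: the preserving setting tolerates a missing role attribute, at the cost of SAML no longer being able to remove administrator rights.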
Export the X.509 signing certificate from your identity provider. Remove the `-----BEGIN CERTIFICATE-----` and `-----END CERTIFICATE-----` headers and all newlines. The result is the value for `samlCertificate`.

Example using OpenSSL (`-w 0` disables line wrapping in GNU coreutils `base64`):

```
openssl x509 -in idp-cert.pem -outform DER | base64 -w 0
```

Retrieve the current SAML provider configuration:

```
GET /sso/SAML/Get
Authorization: MediaBrowser Token="<your-api-key>"
```

Delete a provider:

```
GET /sso/SAML/Del/<provider-name>
Authorization: MediaBrowser Token="<your-api-key>"
```
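The certificate preparation and the `POST /sso/SAML/Add/<provider-name>` request described on this page, as one added example that is not the plugin's own code. It converts an exported PEM file into the single-line `samlCertificate` value, checks that the value decodes to DER before it is sent (a pasted private key, a truncated copy or stray whitespace would otherwise only fail later at signature validation), and constructs the request with the documented headers and body. The PEM content, the Jellyfin base URL and the provider name are constructed placeholders; nothing is sent to a server unless the commented `urlopen` call is used.

```python
"""Prepare the samlCertificate value and build the provider registration request.

Added example, not the plugin's code. It assumes a PEM file exported from the
IdP and does not contact any server: build_add_request() only constructs the
HTTP request so it can be inspected before sending.
"""
import base64
import binascii
import json
import urllib.request

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"


def pem_to_saml_certificate(pem_text: str) -> str:
    """Strip the PEM armour and newlines, returning the base64 DER body.

    The body must be valid base64 whose first byte is 0x30, the ASN.1 SEQUENCE
    tag every DER-encoded X.509 certificate starts with, so a private key block,
    a truncated copy or a non-certificate file is rejected before the API call.
    """
    lines = [ln.strip() for ln in pem_text.strip().splitlines()]
    if not lines or lines[0] != PEM_BEGIN or lines[-1] != PEM_END:
        raise ValueError("expected a single PEM CERTIFICATE block")
    body = "".join(lines[1:-1])
    try:
        der = base64.b64decode(body, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"certificate body is not valid base64: {exc}") from exc
    if not der or der[0] != 0x30:
        raise ValueError("decoded data is not a DER SEQUENCE (not an X.509 certificate)")
    return body


def build_provider_payload(saml_endpoint: str, client_id: str, certificate: str, **overrides) -> dict:
    """Return the request body with this page's sample defaults, applying overrides."""
    payload = {
        "samlEndpoint": saml_endpoint,
        "samlClientId": client_id,
        "samlCertificate": certificate,
        "enabled": True,
        "enableAuthorization": True,
        "enableAllFolders": False,
        "enabledFolders": [],
        "adminRoles": ["jellyfin-admins"],
        "preserveAdminPermissions": False,
        "roles": ["jellyfin-users"],
        "enableFolderRoles": False,
        "enableLiveTvRoles": False,
        "enableLiveTv": False,
        "enableLiveTvManagement": False,
        "liveTvRoles": [],
        "liveTvManagementRoles": [],
        "folderRoleMapping": [],
    }
    unknown = set(overrides) - set(payload)
    if unknown:  # catch typos such as "enableAllFolder" before they reach the server
        raise KeyError(f"unknown provider fields: {sorted(unknown)}")
    payload.update(overrides)
    return payload


def build_add_request(base_url: str, provider_name: str, api_key: str, payload: dict) -> urllib.request.Request:
    """Construct the POST /sso/SAML/Add/<provider-name> request (not sent)."""
    url = f"{base_url.rstrip('/')}/sso/SAML/Add/{provider_name}"
    return urllib.request.Request(
        url,
        data=json.dumps(payload).encode("utf-8"),
        headers={
            "Authorization": f'MediaBrowser Token="{api_key}"',
            "Content-Type": "application/json",
        },
        method="POST",
    )


def constructed_pem() -> str:
    """A constructed DER SEQUENCE wrapped as PEM: a placeholder, not a real certificate."""
    der = bytes.fromhex("3006020101020102")  # SEQUENCE { INTEGER 1, INTEGER 2 }
    return f"{PEM_BEGIN}\n{base64.b64encode(der).decode()}\n{PEM_END}\n"


if __name__ == "__main__":
    cert = pem_to_saml_certificate(constructed_pem())
    body = build_provider_payload("https://your-idp.example.com/saml/metadata", "jellyfin", cert)
    req = build_add_request("https://jellyfin.example.com", "example-idp", "<your-api-key>", body)
    print(req.get_method(), req.full_url)
    print(json.dumps(body, indent=2))
    # urllib.request.urlopen(req) would submit the configuration to the server.
```

For a real deployment replace `constructed_pem()` with the contents of the exported PEM file; the DER check then confirms the pasted block is a certificate rather than, for example, the IdP's signing key.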