Quick Start

Quick Start

This guide walks you through the minimum steps to get SSO login working with an OpenID Connect provider.

Prerequisites

• Plugin installed and Jellyfin restarted (see Installation)
• An OIDC-compatible identity provider with:
  • A client ID and client secret
  • A .well-known/openid-configuration discovery endpoint
  • Ability to configure a redirect URI

Step 1: Configure the Redirect URI in your IdP

Add the following URL as an allowed redirect URI in your identity provider:

https://<your-jellyfin-domain>/sso/OID/redirect/<provider-name>

Replace <provider-name> with whatever name you will give the provider (e.g. authelia, keycloak, google).

Step 2: Add the Provider in Jellyfin

1. Go to Administration → Plugins → SSO Authentication → Settings.
2. Scroll to Provider Identity and fill in:
   • Provider Name: the same name used in the redirect URI
   • OpenID Endpoint: base URL exposing /.well-known/openid-configuration
   • Client ID and Client Secret
3. Under Access Defaults:
   • Check Enabled
   • Check Enable All Folders to grant access to all libraries
4. Click Save.
5. Restart Jellyfin.

Step 3: Add the Login Button to the Jellyfin Web UI

Edit your Jellyfin web config file (config/web/config.json) and add a custom menu link:

{
  "customLinks": [
    {
      "name": "Sign in with SSO",
      "url": "/sso/OID/start/<provider-name>",
      "icon": "lock"
    }
  ]
}

Users can now click Sign in with SSO on the Jellyfin login page.

Step 4: Test the Login

Open a browser in private/incognito mode and navigate to your Jellyfin instance. Click the SSO link and complete the authentication on your identity provider. You should be redirected back to Jellyfin and logged in automatically.

Next Steps

• Configure RBAC (role-based access)
• Configure account linking
• Provider-specific guides