-
Notifications
You must be signed in to change notification settings - Fork 0
Troubleshooting
Cause: The OIDC discovery endpoint is hosted on a different domain than the issuer in the token (common with Google).
Fix: Enable Do Not Validate OpenID Endpoints in the security-sensitive options.
Check:
- The redirect URI registered in the identity provider exactly matches
https://<jellyfin-domain>/sso/OID/redirect/<provider-name>, including scheme, port, and case. - The client secret in Jellyfin matches the one in the identity provider.
- The provider's
.well-known/openid-configurationendpoint is reachable from the Jellyfin server.
Cause: The identity provider does not support Pushed Authorization Requests.
Fix: Enable Disable Pushed Authorization in the security-sensitive options. This is commonly required for Authelia.
Check:
- Jellyfin logs for errors immediately after the redirect.
- The user's role in the identity provider matches a role listed in the Roles field. If Roles is empty, all users are allowed.
- The state parameter has not expired (the user must complete the SSO flow promptly).
Cause: Google uses the sub claim as the username, which is a numeric identifier.
Fix: Set Default Username Claim to email to use the Google email address as the username instead.
Fix: A Jellyfin server restart is required after every configuration change.
Cause: The plugin overwrites permissions on login when Enable Authorization by Plugin is checked. If Admin Roles does not include the user's role, IsAdministrator is set to false.
Fix: Add the user's role to Admin Roles, or log in with a local admin account and manually re-grant admin access, then correct the role configuration.
Check:
- Enable All Folders is checked, or the specific library is in Enabled Folders.
- If Enable Role-Based Folder Access is on, the user's role is mapped to the library in Folder Role Mapping.
- The library ID in the mapping is correct. Find IDs via
GET /Library/VirtualFolders.
Cause: This is expected when Enable Authorization by Plugin is checked, the plugin applies permissions fresh on every login.
Fix: If you want to manage permissions manually, uncheck Enable Authorization by Plugin.
Check:
- The user is logged into Jellyfin before visiting the linking page.
- The provider is listed and enabled in the plugin configuration.
- The redirect URI for linking is registered in the identity provider:
https://<jellyfin-domain>/sso/OID/redirect/<provider-name>.
Fix: Remove the existing link from the self-service linking page before adding a new one.
Check:
- The
samlCertificatevalue matches the current signing certificate of the identity provider. - The certificate is base64-encoded with no headers (
-----BEGIN CERTIFICATE-----) and no newlines. - The identity provider has Sign documents enabled and Client signature required disabled.
Fix:
- Restart Jellyfin, the
meta.jsonfile is read on startup. - Add the plugin repository to Jellyfin:
https://raw.githubusercontent.com/K0lin/jellyfin-plugin-sso/manifest-release/manifest.json
Cause: Jellyfin cannot find the installed plugin version in the registered repository catalog.
Fix: Add the plugin repository URL above to Jellyfin's repository list. If the installed version is newer than the latest in the catalog, the CI will include it in the next release.
Enable verbose logging in Jellyfin and look for lines prefixed with Jellyfin.Plugin.SSO_Auth. Authentication flows, role processing, and user creation events are all logged at the Information or Debug level.
To view active OIDC states (debug):
GET /sso/OID/States
Authorization: MediaBrowser Token="<api-key>"
Getting Started
Configuration
Providers
Reference
Development