Jellyfin, Authentik, DUO. 2FA solution tutorial.

[HazzaFTW28]

reddit version: https://www.reddit.com/r/selfhosted/comm..._tutorial/


This tutorial/ method is 100% compatible with all clients. Has no redirects. when logging into jellyfin via through any client, etc. TV, Phone, Firestick and more, you will get a notification on your phone asking you to allow or deny the login.
for people who want more of an understanding of what it does, here's a video: https://imgur.com/a/1PesP1D
The following tutorial will done using a Debain/Ubuntu system but you can switch out commands as you need.
This quite a long and extensive tutorial but dont be intimidated as once you get going its not that hard.
credits to:
LDAP setup: https://www.youtube.com/watch?v=RtPKMMKRT_E
DUO setup: https://www.youtube.com/watch?v=whSBD8YbVlc&t
Prerequisites:

• Have your a public DNS record set to point to the authentik server. im using auth.YourDomainName.com.
  
• a server to run you docker containers
  

Create a DUO admin account here: https://admin.duosecurity.com
when first creating an account, it will give you a free trial for a month which gives you the ability to add more than 10 users but after that you will be limited to 10.
Install Authentik.

• Install Docker:
  

sudo apt install docker docker.io docker-compose

• give docker permissions:
  

sudo groupadd docker
sudo usermod -aG docker $USER

logout and back in to take effect

• install secret key generator:
  

sudo apt-get install -y pwgen

• install wget:
  

sudo apt install wget

• get file system ready:
  

sudo mkdir /opt/authentik

sudo chown -R $USER:$USER /opt/authentik/
cd /opt/authentik/

• Install authenik:
  

wget https://goauthentik.io/docker-compose.yml
echo "PG_PASS=$(pwgen -s 40 1)" >> .env
echo "AUTHENTIK_SECRET_KEY=$(pwgen -s 50 1)" >> .env
docker-compose pull
docker-compose up -d

Your server shoudl now be running, if you haven't mad any changes you can visit authentik at:
http://<your server's IP or hostname>:9000/if/flow/initial-setup/

• Create a sensible username and password as this will be accessible to the public.
  

configure Authentik publicly.
At this step i would recommend you have your authentik server pointed at your public dns server. (cloudflare). if you would like a tutorial to simlulate having a static public ip with ddns & cloudflare message me.

• Once logged in, click Admin interface at the top right.
  
• On the left, click Applications > Outposts.
  
• You will see an entry called authentik Embedded Outpost, click the edit button next to it.
  
• change the authentik host to: authentik_host: https://auth.YourDomainName.com/
  
• click Update
  

configure LDAP:

• On the left, click directory > users
  
• Click Create
  
• Username: service
  
• Name: Service
  
• click on the service account you just created.
  
• then click set password. give it a sensible password that you can remember later
  

• on the left, click directory > groups
  
• Click create
  
• name: service
  
• click on the service group you just created.
  
• at the top click users > add existing users > click the plus, then add the service user.
  

• on the left click flow & stages > stages
  
• Click create
  
• Click identification stage
  
• click next
  
• Enter a name: ldap-identification-stage
  
• Have the fields; username and email selected
  
• click finish
  

• again, at the top, click create
  
• click password stage
  
• click next
  
• Enter a name: ldap-authentication-password
  
• make sure all the backends are selected.
  
• click finish
  

• at the top, click create again
  
• click user login stage
  
• enter a name: ldap-authentication-login
  
• click finish
  

• on the left click flow & stages > flows
  
• at the top click create
  
• name it: ldap-athentication-flow
  
• title: ldap-athentication-flow
  
• slug: ldap-athentication-flow
  
• designation: authentcation
  
• (optional) in behaviour setting, tick compatibility mode
  
• Click finish
  

• in the flows section click on the flow you just created: ldap-athentication-flow
  
• at the top, click on stage bindings
  
• click bind existing stage
  
• stage: ldap-identification-stage
  
• order: 10
  
• click create
  

• click bind existing stage
  
• stage: ldap-authentication-login
  
• order: 30
  
• click create
  

• click on the ldap-identification-stage > edit stage
  

• under password stage, click ldap-authentication-password
  
• click update
  

allow LDAP to be queried

• on the left, click applications > providers
  
• at the top click create
  
• click LDAP provider
  
• click next
  
• name: LDAP
  
• Bind flow: ldap-athentication-flow
  
• search group: service
  
• bind mode: direct binding
  
• search mode direct querying
  
• click finish
  

• on the left, click applications > applications
  
• at the top click create
  
• name: LDAP
  
• slug: ldap
  
• provider: LDAP
  
• click create
  

• on the left, click applications > outposts
  
• at the top click create
  
• name: LDAP
  
• type: LDAP
  
• applications: make sure you have LDAP selected
  
• click create.
  

You now have an LDAP server. lets create a Jellyfin user and Jellyfin admin group.

Jellyfin users
jellyfin admins must be assigned to the user and admin group. normal user just assign to jellydin users

• on the left click directory > groups
  
• create 2 groups, Jellyfin Users & Jellyfin Admins. (case sensitive)
  
• on the left click directory > users
  
• create a user
  
• click on the user you just created and give it a password and assign it to the Jellyin User group. also add it to the Jellyfin admin group if you want
  

setup jellyfin for LDAP

• open you jellyfin server
  
• click dashboard > plugins
  
• click catalog and install the LDAP plugin
  
• you may need to restart.
  
• click dashboard > plugins > LDAP
  

LDAP bind

LDAP Server: the authentik servers local ip
LDAP Port: 389
LDAP Bind User: cn=service,ou=service,dc=ldap,dc=goauthentik,dc=io
LDAP Bind User Password: (the service account password you create earlier)
LDAP Base DN for searches: dc=ldap,dc=goauthentik,dc=io
click save and test LDAP settings
LDAP Search Filter:
(&(objectClass=user)(memberOf=cn=Jellyfin Users,ou=groups,dc=ldap,dc=goauthentik,dc=io))
LDAP Search Attributes: uid, cn, mail, displayName
LDAP Username Attribute: name
LDAP Password Attribute: userPassword
LDAP Admin Filter: (&(objectClass=user)(memberOf=cn=Jellyfin Admins,ou=groups,dc=ldap,dc=goauthentik,dc=io))

• under jellyfin user creation tick the boxes you want.
  
• click save
  

Now try to login to jellyfin with a username and password that has been assigned to the jellyfin users group.

bind DUO to LDAP

• In authentik admin click flows & stages > flows
  
• click default-authentication-flow
  
• at the top click stage binding
  
• you will see an entry called: default-authentication-mfa-validation, click edit stage
  
• make sure you have all the device classes selected
  
• not configured action: Continue
  

• on the left, click flows & stages > flows
  
• at the top click create
  
• Name: Duo Push 2FA
  
• title: Duo Push 2FA
  
• designation: stage configuration
  
• click create
  

• on the flow stage, click the flow you just created: Duo Push 2FA
  
• at the click stage bindings
  
• click create & bind stage
  
• click duo authenticator setup stage
  
• click next
  
• name: duo-push-2fa-setup
  
• authentication type: duo-push-2fa-setup
  
• you will need to fill out the 3 duo api fields.
  
• login to DUO admin: https://admin.duosecurity.com/
  
• in duo on the left click application > protect an application
  
• find duo api > click protect
  
• you will find the keys you need to fill in.
  
• configuration flow: duo-push-2fa
  
• click next
  
• order: 0
  

• click flows & stages > flows
  
• click ldap-athentication-flow
  
• click stage bindings
  
• click bind existing stage
  
• name: default-authentication-mfa-validation
  
• click update
  

LDAP will now be configured with DUO. to add user to DUO, go to the DUO

• click users > add users
  
• give it a name to match the jellyfin user
  
• down the bottom, click add phone. this will send the user a text to download DUO app and will also include a link to active the the user on that duo device.
  
• when in each users profile in DUO you will see a code embedded in URL. something like this;
  

https://admin-11111.duosecurity.com/user...8RY4R78Y13

• you want to copy that code on the end.
  
• in authentik navigate to flows & stages > stages
  
• find the duo-push-2fa slow you created but dont click on it.
  
• next to it there will be a actions button on the right. click it to bring up import device
  
• select the user you want and the map it to the code you copied earlier.
  

now whenever you create a new user, create it in authentik and add the user the jellyfin users group and optionally the jellyfin admins group. then create that user in duo admin. once created get the users code from the url and assign it to the user in duo stage, import device option.
i hope this helps someone and do not hesitate to ask for help.

[Jellyfenmo]

Thanks for taking the time to write this up! I was struggling with how to properly populate the LDAP Search Filter & this made it super easy.

[ballen]

Thanks for the writeup @HazzaFTW28, now that I'm about to make the switch from Plex to Jellyfin, I'm very excited to use this method this evening

[محمد أشرف]

First of all, thanks a lot @HazzaFTW28 for preparing tutorial and my question is can we configure user limit for certain time frame? Like 6 month user access. I'm now looking suitable hardware and plan to build one soon..

[Autchirion]

Thanks for taking the time to write this up! I was struggling with how to properly populate the LDAP Search Filter & this made it super easy.

Did you manage to get it running? Because for me it returns "Connect (Success); Bind (Success); Base Search (Found 0 Entities)" after clicking "Save and Test LDAP Server Settings". Also if I continue the process, it doesn't return any user/admin, any ideas? I followed the tutorial and did basically everything twice to make sure I didn't make a mistake in the first run.

[likwid101]

I had to change
"
in duo on the left click application > protect an application
find duo api > click protect
"

to
"
LDAP Proxy
"

as the Duo API is only for paying folks and I'm on the free version... but all else was left the same and it worked. Thanks so much for the write up!

[1simpleAtom]

While I am able to successfully connect Jellyfin to the LDAP server:

Code:

Connect (Success); Bind (Success); Base Search (Found 7 Entities)

I seem to be unable to find any users or admins:

Code:

Found 0 user(s), 0 admin(s)

I have gone over the LDAP search filter many times, but can't seem to find an error. Attached is a screenshot of my Jellyfin LDAP setup, should someone like to take a look.

---

edit:
Looking back through things, I noticed when I created the LDAP application provider and bound it to ldap-authentication-flow I was unable to assign a search group. The problem is, there is no option for me to do so.

---

solution:
The problem did in fact have to do with not having been able to assign the service account to the ldap-authentication-flow search group. On version 2024.8.3 of Authentik, this is now done after creating the LDAP application provider and going to the permissions tab and then Assign to a new user.

[BourbonDoc]

I know it's a bit like a needle in a haystack, but I've followed everything up through configuring LDAP in Jellyfin, but when I save and test it says "Connect: Connect error". I tried restarting Jellyfin to no avail. Any ideas?

[2024-10-11 13:45:16.515 -04:00] [WRN] [31] Jellyfin.Plugin.LDAP_Auth.LdapAuthenticationProviderPlugin: Ldap Test Failed to Connect or Bind to server
LdapException: Unable to connect to server https://[myip]:389 (91) Connect Error
System.Net.Sockets.SocketException (00000005, 0xFFFDFFFF): Name or service not known
  at System.Net.Dns.GetHostEntryOrAddressesCore(String hostName, Boolean justAddresses, AddressFamily addressFamily, Nullable1 startingTimestamp)
  at System.Net.Dns.<>c.<GetHostEntryOrAddressesCoreAsync>b__33_0(Object s, Int64 startingTimestamp)
  at System.Net.Dns.<>c__DisplayClass39_01.<RunAsync>b__0(Task <p0>, Object <p1>)
  at System.Threading.Tasks.ContinuationResultTaskFromTask1.InnerInvoke()
  at System.Threading.ExecutionContext.RunInternal(ExecutionContext executionContext, ContextCallback callback, Object state)
--- End of stack trace from previous location ---
  at System.Threading.ExecutionContext.RunInternal(ExecutionContext executionContext, ContextCallback callback, Object state)
  at System.Threading.Tasks.Task.ExecuteWithThreadLocal(Task& currentTaskSlot, Thread threadPoolThread)
--- End of stack trace from previous location ---
  at Novell.Directory.Ldap.Connection.Connect(String host, Int32 port, Int32 semaphoreId)`

[TheDreadPirate]

The host firewall doesn't allow connections on that port?

[BourbonDoc]

Good thought! Unfortunately didn't work. I tried 389 as well as the webUI port for the port, as well as trying the domain name for the server address. I suspect I've got some sort of issue with what I'm putting as the IP.

LDAP Outpost is my verified domain, auth.x.x
LDAP server in Jellyfin is server IP
Port I've tried 389 and my webUI port

I can see a container running the LDAP with 389 published. I tried the container IP address as well and that didn't work.