Jellyfin OIDC Plugin Setup 2026: SSO with Authelia & Authentik (Step-by-Step)


How to Enable OIDC (OpenID Connect) in Jellyfin

Jellyfin supports OIDC-based single sign-on through the jellyfin-plugin-sso community plugin. Once configured, your users authenticate via an external identity provider (Authelia, Authentik, Keycloak, or any OIDC-compliant IdP) and access Jellyfin without a separate password. This guide covers the full OIDC setup with both Authelia (lightweight) and Authentik (full-featured).


Jellyfin SSO with Authelia and Authentik (2026)

If you run Jellyfin alongside Radarr, Sonarr, Jellyseerr, Grafana, and other services, your users (and you) are juggling multiple passwords. Single Sign-On (SSO) lets everyone log in once and access everything.

This guide covers the two most popular self-hosted SSO solutions for Jellyfin in 2026.


What Is SSO and Why Does It Matter?

Single Sign-On means one login for all your services:

  • Log in to Authelia/Authentik once
  • Access Jellyfin, Jellyseerr, Radarr, Sonarr, Grafana - no re-authentication
  • Centralized user management - add/remove users in one place
  • Two-factor authentication (2FA) across all services
  • Audit logs for every login attempt

Option 1: Authelia (Lightweight)

Authelia is a lightweight authentication server that sits behind your reverse proxy.

How it works

User → Reverse Proxy → Authelia (login) → Jellyfin

Authelia intercepts requests, checks authentication, and forwards authenticated users to the target service.

Docker Compose

services:
  authelia:
    image: authelia/authelia:latest
    volumes:
      - ./authelia/config:/config
    ports:
      - 9091:9091
    restart: unless-stopped

Authelia configuration for Jellyfin

# configuration.yml
access_control:
  default_policy: deny
  rules:
    - domain: jellyfin.yourdomain.com
      policy: one_factor
    - domain: radarr.yourdomain.com
      policy: two_factor
    - domain: sonarr.yourdomain.com
      policy: two_factor

identity_providers:
  oidc:
    clients:
      - id: jellyfin
        description: Jellyfin Media Server
        secret: your_client_secret_here
        redirect_uris:
          - https://jellyfin.yourdomain.com/sso/OID/redirect/authelia
        scopes:
          - openid
          - profile
          - groups

Jellyfin SSO Plugin

  1. Install the jellyfin-plugin-sso from the plugin catalog
  2. Configure OIDC provider:
    • Provider name: Authelia
    • OIDC endpoint: https://auth.yourdomain.com
    • Client ID: jellyfin
    • Client Secret: your secret
  3. Users see a "Sign in with Authelia" button on the Jellyfin login page

Option 2: Authentik (Full-Featured)

Authentik is a more feature-rich identity provider with a polished admin UI, LDAP support, and advanced policies.

Docker Compose

services:
  authentik-server:
    image: ghcr.io/goauthentik/server:latest
    command: server
    environment:
      - AUTHENTIK_SECRET_KEY=your_secret_key
      - AUTHENTIK_REDIS__HOST=redis
      - AUTHENTIK_POSTGRESQL__HOST=postgresql
      - AUTHENTIK_POSTGRESQL__USER=authentik
      - AUTHENTIK_POSTGRESQL__PASSWORD=authentik_db_pass
      - AUTHENTIK_POSTGRESQL__NAME=authentik
    ports:
      - 9000:9000
      - 9443:9443
    restart: unless-stopped

  authentik-worker:
    image: ghcr.io/goauthentik/server:latest
    command: worker
    environment:
      - AUTHENTIK_SECRET_KEY=your_secret_key
      - AUTHENTIK_REDIS__HOST=redis
      - AUTHENTIK_POSTGRESQL__HOST=postgresql
      - AUTHENTIK_POSTGRESQL__USER=authentik
      - AUTHENTIK_POSTGRESQL__PASSWORD=authentik_db_pass
      - AUTHENTIK_POSTGRESQL__NAME=authentik
    restart: unless-stopped

  redis:
    image: redis:alpine
    restart: unless-stopped

  postgresql:
    image: postgres:16-alpine
    environment:
      - POSTGRES_USER=authentik
      - POSTGRES_PASSWORD=authentik_db_pass
      - POSTGRES_DB=authentik
    volumes:
      - ./authentik/db:/var/lib/postgresql/data
    restart: unless-stopped

Configure Authentik for Jellyfin

  1. Open Authentik admin UI at https://your-server:9000/if/admin/
  2. Applications → Create Application → Name: "Jellyfin"
  3. Create an OAuth2/OIDC Provider:
    • Client ID: auto-generated
    • Redirect URI: https://jellyfin.yourdomain.com/sso/OID/redirect/authentik
    • Scopes: openid, profile, email
  4. Install jellyfin-plugin-sso and configure with Authentik endpoints
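
A pre-flight check for the plugin settings described in both the Authelia and Authentik sections above, as an added example (not code from the plugin or from either IdP project): it compares an OIDC discovery document with the values entered in Jellyfin and registered at the IdP. The function names and the sample document are constructed, and it assumes the callback path ends in the provider name exactly as typed into the plugin.

```python
from urllib.parse import urlsplit

# Constructed discovery document, shaped like the JSON an IdP serves at
# <issuer>/.well-known/openid-configuration (all values are placeholders).
SAMPLE_DISCOVERY = {
    "issuer": "https://auth.yourdomain.com",
    "authorization_endpoint": "https://auth.yourdomain.com/api/oidc/authorization",
    "token_endpoint": "https://auth.yourdomain.com/api/oidc/token",
    "jwks_uri": "https://auth.yourdomain.com/jwks.json",
    "scopes_supported": ["openid", "profile", "email", "groups"],
    "response_types_supported": ["code"],
}


def expected_redirect_uri(jellyfin_base, provider_name):
    # Assumption: the callback path ends in the provider name exactly as typed
    # into the plugin, following the redirect URI pattern shown in this guide.
    return f"{jellyfin_base.rstrip('/')}/sso/OID/redirect/{provider_name}"


def preflight(discovery, oidc_endpoint, jellyfin_base, provider_name,
              registered_redirects, scopes):
    """Return a list of findings; an empty list means the settings agree."""
    findings = []
    # The advertised issuer must be the endpoint the client was configured
    # with (a trailing slash is ignored here).
    if discovery.get("issuer", "").rstrip("/") != oidc_endpoint.rstrip("/"):
        findings.append("issuer does not match the configured OIDC endpoint")
    for key in ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri"):
        if urlsplit(discovery.get(key, "")).scheme != "https":
            findings.append(f"{key} is missing or not served over https")
    if "code" not in discovery.get("response_types_supported", []):
        findings.append("authorization code flow not advertised")
    missing = sorted(set(scopes) - set(discovery.get("scopes_supported", [])))
    if missing:
        findings.append("scopes not offered by the IdP: " + ", ".join(missing))
    # Redirect URIs are normally matched as exact strings, so letter case and
    # trailing slashes matter.
    want = expected_redirect_uri(jellyfin_base, provider_name)
    if urlsplit(want).scheme != "https":
        findings.append("redirect URI is not https")
    if want not in registered_redirects:
        findings.append(f"redirect URI {want} is not registered for the client")
    return findings
```

To use it against a live IdP, load the JSON from its `/.well-known/openid-configuration` URL and pass it in place of `SAMPLE_DISCOVERY`.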

Authentik advantages over Authelia

| Feature | Authelia | Authentik |
|---|---|---|
| Setup complexity | Simple | Medium |
| Admin UI | YAML config | Full web UI |
| LDAP support | Basic | Full |
| User self-service | Limited | Password reset, profile |
| Group management | File-based | Web UI |
| Audit logs | Basic | Detailed |
| Resource usage | Very low | Medium (PostgreSQL + Redis) |

Protecting Your Entire Stack

Once SSO is configured, protect all services:

| Service | SSO method |
|---|---|
| Jellyfin | OIDC plugin |
| Jellyseerr | OIDC in preview branch only (not in stable) |
| Radarr | Reverse proxy auth header |
| Sonarr | Reverse proxy auth header |
| Grafana | Built-in OAuth2 |
| Portainer | Built-in OAuth2 |

For services without native OIDC (Radarr, Sonarr), use your reverse proxy to enforce authentication via Authelia/Authentik before forwarding requests.

Heads-up on Jellyseerr / Seerr OIDC: As of 2026, OpenID Connect is not available in the stable Jellyseerr/Seerr image (the :latest tag, including Seerr 3.2.0). It only lives in a work-in-progress preview branch - historically tagged fallenbagel/jellyseerr:preview-OIDC, renamed preview-new-oidc after the Overseerr and Jellyseerr projects merged into Seerr. The feature is still unmerged and incomplete: notably there is no automatic account linking yet, so migrating existing local users can fail with a UNIQUE constraint failed: user.email error. Until OIDC ships in a stable release, either run the preview image or front Jellyseerr with reverse-proxy / forward-auth via Authelia or Authentik.


Two-Factor Authentication (2FA)

Both Authelia and Authentik support 2FA:

  • TOTP (Google Authenticator, Authy)
  • WebAuthn (hardware keys like YubiKey)
  • Push notifications (Authentik only)

Enable 2FA for admin accounts at minimum. Consider requiring it for all users accessing services remotely.


FAQ

Does SSO replace Jellyfin user accounts? No. SSO creates a link between the external identity and a Jellyfin user. Jellyfin still manages its own user database.

Can I use SSO for the Jellyfin mobile app? The SSO plugin works with the web interface. Mobile app support depends on the client - some support OIDC redirect, others require direct Jellyfin credentials.

Is Authelia or Authentik better? Authelia for simplicity and low resource usage. Authentik for a full-featured identity platform with a web admin UI.

Does Jellyseerr support OIDC out of the box? Not in the stable release. OpenID Connect for Jellyseerr/Seerr is still a preview feature — you must run the preview-new-oidc image (formerly preview-OIDC). It is not in :latest or Seerr 3.2.0, and there is no automatic account linking yet, so existing users may need to be linked manually in the admin panel or you should disable "New user login" to avoid duplicate-account errors.

Can JellyWatch connect through SSO? JellyWatch connects directly to the Jellyfin API using standard credentials. SSO is primarily for web-based access.



Comments 5

SSOEngineer·

Authentik with Jellyfin SSO plugin works beautifully. One login for Jellyfin, Jellyseerr, Grafana, and Portainer. No more password fatigue.

AutheliaFan·

Authelia is perfect for smaller setups. YAML config, low resource usage, and 2FA with YubiKey. Simple and secure.

felixr_de·

WebAuthn with my YubiKey through Authentik is the most satisfying login experience. Tap the key, done. No TOTP codes to type. Highly recommend for admin accounts.

gendude·

Jellyseerr / the seerr image does not support OIDC under its latest tagged version. Did you all use the preview feature branch?

maxAdmin·

You're absolutely right, thanks for flagging it. OIDC was never merged into a stable Seerr/Jellyseerr release, not even in 3.2.0. It only lives in the preview branch. We tested this setup on the fallenbagel/jellyseerr:preview-OIDC image (now renamed preview-new-oidc since the Overseerr + Jellyseerr → Seerr merge). If you're on :latest, you won't have OIDC.

Heads-up if you migrate existing users: there's no automatic account linking yet, so logins can fail with a UNIQUE constraint failed: user.email error. In that case, you either link accounts manually in the admin panel or disable "New user login."

We'll update the article to make the preview-branch requirement explicit.

Would you like me to read the actual article from the database (table blog) to identify the relevant passage?
