ansible/docs/guides/sso-selfhosted-matrix.md
ilia 0f34c51fc8
All checks were successful
Complete homelab post-sprint: SSO docs, monitoring scripts, phase 0/1 closure.
Consolidate sprint status into handoff docs, add Listmonk/Mattermost/Mailcow
and Vikunja SSO guides, Beszel alerts script, mattermost inventory, and
mark phases 0–1 complete with phase 2 backlog for edge Caddy and security.

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-05-24 12:13:55 -04:00


Self-hosted SSO readiness (Authentik)

Which apps can use Authentik OIDC/SAML without a paid app license.

Cal.com — blocked (commercial)

Status: Deferred until a valid self-hosted enterprise license is in place.

The Cal UI at /settings/security/sso shows "This is a commercial feature" when CALCOM_LICENSE_KEY is missing or invalid. On LXC 210, the key in /opt/cal/.env is currently empty (length 0), so SSO cannot be configured in-app.

If you want native Cal OIDC later:

  1. Purchase / obtain a self-hosted license from Cal.com (sales or existing license).
  2. Set in /opt/cal/.env:
    CALCOM_LICENSE_KEY=<your-key>
    NEXT_PUBLIC_LICENSE_CONSENT=agree
    
  3. cd /opt/cal && docker compose up -d (compose already passes these vars).
  4. Complete cal-authentik-oidc.md — Authentik app cal-com is already provisioned.
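A preflight for steps 2 and 3, added here as an example and not part of this repo's tooling: it confirms both variables are set in the .env file before the containers are restarted, and prints only the key's length. The function names `env_value` and `cal_sso_preflight` are hypothetical, and the check cannot tell whether a non-empty key is valid.

```sh
#!/bin/sh
# Added example (not from the repo): preflight for steps 2-3 above.
# Prints only the key's length, never its value.

# env_value FILE NAME: last assignment of NAME in a dotenv file (assumes the
# last one wins). Skips commented lines, accepts an "export " prefix, strips
# CRs and outer quotes. Simplification: expects NAME=value, no spaces at "=".
env_value() {
    tr -d '\r' < "$1" \
        | sed -n -e "s/^[[:space:]]*\(export[[:space:]]\{1,\}\)\{0,1\}$2=//p" \
        | tail -n 1 \
        | sed -e 's/[[:space:]]*$//' -e 's/^"\(.*\)"$/\1/' -e "s/^'\(.*\)'\$/\1/"
}

# cal_sso_preflight [FILE]: 0 = both settings present, 1 = not ready,
# 2 = file unreadable. A non-empty key can still be invalid; only Cal can
# confirm validity.
cal_sso_preflight() {
    envfile="${1:-/opt/cal/.env}"
    [ -r "$envfile" ] || { echo "cannot read $envfile" >&2; return 2; }
    key=$(env_value "$envfile" CALCOM_LICENSE_KEY)
    consent=$(env_value "$envfile" NEXT_PUBLIC_LICENSE_CONSENT)
    rc=0
    echo "CALCOM_LICENSE_KEY length: ${#key}"
    if [ -z "$key" ]; then
        echo "FAIL: key missing or empty; the SSO page will show the commercial-feature notice"
        rc=1
    fi
    if [ "$consent" != "agree" ]; then
        echo "FAIL: NEXT_PUBLIC_LICENSE_CONSENT is not 'agree'"
        rc=1
    fi
    # The file holds a secret: flag it if other users can read it.
    if [ -n "$(find "$envfile" -prune -perm -004)" ]; then
        echo "WARN: $envfile is world-readable"
    fi
    unset key
    return "$rc"
}

# Constructed sample reproducing the state described above (empty key).
demo=$(mktemp)
printf 'CALCOM_LICENSE_KEY=\nNEXT_PUBLIC_LICENSE_CONSENT=agree\n' > "$demo"
cal_sso_preflight "$demo" || echo "not ready, as expected for an empty key"
rm -f "$demo"
```

On LXC 210, call `cal_sso_preflight` with no argument to check /opt/cal/.env; exit status 0 means step 3 can proceed.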

Workaround without paying Cal: use the local Cal password for admin; public booking at cal.levkin.ca/ilia/consult stays open. Optional later: Caddy + Authentik forward-auth only on /settings/* and /auth/* (does not integrate Cal's “Login with SSO” button; more ops complexity). Not recommended until the license path is ruled out.

Infra already done (harmless to keep): calsaml DB, SAML_* env vars, Authentik provider cal-com-oidc.


Phase 4 order (no Cal license required)

Wire these first — typical OSS OIDC, no extra license:

| App | OIDC/SAML | Notes |
| --- | --- | --- |
| Vikunja | OIDC native | Live: vikunja-authentik-oidc.md; group homelab-users |
| Listmonk | OIDC native | Live: listmonk-authentik-oidc.md; v6.1.0+ |
| Mattermost | GitLab OAuth → Authentik | mattermost-authentik-gitlab-oauth.md |
| Mailcow | Generic-OIDC | mailcow-authentik-oidc.md — test mailbox login |
| Umami | | Already LAN-only; no SSO needed |
| Vaultwarden | Do not OIDC (break-glass) | |
| n8n | OIDC (if enabled) | Check edition |
| Immich | OIDC | Phase 5; usually free in self-host |
| Outline | OIDC/SAML | Phase 8 |

The apps on the list above are unlikely to need a commercial license for homelab SSO; always check each app's docs before assuming.