SSO Settings:


Note: Making changes to this configuration requires a restart of Jellyfin.
This plug-in is in early development. Not all configuration options have been implemented in the UI; for example, SAML provider configuration has not been implemented.
See the help page and roadmap for more information.
To allow users to manage their own SSO accounts, including linking SSO providers and removing existing links, they need to visit the self service page.
You can use custom menu links to accomplish this.

The name used by Jellyfin to identify the OID provider.
If an OID provider with a matching name does not exist, a new provider with this name will be created.
If an OID provider with a matching name already exists, the settings for that provider will be updated.
The OpenID endpoint. Must have a .well-known path available.
The OpenID client ID for this media server instance. This is configured on the OIDC provider to uniquely identify this Jellyfin instance.
The OpenID secret. Randomly generated & shared.
Determines if the plugin sets permissions for the user.
If false, the user will start with no permissions and an administrator will add permissions.
The permissions of existing users will not be rewritten on subsequent logins.
If enabled, all libraries will be accessible to any user that logs in through this provider.
Determines which libraries will be accessible to a user that logs in through this provider.
If "Enable All Folders" is checked, then this has no effect.
A list of roles, one role per line, to look for in the OpenID response.
If a user has any of these roles, then the user is authenticated. This validates the OpenID response against the claim set in "RoleClaim".
Leave blank to disable role checking.
A list of roles, one role per line, to look for in the OpenID response.
Like "Roles", but having any of the roles confers admin privilege.
If unset, admin privileges will not be granted.
Determines if user roles should be used to control library access.
Map roles (given by "Role Claim") to lists of libraries. If a user has a given role, they will have access to the corresponding libraries. If "Enable Role-Based Folder Access" is disabled, this has no effect.
This is the value in the OpenID response to check for roles. The first element is the claim type, the subsequent values are to parse the JSON of the claim value. Use a "\." to denote a literal ".". This expects a list of strings from the OIDC server.
For Keycloak, it is realm_access.roles by default.
For Authelia, it is groups.
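The role claim path and the "Roles" / admin roles checks described above, worked through in Python as an added example (not the plugin's own code). The claim sets, role names and function names are constructed; it assumes the claims are already decoded into a dict, that a missing or malformed claim yields no roles, and that admin is only granted when the login itself is allowed.

```python
import re

def split_claim_path(path):
    """Split a role claim path on unescaped '.'; '\\.' becomes a literal '.'."""
    parts = re.split(r"(?<!\\)\.", path)
    return [p.replace("\\.", ".") for p in parts]

def roles_from_claims(claims, role_claim):
    """Walk the path through the decoded claims; return the role strings found."""
    node = claims
    for key in split_claim_path(role_claim):
        if not isinstance(node, dict) or key not in node:
            return []  # wrong path, or claim absent (e.g. a scope was not requested)
        node = node[key]
    if not isinstance(node, list):
        return []  # the setting expects a list of strings; fail closed otherwise
    return [r for r in node if isinstance(r, str)]

def evaluate_login(claims, role_claim, roles, admin_roles):
    """Return (allowed, is_admin) following the role list descriptions."""
    user_roles = set(roles_from_claims(claims, role_claim))
    # A blank role list disables role checking, so every login is allowed.
    allowed = not roles or bool(user_roles & set(roles))
    # Assumption: admin is only conferred on a login that is allowed at all.
    is_admin = allowed and bool(user_roles & set(admin_roles))
    return allowed, is_admin

# Constructed sample claim sets (not captured from a real provider).
KEYCLOAK_CLAIMS = {
    "preferred_username": "alice",
    "realm_access": {"roles": ["jellyfin-user", "jellyfin-admin"]},
}
AUTHELIA_CLAIMS = {"preferred_username": "bob", "groups": ["media"]}
DOTTED_CLAIMS = {"https://idp.example/roles": ["media"]}

if __name__ == "__main__":
    print(evaluate_login(KEYCLOAK_CLAIMS, "realm_access.roles",
                         ["jellyfin-user"], ["jellyfin-admin"]))
    print(evaluate_login(AUTHELIA_CLAIMS, "groups", ["jellyfin-user"], []))
    print(roles_from_claims(DOTTED_CLAIMS, r"https://idp\.example/roles"))
```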
Specify additional scopes to include in the OIDC request.
One scope per line, each line should contain a scope name to include in the OIDC request.
For some OIDC providers (for example, Authelia), additional scopes may be required in order to validate group membership in the role claim.
Leave blank to only request the default scopes.
The provider set here is assigned to the user after they have logged in. If it is not set, nothing is changed. With this, a user can log in with SSO but is still able to log in via other providers later.
A common option is Jellyfin.Server.Implementations.Users.DefaultAuthenticationProvider for the default provider.
The username claim to use from the OpenID response. If it is not set, it defaults to preferred_username.