WTH there is no SSO (SAML or oAuth)?

Saying that the average user isn’t going to set up SSO is a bit disingenuous. Even if you’re not doing a full SAML setup, everyone in the modern day and age is familiar with the basic “Login with Google” button, which wouldn’t even require any additional setup on the part of the home admin. It adds a layer of security, reduction in the number of accounts that have to be maintained, password reset issues, etc. Also, don’t forget that this community are tech tinkerers by default, so the idea that they can’t or aren’t interested in securing their applications with SAML is a bit of a ridiculous assertion.

Personally, all of my other services are behind Cloudfront and have SAML auth in front of them facilitated by Cloudfront. However, Home Assistant is the ONE service I can’t make this work for, given the native apps and limitations that they have.

As per another authentication thread, how do I hand access to a supplier accessing my home?
The easy way is to add their OAuth identifier, give it permissions to the front door and let them access it.
Not a massively specialist requirement.
Also works for letting guests access heating or room automation from their phone without needing me to manage their account.

I have been using Home Assistant for four years and additional security has never been on my radar. Especially SAML. I can’t imagine how the average home with Home Assistant would ever need or use it.

I’m the same way, to be honest. I can see the usefulness of Role Based Access Control, which is actually required for this to work as expected for some of the use cases mentioned in the thread, but not the need for SSO/SAML.

SAML/OAuth would potentially be a MUCH safer way to allow 3rd party front ends to interact with the Home Assistant backend as well if there was a published API. Then you could authorize or deauthorize apps/integrations/frontends easily, and those front ends would not need to directly handle any Home Assistant credentials.


I agree 100%, but this is WAY out of scope for the average HomeAssistant user.
Perhaps I am in a bubble, but what 3rd party front end could you be imagining?

There are a few projects on the go like a desktop HA notification client, and I have seen others try and implement Apple TV apps etc etc… There are a handful of custom front ends, but none authenticate securely: they either need direct MQTT access on the local network or front the web page and pass credentials.

If you look at something like Plex, they have implemented single sign on (they do it via their cloud, where I would prefer local). This allows apps like Tautulli to both securely connect with a token that can be seen and reset on the server, and also allows you to sign in with your Plex account without Tautulli actually having your credentials.

If you have a substantial amount of self hosted services, maybe Dropbox alternatives, calendar etc, then having a common auth provider that Home Assistant can leverage or be the provider for would be very handy.

My wife already hates using a password manager and always loves just being able to use ONE sign in for several apps. Same goes as my kids are getting older: if Home Assistant started having actual permissions I would likely want sign ins for the whole family, which is just more passwords for everyone.


It’s funny how I was about to create an account in the HA community forum just to add something to this topic… I got greeted with a login screen, one of the options was Login with GitHub (SSO) which I used without hesitation.

Nevertheless, I just want to add that I volunteer at a Church/Worship center facility and I work mainly on the IT infrastructure. I was setting up HA for the electricians, who also volunteer, so that they have a way to automate stuff (link lights, blinds, windows etc…).

We have a huge infrastructure with more than 500 VMs running, mostly open-source stuff like mentioned in the above comments. Most of the exposed “Front-End” services have a Keycloak server as their Identity Provider, and everyone volunteering uses 1 username and 1 password + TOTP and other MFA.

Personally, I understand some comments stating that for homelab/simple home use, it is pretty normal and standard not to have an identity/authorization management (IAM) solution.
But at the same time I was hoping to enable OIDC to challenge my Keycloak server for ID and auth, because we have people come and go, and having to create or disable a user account each time a technician needs it is very frustrating.

We have a lot of services running on the frontend, and people really appreciate and have gotten used to being greeted with the Keycloak login page.


Something like OAuth and token auth would also make “device” only type relationships easier as well.

I.e. you have a kiosk device; you use YOUR credentials to initially set it up, but it gets treated as a device with its own token, i.e. no user account.

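As an added illustration of the device-token model the last few posts describe (a kiosk or third-party front end gets its own scoped token that the owner can see and reset on the server, and the device never holds the owner's password), here is a small registry I wrote for this thread; it is not Home Assistant code or anything from the posters above, and the class names and scope strings such as "read:state" are my own assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class DeviceToken:
    """One token per device/frontend. Only a hash of the secret is kept."""
    token_id: str
    owner: str            # user whose credentials provisioned the device
    device_name: str
    scopes: frozenset     # hypothetical scope strings, e.g. "read:state"
    secret_hash: bytes    # sha256(secret); the plaintext is shown exactly once
    revoked: bool = False


class DeviceTokenRegistry:
    """Minimal registry: issue, verify, revoke and list per-device tokens."""

    def __init__(self) -> None:
        self._tokens: dict[str, DeviceToken] = {}

    def issue(self, owner: str, device_name: str, scopes: set[str]) -> str:
        token_id = secrets.token_urlsafe(8)      # public id, safe to show in a UI
        secret = secrets.token_urlsafe(32)       # bearer part, never stored
        self._tokens[token_id] = DeviceToken(
            token_id, owner, device_name, frozenset(scopes),
            hashlib.sha256(secret.encode()).digest())
        return f"{token_id}.{secret}"            # what the device receives

    def verify(self, bearer: str, required_scope: str):
        # Returns the owner if the token is known, unrevoked and in scope.
        token_id, _, secret = bearer.partition(".")
        entry = self._tokens.get(token_id)
        if entry is None or entry.revoked or required_scope not in entry.scopes:
            return None
        presented = hashlib.sha256(secret.encode()).digest()
        if not hmac.compare_digest(presented, entry.secret_hash):
            return None
        return entry.owner

    def revoke(self, token_id: str) -> bool:
        entry = self._tokens.get(token_id)
        if entry is not None:
            entry.revoked = True   # owner's own password is untouched
        return entry is not None

    def list_for(self, owner: str) -> list[tuple[str, str, bool]]:
        return [(t.token_id, t.device_name, t.revoked)
                for t in self._tokens.values() if t.owner == owner]
```

Resetting a compromised kiosk is then one revoke call rather than a password change that would log out every other client the owner uses.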