Saying that the average user isn’t going to set up SSO is a bit disingenuous. Even if you’re not doing a full SAML setup, everyone in the modern day and age is familiar with the basic “Login with Google” button, which wouldn’t even require any additional setup on the part of the home admin. It adds a layer of security, a reduction in the number of accounts that have to be maintained, fewer password reset issues, etc. Also, don’t forget that this community consists of tech tinkerers by default, so the idea that they can’t or aren’t interested in securing their applications with SAML is a bit of a ridiculous assertion.
Personally, all of my other services are behind Cloudfront and have SAML auth in front of them facilitated by Cloudfront. However, Home Assistant is the ONE service I can’t make this work for, given the native apps and limitations that they have.
As per another authentication thread, how do I hand access to a supplier accessing my home?
The easy way is to add their OAuth identifier, give it permissions to the front door and let them access it.
Not a massively specialist requirement.
Also works for letting guests access heating or room automation from their phone without needing me to manage their account.
I have been using Home Assistant for four years and additional security has never been on my radar. Especially SAML. I can’t imagine how the average home with Home Assistant would ever need or use it.
I’m the same way, to be honest. I can see the usefulness of Role Based Access Control, which is actually required for this to work as expected for some of the use cases mentioned in the thread, but not the need for SSO/SAML.
SAML/OAuth would potentially be a MUCH safer way to allow 3rd party front ends to interact with the Home Assistant backend as well if there was a published API. Then you could authorize or deauthorize apps/integrations/frontends easily and those front ends would not need to directly handle any Home Assistant credentials.
I agree 100%, but this is WAY out of scope for the average HomeAssistant user.
Perhaps I am in a bubble, but what 3rd party front end could you be imagining?
There are a few projects on the go like a desktop HA notification client, I have seen others try and implement Apple TV apps, etc. There are a handful of custom front ends but none authenticate securely: they either need direct MQTT access on the local network or front the web page and pass credentials.
If you look at something like Plex, they have implemented single sign-on (they do it via their cloud, where I would prefer local). This allows apps like Tautulli to both securely connect with a token that can be seen and reset on the server, and to let you sign in with your Plex account without Tautulli actually having your credentials.
If you have a substantial amount of self hosted services, maybe Dropbox alternatives, calendar etc, then having a common auth provider that Home Assistant can leverage or be the provider for would be very handy.
My wife already hates using a password manager and always loves just being able to use ONE sign in for several apps. Same with my kids: they are getting older, and if Home Assistant started having actual permissions I would likely want sign ins for the whole family, which is just more passwords for everyone.
It’s funny how I was about to create an account in the HA community forum just to add something to this topic… I got greeted with a login screen, one of the options was Login with GitHub (SSO) which I used without hesitation.
Nevertheless, I just want to add that I volunteer at a Church/Worship center facility and I work mainly on the IT infrastructure. I was setting up HA for the electricians, who also volunteer, so that they have a way to automate stuff (link lights, blinds, windows, etc.).
We have a huge Infrastructure with more than 500 VMs running, mostly open-source stuff like mentioned in the above comments. Most of the exposed “Front-End” services have a Keycloak server as their Identity Provider and everyone volunteering uses 1 username and 1 password + TOTP and other MFA.
Personally, I understand some comments stating that for homelab/simple home use, it is pretty normal and standard not to have an identity/authorization management (IAM) solution.
But at the same time I was hoping to enable OIDC to challenge my Keycloak server for ID and auth, because we have people come and go, and having to create or disable a user account each time a technician needs one is very frustrating.
We have a lot of services running on the frontend and people really appreciate, and have got used to, being greeted with the Keycloak login page.
I want my wife and other family members to have access to HA. If I can throw a “Sign in with Google/Apple” button on the login page this becomes an easy proposition.
I would also really like this to be a thing. Having one login across all services would be orders of magnitude easier. And I also agree that it becomes far easier for family and others to get accounts if they can just use their already existing services to authenticate.
Replying to my own thread: using SAML / OAuth would also make it MUCH easier for Home Assistant to integrate with both partner devices and services as it is extremely common these days.
I.e., locally HA would need to provide SAML / OAuth for devices, and in the CLOUD SAML / OAuth would allow Home Assistant to be authenticated to the service without the HA server needing the user’s credentials stored in plain text as MANY integrations currently do.
The reason many integrations use user credentials is because that’s all those services support. Home Assistant DOES provide OAuth support for some, like many of those provided by Google, for example.
Lack of SSO is the only reason I’m not exposing my instance to the web. I want all of my services to be hidden behind a hardened authentik or authelia etc… frontend.
That so much of HA depends on being able to connect to the host network, coupled with the level of control it has over my smart devices etc… makes it a huge vulnerability.
So, removing host networking (separate issue), and SSO is essential for me. I currently have my reverse proxy redirect to authentik for authentication before being sent to HA, but SSO would be better still.
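As an added example of the reverse-proxy gate the post above describes (this is not the poster’s configuration or authentik’s or Home Assistant’s own code), here is an nginx server block that sends every request through authentik’s forward-auth check before proxying it to Home Assistant. The hostnames, the upstream ports and the outpost URL paths are assumptions for illustration.

```nginx
# Added example, not the poster's config: nginx gating Home Assistant behind
# authentik forward auth. Hostnames, ports and outpost paths are assumptions.
server {
    listen 443 ssl;
    server_name ha.example.internal;                # assumed hostname

    # Every request to HA is first checked with a subrequest to the outpost.
    # A 2xx lets the request through; a 401 redirects the browser to log in.
    location / {
        auth_request        /outpost.goauthentik.io/auth/nginx;   # assumed outpost path
        error_page          401 = @authentik_signin;

        proxy_pass          http://homeassistant:8123;            # assumed HA upstream
        proxy_http_version  1.1;
        proxy_set_header    Host $host;
        proxy_set_header    X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header    X-Forwarded-Proto $scheme;
        # The HA frontend and mobile apps talk over a websocket; pass the upgrade.
        proxy_set_header    Upgrade $http_upgrade;
        proxy_set_header    Connection "upgrade";
    }

    # Target of the auth subrequest. Only headers matter, so the body is dropped;
    # X-Original-URL tells the outpost which URL the user was trying to reach.
    location /outpost.goauthentik.io {
        proxy_pass              http://authentik:9000/outpost.goauthentik.io;  # assumed
        proxy_set_header        Host $host;
        proxy_set_header        X-Original-URL $scheme://$http_host$request_uri;
        proxy_set_header        Content-Length "";
        proxy_pass_request_body off;
    }

    # Unauthenticated requests are bounced to the authentik login flow and come
    # back to the originally requested URL afterwards.
    location @authentik_signin {
        internal;
        return 302 /outpost.goauthentik.io/start?rd=$scheme://$http_host$request_uri;
    }
}
```

Two things follow from this layout. Home Assistant only ever sees traffic that already passed the proxy, so its `http:` section in `configuration.yaml` needs `use_x_forwarded_for: true` and the proxy’s address in `trusted_proxies` for client IPs and its own login-attempt banning to work. And the gate sits in front of HA’s own login rather than replacing it: users still hold a Home Assistant account, and the mobile apps must carry the proxy’s session (or be routed around the gate), which is the native-app limitation mentioned earlier in the thread and the reason true SSO inside HA would be better still.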
Roboform is the only password manager I am familiar with. My wife loves it because there is only one password to remember. If Roboform recognizes a website it will populate the login credentials for you.
Interesting that I found out that this feature is required for the HA instance running in my parents’ home. They are struggling with properly managing all these accounts they have to manage; passwords constantly get lost/forgotten, and there is constantly a mess with all of that.
It would be great for them to have only one account in some external system (even not local, like Gmail), so they won’t have any issues using it for their home appliances as well.