Yes, I set up authentik and all my services already had accounts. Immich and Nextcloud included.
Selfhosted
A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.
I synced Immich to authentik post deployment no issue, but I believe my email matched. I don't recall if I had to configure my user account on top of the OAuth settings or not, I believe it was smart enough to link the same email to the account.
If you are using a VM style deployment you could run a snapshot of the immich server ahead of time then just rollback if it fails. That's what I do for all services when changing stuff.
I don't have Immich but Nextcloud is no problem. You just add a field to each user in authentik and it maps to the existing user.
Your top priority should be "Are my backups good? / Can I trivially roll back any breaking changes?" If an account oopsie can permanently compromise your users' photos, then you have bigger problems to worry about.
But assuming your backups are good, there isn't much to worry about. I recommend you don't take my word for it and thoroughly read the documentation of each of the services you want to put behind Authentik, but in general, when a service is configured to use SSO, if a user with the same ID already exists on the target service, they are simply merged. The most common ID for this is the email associated with that user on both Authentik and the service. Worst case, if the ID doesn't match, you either get an error saying the user is invalid or you get a new user created on the target service.
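The merge-by-matching-ID behaviour described above, written out as a small added model (this is example code, not authentik's, Immich's or Nextcloud's implementation): the claim names, the `oidc_subject` field and the rule that an unverified email claim is refused are assumptions of the example, chosen to show both the merge case and the "invalid user / new user" cases the post mentions.

```python
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class LocalUser:
    email: str
    name: str
    oidc_subject: Optional[str] = None  # set once the account is bound to an SSO identity


@dataclass
class LinkResult:
    action: str  # "linked", "already_linked", "created" or "rejected"
    user: Optional[LocalUser]


def normalize_email(email: str) -> str:
    # Matching is done on a canonical form so "Alice@Example.org" still merges.
    return email.strip().lower()


def link_sso_login(claims: dict, users: Dict[str, LocalUser], auto_create: bool) -> LinkResult:
    """Decide what a service does with an incoming SSO login.

    claims: constructed ID-token claims ('sub', 'email', 'email_verified', 'name').
    users:  existing local accounts keyed by normalized email.
    auto_create: whether the service provisions a new local user on no match.
    """
    # Assumption of this example: only a verified email may be used for matching,
    # otherwise an attacker-controlled claim could attach to someone else's account.
    if not claims.get("email_verified", False):
        return LinkResult("rejected", None)
    email = normalize_email(claims["email"])
    existing = users.get(email)
    if existing is None:
        if not auto_create:
            return LinkResult("rejected", None)  # the "user is invalid" outcome
        created = LocalUser(email, claims.get("name", email), claims["sub"])
        users[email] = created
        return LinkResult("created", created)  # the "new user created" outcome
    if existing.oidc_subject is None:
        existing.oidc_subject = claims["sub"]  # first SSO login: merge into the existing account
        return LinkResult("linked", existing)
    if existing.oidc_subject != claims["sub"]:
        return LinkResult("rejected", None)  # already bound to a different SSO identity
    return LinkResult("already_linked", existing)
```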
I implemented authentik for my Immich server just last week and I can confirm that Immich will merge the accounts as long as they have the same email address. My other services I had to configure to use email matching. Paperless-ngx needed an environment variable added to allow it, and Grafana I didn't even have a user created for myself, just used the default admin account.
Jellyfin doesn't support OIDC without a 3rd party plugin, so I haven't set that one up yet. I also don't use Nextcloud, so can't comment on that.
I don't think Immich supports turning a normal account into an SSO account, though it may be possible with manual database editing.