
Single Sign On with Authelia

I built an SSO system to protect some of my more sensitive sites and to give them a consistent login experience. Now that I've done the hard work of getting it working, it's fairly easy for me to do things like put a knowledgebase site behind an SSO login.

The SSO login is https://auth.matt-cloud.com/, and this is also where you manage your multi-factor methods. There is no other user-visible functionality there, but it's worth mentioning.

The platform is called Authelia, and I have it running in a Docker container like everything else these days.

Authelia Login Page

There isn't much visible to you as the user aside from the initial Authelia login page and the two-factor prompt. Authelia sets a session cookie in your browser for the Matt-Cloud domain and is able to carry your login between the different Matt-Cloud services, just like Google can go from Mail to Drive and so on without you needing to log in again each time. Authelia's user back-end is my Microsoft Active Directory domain, so I can use the groups in AD to manage per-site permissions in Authelia. For you to manage your two-factor options in Authelia you need a valid email address in Matt-Cloud: during two-factor device registration the service sends a code to the email address stored for you in AD. You can see your current email address on the SSPR under your My Account page at the top. If it's missing or wrong, let me know and I'll fix it up; I still haven't figured out how to let you manage your own email addresses.


I did notice a potential issue that popped up with my Tesla email address at first. Along with the code to verify your email, the message had a button you could click to invalidate the code so it can't be used; the idea is that if your account is compromised, you get a chance to stop an attacker's email challenge from succeeding. It seems that if the receiving mail server follows links as part of its spam filtering, the code is invalidated before it can be used, every time. I saw this happening with a test account that sent its codes to my tesla.com address. I think I've found a way around it by configuring the emails to be text-only; that way there is no button for the spam filter to click (the trade-off is that the one-click revoke goes away along with it). I tested again with my Tesla address, and this time I was able to proceed past entering the code. TL/DR: there was a bug with Tesla email accounts that I think shouldn't happen anymore.
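To make the pieces described above concrete, here is an added, trimmed Authelia configuration.yml that wires together an Active Directory back-end, a session cookie scoped to the parent domain, per-site access rules keyed on AD groups, and the text-only notifier emails mentioned in the Tesla story. This is example configuration written for this page, not the author's actual config: every host name, DN, group name, service account and domain is a placeholder, and the keys follow the Authelia 4.37-era schema (4.38 and later moved session.domain into a session.cookies list and changed the SMTP address keys).

```yaml
# Added example configuration.yml (not the author's real config).
# All host names, DNs, group names and secrets below are placeholders.
# Schema assumed: Authelia 4.37; check the docs for your version.

server:
  host: 0.0.0.0
  port: 9091

jwt_secret: "replace-me"          # placeholder; use AUTHELIA_JWT_SECRET_FILE in practice

storage:
  encryption_key: "replace-me"    # placeholder; use AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE
  local:
    path: /config/db.sqlite3

# Users, group membership and email addresses come from Active Directory over LDAPS.
authentication_backend:
  password_reset:
    disable: true                 # passwords live in AD / SSPR, not in Authelia
  ldap:
    implementation: activedirectory
    url: ldaps://dc01.ad.example.internal
    base_dn: dc=ad,dc=example,dc=internal
    additional_users_dn: ou=Users
    additional_groups_dn: ou=Groups
    user: cn=svc-authelia,ou=Service Accounts,dc=ad,dc=example,dc=internal
    password: "replace-me"        # placeholder; use AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE

# One session cookie on the parent domain is what lets a login on auth.example.com
# carry over to guac.example.com, kb.example.com and any other sub-site.
session:
  name: authelia_session
  domain: example.com
  secret: "replace-me"            # placeholder; use AUTHELIA_SESSION_SECRET_FILE
  expiration: 1h
  inactivity: 15m
  remember_me_duration: 1M

# Deny by default, then grant per site by AD group. "group:" subjects match the
# CN of groups returned by the LDAP groups filter, spaces included.
access_control:
  default_policy: deny
  rules:
    - domain: guac.example.com
      policy: two_factor          # sensitive site: password + second factor
      subject:
        - "group:Guacamole Users"
    - domain: kb.example.com
      policy: one_factor          # low-risk site: password only
      subject:
        - "group:Domain Users"

# Mail used for 2FA device registration and identity-verification codes.
notifier:
  smtp:
    host: smtp.example.com
    port: 587
    username: authelia@example.com
    password: "replace-me"        # placeholder; use AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE
    sender: "Authelia <authelia@example.com>"
    # Plain-text mail has no revoke button for a link-scanning mail gateway to
    # click, at the cost of losing that one-click revoke for the user.
    disable_html_emails: true
```

A quick way to check the group-to-site mapping before exposing anything is to log in as a test user who is in "Domain Users" but not "Guacamole Users": kb.example.com should open after the password, while guac.example.com should return Authelia's 403 page rather than a 2FA prompt, confirming the default-deny plus group rule is doing the work rather than the second factor alone.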