SSO Details The SSO is handled by Authelia , and a lot of my configs are based on this page . It was pretty difficult to get this going, but now that it is I will give an overview of how it works. It is integrated with the proxy server so that when SSO protected domains are requested my proxy server hands the request off to Authelia for authentication. Authelia sets a cookie when you first log in, so if you've already logged in somewhere, it will just pass you through to the website. I also was able to cobble together OIDC integration with Authelia, and that is integrated with my audiobook site as well as this book stack site.  Here's a diagram of how the proxy, SSO, and containers interact. The  site items with ovals are the docker containers with open ports that the proxy server would normally forward unfettered. On sites that need SSO, I add a big pile of code to the custom part of the NPM site config that tells it to finish up with Authelia. Then, Authelia does it's stuff based on the config file. The  nope in the oval is the  forbidden page that you see when you are logged into SSO and try to access a site that Authelia says  nope to.  Here is Authelia's diagram of how they do stuff Here is my diagram of how it works on Matt-Cloud. For the terribly curious, here is a stripped out docker-compose.yaml and configuration.yml for authelia and the nginx configs. docker-compose.yaml services: authelia: container_name: authelia image: 'authelia/authelia' restart: always network_mode: bridge ports: - 9091:9091 volumes: - ./authelia-config:/config - ./authelia-secrets:/secrets authelia-redis: container_name: authelia-redis image: bitnami/redis:latest volumes: - ./authelia-redis:/bitnami/ environment: REDIS_PASSWORD: "lolwtfbbqlolwtfbbq" restart: always network_mode: bridge ports: - 6379:6379 authelia-db: image: postgres container_name: authelia-db restart: always network_mode: bridge volumes: - ./authelia-db:/var/lib/postgresql/data environment: POSTGRES_DB: authelia POSTGRES_USER: authelia POSTGRES_PASSWORD: lolwtfbbqlolwtfbbq ports: - 5432:5432   configuration.yml --- ############################################################################### # Authelia Configuration # ############################################################################### theme: dark jwt_secret: "lolwtfbbqlolwtfbbq" default_redirection_url: https://auth.domain.com/ server: host: 0.0.0.0 port: 9091 disable_healthcheck: false log: level: info totp: disable: false issuer: 'auth.domain.com' algorithm: 'sha1' digits: 6 period: 30 skew: 1 secret_size: 32 allowed_algorithms: - 'SHA1' allowed_digits: - 6 allowed_periods: - 30 disable_reuse_security_policy: false authentication_backend: ldap: address: 'ldap://pdc.domain.local:389' implementation: 'activedirectory' base_dn: 'OU=users,DC=domain,DC=local' users_filter: (&(|({username_attribute}={input})({mail_attribute}={input}))(objectCategory=person)(objectClass=user)(!userAccountControl:1.2.840.113556.1.4.803:=2)(!pwdLastSet=0)) groups_filter: (&(member:1.2.840.113556.1.4.1941:={dn})(objectClass=group)(objectCategory=group)) group_name_attribute: cn mail_attribute: mail display_name_attribute: displayname user: 'CN=LDAP Service,OU=Service,OU=users,DC=domain,DC=local' password: 'lolwtfbbq' disable_reset_password: true access_control: ## just some simple example rules default_policy: deny rules: ## bypass rule - domain: - "auth.domain.com" policy: bypass - domain: - "*.domain.com" resources: - "^/api([/?].*)?$" policy: bypass ## 2fa domain - domain: - "2fa.domain.com" policy: two_factor subject: - "group:2FA-Users" # Normal protection - domain: - "secure.domain.com" policy: one_factor subject: "group:secure-users" session: name: authelia_session domain: domain.com same_site: lax secret: "lolwtfbbqlolwtfbbq" expiration: 30d inactivity: 1d remember_me_duration: 6M redis: host: 0.0.0.0 port: 6379 password: "lolwtfbbqlolwtfbbq" database_index: 0 maximum_active_connections: 10 minimum_idle_connections: 0 regulation: max_retries: 3 find_time: 10m ban_time: 12h storage: encryption_key: 'lolwtfbbqlolwtfbbq' postgres: address: 'tcp://0.0.0.0:5432' database: 'authelia' schema: 'public' username: 'authelia' password: 'lolwtfbbqlolwtfbbq' notifier: disable_startup_check: false smtp: username: authelia@domain.com password: "lolwtfbbqlolwtfbbq" host: mail.domain.com port: 587 sender: authelia@domain.com identifier: authelia.domain.local subject: "[Authelia] {title}" startup_check_address: user@domain.com disable_require_tls: false disable_html_emails: true tls: skip_verify: false minimum_version: TLS1.2 identity_providers: oidc: hmac_secret: lolwtfbbqlolwtfbbq # provide secure secret issuer_certificate_chain: | -----BEGIN CERTIFICATE----- lolwtfbbqlolwtfbbq lolwtfbbqlolwtfbbq lolwtfbbqlolwtfbbq lolwtfbbqlolwtfbbq lolwtfbbqlolwtfbbq lolwtfbbqlolwtfbbq lolwtfbbqlolwtfbbq lolwtfbbqlolwtfbbq lolwtfbbqlolwtfbbq lolwtfbbqlolwtfbbq -----END CERTIFICATE----- issuer_private_key: | -----BEGIN PRIVATE KEY----- lolwtfbbqlolwtfbbq lolwtfbbqlolwtfbbq lolwtfbbqlolwtfbbq lolwtfbbqlolwtfbbq lolwtfbbqlolwtfbbq lolwtfbbqlolwtfbbq lolwtfbbqlolwtfbbq lolwtfbbqlolwtfbbq lolwtfbbqlolwtfbbq lolwtfbbqlolwtfbbq -----END PRIVATE KEY----- access_token_lifespan: 1h authorize_code_lifespan: 1m id_token_lifespan: 1h refresh_token_lifespan: 90m enable_client_debug_messages: false enforce_pkce: public_clients_only cors: endpoints: - authorization - token - revocation - introspection allowed_origins: - https://*.domain.com # adjust to your url allowed_origins_from_client_redirect_uris: false clients: - id: domain-oidc description: domain secret: 'lolwtfbbqlolwtfbbq' # provide secure secret sector_identifier: 'auth.domain.com' public: false authorization_policy: one_factor # may use two_factor to enforce 2FA consent_mode: implicit pre_configured_consent_duration: 6m audience: [] scopes: - openid - groups - email - profile redirect_uris: # adjust to your domains - https://auth.domain.com/ - https://auth.domain.com/oauth2/callback - https://audiobooks.domain.com/oauth2/callback - https://audiobooks.domain.com/auth/login - https://audiobooks.domain.com/user-settings - https://audiobooks.domain.com - https://audiobooks.domain.com/auth/openid/callback grant_types: - refresh_token - authorization_code - implicit response_types: - code - id_token response_modes: - form_post - query - fragment userinfo_signing_algorithm: none nginx-server location / { set $upstream_authelia http://172.17.0.1:9091; # This example assumes a Docker deployment proxy_pass $upstream_authelia; client_body_buffer_size 128k; #Timeout if the real server is dead proxy_next_upstream error timeout invalid_header http_500 http_502 http_503; # Advanced Proxy Config send_timeout 5m; proxy_read_timeout 360; proxy_send_timeout 360; proxy_connect_timeout 360; # Basic Proxy Config proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Forwarded-Host $http_host; proxy_set_header X-Forwarded-Uri $request_uri; proxy_set_header X-Forwarded-Ssl on; proxy_redirect http:// $scheme://; proxy_http_version 1.1; proxy_set_header Connection ""; proxy_cache_bypass $cookie_session; proxy_no_cache $cookie_session; proxy_buffers 64 256k; # If behind a reverse proxy, forwards the correct IP, assumes you're using Cloudflare. Adjust IP for your Docker network. set_real_ip_from 172.17.0.0/16; set_real_ip_from 10.0.0.0/8; real_ip_header X-Forwarded-For; real_ip_recursive on; } nginx-client location /authelia { internal; set $upstream_authelia http://0.0.0.0:9091/api/verify; proxy_pass_request_body off; proxy_pass $upstream_authelia; proxy_set_header Content-Length ""; # Timeout if the real server is dead proxy_next_upstream error timeout invalid_header http_500 http_502 http_503; client_body_buffer_size 128k; proxy_set_header Host $host; proxy_set_header X-Original-URL $scheme://$http_host$request_uri; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $remote_addr; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Forwarded-Host $http_host; proxy_set_header X-Forwarded-Uri $request_uri; proxy_set_header X-Forwarded-Ssl on; proxy_redirect http:// $scheme://; proxy_http_version 1.1; proxy_set_header Connection ""; proxy_cache_bypass $cookie_session; proxy_no_cache $cookie_session; proxy_buffers 4 32k; send_timeout 5m; proxy_read_timeout 240; proxy_send_timeout 240; proxy_connect_timeout 240; } location / { set $upstream_app $forward_scheme://$server:$port; proxy_pass $upstream_app; auth_request /authelia; auth_request_set $target_url https://$http_host$request_uri; auth_request_set $user $upstream_http_remote_user; auth_request_set $email $upstream_http_remote_email; auth_request_set $groups $upstream_http_remote_groups; proxy_set_header Remote-User $user; proxy_set_header Remote-Email $email; proxy_set_header Remote-Groups $groups; error_page 401 =302 https://auth.domain.com/?rd=$target_url; client_body_buffer_size 128k; proxy_next_upstream error timeout invalid_header http_500 http_502 http_503; send_timeout 5m; proxy_read_timeout 360; proxy_send_timeout 360; proxy_connect_timeout 360; proxy_set_header Host $host; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection upgrade; proxy_set_header Accept-Encoding gzip; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Forwarded-Host $http_host; proxy_set_header X-Forwarded-Uri $request_uri; proxy_set_header X-Forwarded-Ssl on; proxy_redirect http:// $scheme://; proxy_http_version 1.1; proxy_set_header Connection ""; proxy_cache_bypass $cookie_session; proxy_no_cache $cookie_session; proxy_buffers 64 256k; set_real_ip_from 172.17.0.0/16; set_real_ip_from 10.0.0.0/8; real_ip_header X-Forwarded-For; real_ip_recursive on; }