Integrate with Emby
Support level: Community
What is Emby?
Emby is a media management and streaming platform for movies, TV shows, and music that allows you to organize and stream your personal media collection.
Preparation
The following placeholders are used in this guide:
emby.companyis the FQDN of the Emby installation.authentik.companyis the FQDN of the authentik installation.ldap.companyis the FQDN of the LDAP outpost.dc=company,dc=comis the Base DN of the LDAP provider.
An Emby Premiere subscription is required to use the official LDAP Authentication plugin.
This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application.
authentik configuration
To support the integration of Emby with authentik, you need to create an LDAP application/provider pair in authentik, create a service account, and expose the provider through an LDAP outpost.
Create an LDAP application, provider, and outpost in authentik
Follow the LDAP provider setup to create the LDAP application, provider, service account, and outpost.
Complete the service account creation and LDAP search permission steps for the account Emby uses to connect to LDAP.
When configuring the LDAP provider, set the following required settings:
- Base DN:
dc=company,dc=com - Certificate: select the certificate that Emby should trust for LDAPS.
- TLS Server Name:
ldap.company
If access to the authentik LDAP application is restricted, allow the LDAP service account access via the application's policy, group, or user bindings.
Create an Emby access group
- Log in to authentik as an administrator and open the authentik Admin interface.
- Navigate to Directory > Groups.
- Click Create, set Name to
emby_users, and click Create. - Open the new group, click the Users tab, and click Add existing user to add the users who should have access to Emby.
Emby configuration
-
Log in to Emby as an administrator.
-
Click the cog icon in the upper-right corner to access the dashboard settings.
-
Navigate to the Plugins section and click Catalog at the top of the page.
-
Find and install the LDAP Authentication plugin. Restart Emby if prompted to complete the installation.
-
After installation, return to the plugins section and click the LDAP Authentication plugin to open its settings.
-
Configure the LDAP settings as follows:
- LDAP server address:
ldap.company - LDAP server Port number:
636 - Enable SSL: checked
- SSL certificate thumbprint (SHA1): paste the SHA1 fingerprint of the certificate selected on the LDAP provider. This value is shown in authentik under System > Certificates.
- Bind DN:
cn=ldap_service_account,ou=users,dc=company,dc=com - Bind credentials: enter the password for the LDAP service account.
- User search base:
dc=company,dc=com - User Search Filter:
(&(sAMAccountName={0})(memberOf=cn=emby_users,ou=groups,dc=company,dc=com))- To allow all users that the LDAP provider exposes, use
(&(objectClass=user)(sAMAccountName={0})).
- To allow all users that the LDAP provider exposes, use
- LDAP server address:
-
Click Save to apply your configuration.
Emby administrators sign in with Emby authentication instead of LDAP. Keep a local Emby administrator account available so you can access the server if LDAP is unavailable.
Configuration verification
To confirm that authentik is properly configured with Emby, open Emby, log out, and log back in using an authentik username and password. Logging in with an email address isn't supported, so use the username value from authentik.
If login fails, verify the LDAP search filter and check the Emby server logs for LDAP authentication errors.