SSO across multiple domains with short URLs – best approach?

What type of hardware are you using: VPS bought online
What YunoHost version are you running: 12.1.15.1
How are you able to access your server: The webadmin, SSH
Are you in a special context or did you perform specific tweaking on your YunoHost instance?: no, no tweaking, just perhaps not the typical DNS setup

Describe your issue

I want users to log in once and access all apps (true SSO) while keeping short, user‑friendly URLs like pad.mydomain.com instead of pad.apps.mydomain.com. I understand the usual/recommended way is to put everything under one parent (e.g., wiki.apps.mydomain.com, pad.apps.mydomain.com) but I don’t like that URL scheme and would prefer to keep the short domains. Currently, users must log in again per domain, which degrades the experience.

Context

  • I can’t use the apex mydomain.com in YunoHost because it hosts a separate main website elsewhere
  • Current public URLs:
    • apps.mydomain.com → portal (default)
    • wiki.mydomain.com → Wiki.js
    • pad.mydomain.com → HedgeDoc
  • Goal: working SSO across all apps while keeping short URLs like pad.mydomain.com and also working SSL certificates

Expected vs actual

  • Expected: Logging in at apps.mydomain.com should seamlessly authenticate wiki.mydomain.com and pad.mydomain.com
  • Actual: Each domain prompts for a separate login

What I understand so far

  • Cookie scope: Browser cookies are only shared within the same parent domain; YunoHost’s built‑in SSO works when all apps live under one parent like *.yunohost.mydomain.com
  • Redirects: 301/302 to a shared parent domain enable SSO but change the address bar to the canonical subdomain
  • Reverse proxy: Can keep pad.mydomain.com visible, but doesn’t solve cross‑base‑domain cookie sharing for SSO
  • External IdP: Using Keycloak/Authentik (OIDC/SAML) could provide cross‑domain SSO, but it’s more complex and not built‑in

Questions

  1. Is there any official/built‑in way in YunoHost to keep vanity domains like pad.mydomain.com in the address bar and still benefit from SSO without moving everything under one parent domain?
  2. If not, what is the recommended approach?

Steps to reproduce

  1. Portal on apps.mydomain.com
  2. Apps on wiki.mydomain.com and pad.mydomain.com
  3. Log in at the portal; opening each app prompts another login

Thank you in advance for any guidance or best‑practice recommendations. Your help is much appreciated!

Share relevant logs or error messages

no relevant logs for this kind of problem

1 Like

Hi,

You can see your request is on the roadmap:

I can say that there are 4 main priorities currently:

  • trixie migration
  • packaging v3
  • oidc support (authelia replacing ssowat)
  • portal on subdomain and auth on crossdomain

So no, currently we do not have a good mechanism if your main website is external and your services are hosted on subdomains. An easy workaround is to move the services onto another domain (for example xxx.mydomain.net if your website is mydomain.com).
