I use Pomerium! https://www.pomerium.com/docs

I use authelia. It’s pretty straight forward to get started with, I just use the yaml user file and a SQLite database for sessions. I’m running it in podman with auto updates enabled for the tag I’m using (can’t remember which tag, but not latest).

I then use their tutorials as a base for the systems I want to use oidc with (grafana, miniflux…), or just redirect traffic through my reverse proxy to services that lacks proper authentication (looking at you, *arr stack).

I use caddy and traefik for reverse proxy, and it’s very simple to use forward_auth and similar with it.

It took an evening to figure it out but it’s well worth it!

I’m using Authentik with openID or saml for all my sso. I don’t want to ever touch LDAP.

What I would dearly like is an SSO system that can also act as a drop-in replacement for Kerberos. Existing krb5 servers (on Linux) are ancient, quirky, and underdocumented, but kerberos is so useful at a CLI level. I’ve always maintained separate LDAP & Kerberos instances, and the thing stopping me from moving to something more modern is that I’m holding out for that kerberos feature…

Might not be quite what you want, but if you just need to block all access to everything unless logged in, then integrating a hosted SSO into your ingress is a simple, low management option.

I’ve been using an old trafeik setup with Google’s SSO, whitelisting certain accounts, and had no problems with it for years.