This repository was archived by the owner on Oct 23, 2025. It is now read-only.

traefik security solution if you expose home assistant twice: one with SSO and one without #304

@intriguedlife


Just a helpful tip:

Let's say that you want to use SSO for Home Assistant in the browser, but you also want to be able to use the Home Assistant app on your phone (that does not work with SSO). The logical solution is to expose two Home Assistant endpoints: once with SSO and once without.

The issue with this addon is that if there is no SSO in front of Home Assistant and you expose both endpoints with the same proxy, then anyone can insert the 'Remote-User' (or equivalent) header and be logged in without any password.

If you use traefik you can use a middleware to remove the 'Remote-User' (or equivalent) header from requests sent to one of the exposed Home Assistant endpoints.

Docker compose labels:

  • traefik.http.routers.homeassistantmobile.middlewares=removeheader
  • traefik.http.middlewares.removeheader.headers.customrequestheaders.Remote-User=

'homeassistantmobile' is the name of my traefik router without SSO.
'removeheader' is the name that I chose for the middleware.

Hope this helps someone.
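A fuller compose fragment that shows the two routers side by side, as an added example rather than the reporter's own configuration; the hostnames, the SSO verification address, the service name and the port are assumed placeholders:

```yaml
# Added illustration; not part of the issue's own snippet. Hostnames, the
# SSO verify URL and the service name are placeholders.
services:
  homeassistant:
    image: ghcr.io/home-assistant/home-assistant:stable
    labels:
      - traefik.enable=true
      - traefik.http.services.ha.loadbalancer.server.port=8123

      # Browser endpoint: SSO in front. The forwardAuth middleware asks the
      # SSO provider to verify the session and copies the Remote-User header
      # from the provider's response onto the request sent to Home Assistant.
      - traefik.http.routers.homeassistant.rule=Host(`ha.example.internal`)
      - traefik.http.routers.homeassistant.entrypoints=websecure
      - traefik.http.routers.homeassistant.tls=true
      - traefik.http.routers.homeassistant.middlewares=sso
      - traefik.http.middlewares.sso.forwardauth.address=http://sso-proxy:9000/verify
      - traefik.http.middlewares.sso.forwardauth.authResponseHeaders=Remote-User

      # Mobile endpoint: no SSO, so a client-supplied Remote-User must never
      # reach Home Assistant. An empty value in customrequestheaders makes
      # Traefik drop that header before proxying.
      - traefik.http.routers.homeassistantmobile.rule=Host(`ha-mobile.example.internal`)
      - traefik.http.routers.homeassistantmobile.entrypoints=websecure
      - traefik.http.routers.homeassistantmobile.tls=true
      - traefik.http.routers.homeassistantmobile.middlewares=removeheader
      - traefik.http.middlewares.removeheader.headers.customrequestheaders.Remote-User=
```

If the addon is configured to trust a different header name, add a second `customrequestheaders.<Name>=` label with an empty value for that header as well.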
