Identity-Aware Access
SSO, OIDC, and per-service authentication policies — control exactly who can reach each service through your tunnel.
Prerequisites: Completed Part 1, running Pangolin instance
Time: ~45–60 minutes
Covers: SSO with OIDC, per-service auth policies, 2FA
In Part 1, we established an encrypted WireGuard tunnel from a RamNode VPS to your home network using Pangolin and Newt. Traffic is now encrypted in transit, but anyone who discovers your subdomain can still attempt to access your services. That's where Pangolin's built-in identity and access control layer comes in.
Unlike traditional setups that require bolting on a separate authentication proxy like Authelia or OAuth2 Proxy, Pangolin includes centralized SSO with role-based access control out of the box. In this guide, we'll configure Pangolin's built-in authentication, connect an external identity provider via OpenID Connect, create granular per-service access policies, and enable two-factor authentication.
How Pangolin Authentication Works
Pangolin operates as an identity-aware proxy. Every request that arrives at your VPS hits Traefik first, which routes it to Pangolin's auth middleware before forwarding to the backend service. This means authentication happens at the edge, before traffic ever enters the WireGuard tunnel to your home network.
Pangolin supports three authentication modes for each resource you expose:
| Mode | Behavior | Best For |
|---|---|---|
| Platform SSO | Requires login to the Pangolin platform before accessing the resource | Private apps (admin panels, file managers) |
| Public | No authentication required; the resource is open to anyone | Public websites, blogs, landing pages |
| Shareable Links | Time-limited or usage-limited URLs that bypass normal auth | Temporary access for guests or contractors |
Step 1: Configure Built-in Authentication
Pangolin's built-in auth system is active by default after installation. Let's verify and strengthen it.
Enable Two-Factor Authentication
The admin account created during installation should immediately have 2FA enabled:
- Log in to the Pangolin dashboard at https://pangolin.yourdomain.com.
- Click your username in the top-right corner and select Account Settings.
- Under Two-Factor Authentication, click Enable.
- Scan the QR code with your authenticator app (Authy, Google Authenticator, Bitwarden, etc.).
- Enter the verification code and save the backup codes in your password manager.
Critical: Store backup codes securely. If you lose your 2FA device and backup codes, you'll need to manually edit the Pangolin database to recover access.
Create Additional Users
Avoid sharing the admin account. Create individual accounts for each person who needs access:
- Navigate to Access Control → Users in the left sidebar.
- Click Add User.
- Choose Internal User for accounts managed by Pangolin, or External User if you're connecting an identity provider (covered next).
- Assign a role: Admin (full control) or Member (access to assigned resources only).
Step 2: Connect an External Identity Provider (OIDC)
For a true SSO experience, connect Pangolin to an OpenID Connect provider. This lets users log in with their existing accounts from Google, Microsoft, or a self-hosted provider like Pocket ID or Authentik.
Pangolin supports any OIDC-compliant provider, plus dedicated integrations for Google Workspace and Microsoft Entra ID. Below, we'll walk through the setup with Pocket ID (a lightweight, self-hosted option popular with homelabbers) and then note the differences for Google.
Option A: Pocket ID (Self-Hosted OIDC)
Pocket ID is a minimalist identity provider that supports passkeys and OIDC. If you're already running it, integration takes just a few minutes.
In Pocket ID:
- Navigate to Administration → OIDC Clients.
- Click Add OIDC Client and name it "Pangolin".
- Note the auto-generated Client ID and Client Secret. Leave the Callback URL blank for now.
In Pangolin:
- Navigate to Server Admin → Identity Providers.
- Click Add Identity Provider.
- Fill in the OIDC configuration:

| Field | Value |
|---|---|
| Name | Pocket ID |
| Client ID | (from Pocket ID) |
| Client Secret | (from Pocket ID) |
| Authorization URL | https://pocketid.yourdomain.com/authorize |
| Token URL | https://pocketid.yourdomain.com/api/oidc/token |
| Userinfo URL | https://pocketid.yourdomain.com/api/oidc/userinfo |
| Identifier Path | preferred_username |

- Click Create Identity Provider.
- Copy the Redirect URI shown in the General tab.
Back in Pocket ID:
- Edit the Pangolin OIDC client and paste the Redirect URI into Callback URLs.
- Save your changes.
Auto Provision
Enable the "Auto Provision Users" option in Pangolin's identity provider settings. This automatically creates a Pangolin user account the first time someone logs in through your OIDC provider, eliminating the need to manually pre-create every user.
Option B: Google Workspace
If your household or team uses Google accounts, Pangolin's dedicated Google integration simplifies the setup:
- In the Google Cloud Console, create an OAuth 2.0 Client ID under APIs & Services → Credentials.
- Set the authorized redirect URI to the one Pangolin provides after you start the identity provider setup.
- In Pangolin, select Google as the provider type and enter your Client ID and Client Secret.
The same process applies to Microsoft Entra ID, Authentik, Authelia, Keycloak, and any other OIDC-compliant provider. Pangolin's generic OIDC configuration accepts Authorization URL, Token URL, and Userinfo URL from any provider.
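Every OIDC-compliant provider publishes the three URLs the generic form asks for in its discovery document at `https://<issuer>/.well-known/openid-configuration`, so you can read them from there instead of typing them by hand and catch a typo before it becomes a broken login. The following script is an added example for this guide, not Pangolin's or Pocket ID's code: it maps a discovery document onto the Authorization URL, Token URL and Userinfo URL fields, and flags endpoints that are not HTTPS, endpoints on a different host than the issuer, and a provider that does not advertise the claim you chose as Identifier Path. The embedded discovery document is a constructed sample modelled on the Pocket ID URLs in the table above; the hostnames and the `claims_supported` list are placeholders.

```python
"""
Read an OIDC provider's discovery document and print the three endpoint URLs
that Pangolin's generic identity-provider form needs, with sanity checks.

Added example for this guide; not Pangolin's or Pocket ID's code.
Run with an issuer URL to query a live provider, or with no arguments to
use the constructed sample below.
"""
import json
import sys
import urllib.request
from urllib.parse import urlparse

DISCOVERY_PATH = "/.well-known/openid-configuration"

# Constructed sample, modelled on the Pocket ID URLs in the guide's table.
# Real providers publish their own document at <issuer>/.well-known/openid-configuration.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://pocketid.yourdomain.com",
    "authorization_endpoint": "https://pocketid.yourdomain.com/authorize",
    "token_endpoint": "https://pocketid.yourdomain.com/api/oidc/token",
    "userinfo_endpoint": "https://pocketid.yourdomain.com/api/oidc/userinfo",
    "jwks_uri": "https://pocketid.yourdomain.com/.well-known/jwks.json",
    "claims_supported": ["sub", "email", "preferred_username", "name"],
    "scopes_supported": ["openid", "profile", "email"],
})

# The claim used as Pangolin's "Identifier Path"; it must be unique and stable per user.
IDENTIFIER_CLAIM = "preferred_username"


def load_sample() -> dict:
    """Parse the constructed sample document (used for offline runs)."""
    return json.loads(SAMPLE_DISCOVERY)


def fetch_discovery(issuer: str, timeout: float = 10.0) -> dict:
    """Download a live provider's discovery document (network access required)."""
    url = issuer.rstrip("/") + DISCOVERY_PATH
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return json.load(resp)


def pangolin_oidc_settings(discovery: dict) -> dict:
    """Map discovery fields onto the fields in Pangolin's identity-provider form."""
    return {
        "Authorization URL": discovery["authorization_endpoint"],
        "Token URL": discovery["token_endpoint"],
        "Userinfo URL": discovery["userinfo_endpoint"],
    }


def check_settings(discovery: dict, settings: dict,
                   identifier_claim: str = IDENTIFIER_CLAIM) -> list:
    """Return a list of problems; an empty list means the values are safe to paste."""
    problems = []
    issuer_host = urlparse(discovery.get("issuer", "")).hostname
    for label, url in settings.items():
        parsed = urlparse(url)
        if parsed.scheme != "https":
            problems.append(f"{label} is not HTTPS: {url}")
        # Endpoints on another host than the issuer usually mean a mis-pasted
        # or tampered document; the client secret would be sent there.
        if parsed.hostname != issuer_host:
            problems.append(f"{label} host {parsed.hostname!r} != issuer host {issuer_host!r}")
    supported = discovery.get("claims_supported")
    if supported is not None and identifier_claim not in supported:
        problems.append(f"identifier claim {identifier_claim!r} not in claims_supported")
    if "openid" not in discovery.get("scopes_supported", ["openid"]):
        problems.append("provider does not advertise the 'openid' scope")
    return problems


if __name__ == "__main__":
    doc = fetch_discovery(sys.argv[1]) if len(sys.argv) > 1 else load_sample()
    settings = pangolin_oidc_settings(doc)
    for label, url in settings.items():
        print(f"{label:18} {url}")
    for problem in check_settings(doc, settings):
        print("WARNING:", problem)
```

Run it as `python oidc_discovery.py https://pocketid.yourdomain.com` against your own provider; paste the three printed URLs into the form only if no WARNING lines appear. If your provider does not list `preferred_username` under `claims_supported`, pick a claim it does guarantee (typically `sub` or `email`) as the Identifier Path, because an identifier that changes or collides would let one account take over another's Pangolin user.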
Step 3: Configure Per-Service Auth Policies
The real power of Pangolin's identity layer is the ability to set different access policies per resource. Not every service needs the same level of protection.
Example Access Policy Matrix
| Service | Auth Mode | Who Can Access | Rationale |
|---|---|---|---|
| Home Assistant | Platform SSO | Admin only | Full home control; highest trust required |
| Jellyfin | Platform SSO | All members | Media streaming for the household |
| Nextcloud | Platform SSO | All members | File sync and collaboration |
| Blog / Static Site | Public | Everyone | No sensitive data |
| Vaultwarden | Platform SSO | Admin only | Password manager; maximum security |
| Guest Share | Shareable Link | Link holders (time-limited) | Temporary file access for visitors |
Setting Auth on a Resource
For each resource in the Pangolin dashboard:
- Navigate to Resources and select the resource.
- Under Authentication, toggle Use Platform SSO on or off.
- When SSO is enabled, only users who are logged into Pangolin and have been granted access to that specific resource (directly or through their role) can reach it; a valid Pangolin session alone is not enough.
- For resources that should be publicly accessible, leave SSO disabled.
Shareable Links for Guest Access
Pangolin's shareable links feature is a zero-trust alternative to handing out VPN credentials. You can generate a link that:
- Expires after a set time (hours, days, or a specific date).
- Is limited to a specific number of uses.
- Can be revoked instantly from the dashboard.
This is ideal for sharing a Jellyfin library with a friend for the weekend, giving a contractor temporary access to an internal tool, or sharing a Nextcloud folder without creating a full user account.
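To make the policy matrix and the shareable-link constraints concrete, here is a small model of the decision an identity-aware proxy makes for each request. It is an added example for this guide, not Pangolin's implementation: the resource list is the example matrix above, the users and the link record are constructed, and the per-resource `require_mfa` flag is a modelling choice (in this guide 2FA is enforced at Pangolin login, not per resource). The point it shows is default deny, plus the ordering of the link checks: revoked, then expired, then use limit, with a use counted only when access is actually granted.

```python
"""
Model of per-resource access decisions for the policy matrix in this guide.
Added example; not Pangolin's code. Resources, users and links are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Auth modes from the table at the top of this guide.
PLATFORM_SSO, PUBLIC, SHAREABLE_LINK = "platform_sso", "public", "shareable_link"


@dataclass
class User:
    name: str
    role: str                    # "admin" or "member"
    mfa_verified: bool = False   # second factor completed at login


@dataclass
class ShareLink:
    token: str
    resource: str
    expires_at: datetime
    max_uses: Optional[int] = None   # None = unlimited
    uses: int = 0
    revoked: bool = False


@dataclass
class Resource:
    name: str
    mode: str
    allowed_roles: set = field(default_factory=set)  # empty set: nobody via SSO
    require_mfa: bool = False    # modelling assumption, see lead-in


# Constructed from the example access policy matrix above.
RESOURCES = {
    "home-assistant": Resource("home-assistant", PLATFORM_SSO, {"admin"}, require_mfa=True),
    "jellyfin":       Resource("jellyfin", PLATFORM_SSO, {"admin", "member"}),
    "nextcloud":      Resource("nextcloud", PLATFORM_SSO, {"admin", "member"}),
    "blog":           Resource("blog", PUBLIC),
    "vaultwarden":    Resource("vaultwarden", PLATFORM_SSO, {"admin"}, require_mfa=True),
    "guest-share":    Resource("guest-share", SHAREABLE_LINK),
}


def decide(resource_name: str, user: Optional[User] = None,
           link: Optional[ShareLink] = None, now: Optional[datetime] = None) -> tuple:
    """Return (allowed, reason). Anything not explicitly granted is denied."""
    now = now or datetime.now(timezone.utc)
    res = RESOURCES.get(resource_name)
    if res is None:
        return False, "unknown resource"
    if res.mode == PUBLIC:
        return True, "public resource"
    if res.mode == SHAREABLE_LINK:
        if link is None or link.resource != resource_name:
            return False, "link required for this resource"
        if link.revoked:
            return False, "link revoked"
        if now >= link.expires_at:
            return False, "link expired"
        if link.max_uses is not None and link.uses >= link.max_uses:
            return False, "link use limit reached"
        link.uses += 1           # count a use only when access is granted
        return True, f"link ok ({link.uses}/{link.max_uses or 'unlimited'} uses)"
    # PLATFORM_SSO: need a session, a granted role, and (if required) a second factor
    if user is None:
        return False, "redirect to login"
    if user.role not in res.allowed_roles:
        return False, f"role {user.role!r} not granted on {resource_name}"
    if res.require_mfa and not user.mfa_verified:
        return False, "second factor required"
    return True, f"{user.name} ({user.role}) granted"


def demo() -> list:
    """Run the matrix through decide(); returns (resource, allowed) pairs in order."""
    t0 = datetime(2025, 1, 1, tzinfo=timezone.utc)
    admin = User("alice", "admin", mfa_verified=True)
    member = User("bob", "member", mfa_verified=True)
    weekend = ShareLink("tok123", "guest-share", expires_at=t0 + timedelta(days=2), max_uses=2)
    checks = [
        ("home-assistant", admin, None, t0),
        ("home-assistant", member, None, t0),
        ("jellyfin", member, None, t0),
        ("vaultwarden", None, None, t0),
        ("blog", None, None, t0),
        ("guest-share", None, weekend, t0),
        ("guest-share", None, weekend, t0),
        ("guest-share", None, weekend, t0),                       # third use: over the limit
        ("guest-share", None, weekend, t0 + timedelta(days=3)),   # after expiry
    ]
    results = []
    for name, user, link, now in checks:
        allowed, reason = decide(name, user, link, now)
        print(f"{name:15} {'ALLOW' if allowed else 'DENY ':5} {reason}")
        results.append((name, allowed))
    return results


if __name__ == "__main__":
    demo()
```

Two details carry over to the real dashboard: a member who is not assigned to a resource is denied even though they are logged in, and a link that has hit its use limit stays denied even though it has not expired yet, so set both limits when you hand a link to a guest.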
Step 4: Configure Roles and Organizations
Pangolin uses an organizational model to scope access. By default, the installer creates one organization. For a typical homelab, this single organization is sufficient, but Pangolin supports multiple organizations if you manage services for different groups.
Within each organization, you can assign users to roles:
- Admin: Full access to all resources and the ability to manage users, sites, and configuration.
- Member: Access only to resources explicitly assigned to them. Cannot modify configuration.
Best Practice
Follow the principle of least privilege. Create a separate admin account for management tasks and use a member account for daily browsing. This limits the blast radius if a session is compromised.
Step 5: Test Your Configuration
With auth configured, run through these verification steps:
Incognito browser test
Open a private window and try accessing an SSO-protected resource. You should be redirected to the Pangolin login page, not to the backend application's own login screen; seeing the application's page means SSO is not enabled on that resource.
OIDC login test
If you configured an external identity provider, click the SSO button on the login page and verify that the OIDC flow completes successfully.
Role verification
Log in as a member user and confirm they can only see assigned resources, not admin-only services.
2FA test
Verify that admin accounts are prompted for a second factor on login.
Shareable link test
Generate a time-limited link, open it in a different browser, and confirm access works. Then expire the link and verify access is revoked.
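The incognito and shareable-link tests above can be automated so you can rerun them after every change. The script below is an added example for this guide, not a Pangolin tool: it requests each resource without a session cookie, refuses to follow redirects so it can see where the first hop goes, and classifies the response as `protected` (redirected to your Pangolin login host, or an explicit 401/403), `open` (200) or `unexpected` (anything else, including a redirect to some other host). The hostnames are placeholders you replace on the command line; the fake responses in the usage notes are constructed.

```python
"""
Unauthenticated probe of exposed resources: does each one behave as its auth
mode says? Added example for this guide; not a Pangolin tool.

usage: python check_auth.py LOGIN_HOST URL:protected|open [URL:protected|open ...]
e.g.   python check_auth.py pangolin.yourdomain.com \
           https://ha.yourdomain.com/:protected https://blog.yourdomain.com/:open
"""
import sys
import urllib.error
import urllib.request
from urllib.parse import urlparse


def probe(url: str, timeout: float = 10.0) -> tuple:
    """Fetch url without following redirects; return (status, Location header or None)."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None        # decline to follow, so the 3xx surfaces as an HTTPError
    opener = urllib.request.build_opener(NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": "pangolin-auth-check"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as e:   # 3xx (unfollowed), 4xx and 5xx land here
        return e.code, e.headers.get("Location")


def classify(status: int, location, login_host: str) -> str:
    """Interpret an unauthenticated response (see the lead-in for the three labels)."""
    if status in (401, 403):
        return "protected"
    if 300 <= status < 400 and location:
        # Only a redirect to the Pangolin login host counts as "protected";
        # a redirect anywhere else is a misconfiguration worth looking at.
        return "protected" if urlparse(location).hostname == login_host else "unexpected"
    if status == 200:
        return "open"
    return "unexpected"


def verify(plan: list, login_host: str, prober=probe) -> list:
    """plan: [(url, expected), ...] with expected in {'protected', 'open'}.
    Prints one line per URL and returns the failures as (url, expected, observed)."""
    failures = []
    for url, expected in plan:
        status, location = prober(url)
        observed = classify(status, location, login_host)
        mark = "ok  " if observed == expected else "FAIL"
        print(f"{mark} {url}: expected {expected}, got {observed} ({status} {location or ''})")
        if observed != expected:
            failures.append((url, expected, observed))
    return failures


if __name__ == "__main__":
    if len(sys.argv) < 3:
        sys.exit(__doc__)
    plan = [tuple(arg.rsplit(":", 1)) for arg in sys.argv[2:]]
    sys.exit(1 if verify(plan, sys.argv[1]) else 0)
```

Run it once with the plan that matches your policy matrix, then again after expiring or revoking a shareable link with the link URL listed as `protected`: the link must no longer come back as `open`. The exit status is non-zero on any failure, so the script can sit in a cron job or a CI step as a standing check that nothing has silently been switched to public.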
Security Considerations
Pangolin's identity layer gives you significantly more control than exposing services behind basic auth or a VPN, but there are some important things to keep in mind:
Session management
Pangolin sessions have configurable timeouts. For sensitive services, shorter session lifetimes reduce the window of exposure if a device is compromised.
OIDC provider availability
If you self-host your OIDC provider (Pocket ID, Authentik) and expose it as a Platform SSO resource behind Pangolin, you create a circular dependency: reaching the login page requires a session that you can only get by reaching the login page. Expose the identity provider as a Public resource (it has its own authentication) or host it outside Pangolin entirely, and keep at least one internal admin account with 2FA enabled as a break-glass login in case the provider is down.
Custom auth domains
Pangolin supports setting a custom domain for the authentication page (e.g., auth.yourdomain.com). This increases trust when sharing access with external collaborators who see your branded login page instead of a generic one.
What's Next
In Part 3 of this series, we'll cover exposing specific services — Jellyfin, Home Assistant, and Nextcloud — through your Pangolin tunnel with optimized configurations for each.
Don't have a VPS yet? RamNode offers KVM VPS plans starting at $4/month — the perfect entry point for your Pangolin deployment.
