How can I implement an SSO solution on Synology NAS with Microsoft Entra Domain Services?

Purpose

This tutorial guides you through how to join a Synology NAS to Microsoft Entra Domain Services (formerly Azure AD Domain Services) and activate Entra ID single sign-on (SSO) for DSM services.

Notes:

  1. The instructions below are based on Microsoft Entra ID. The actual steps may vary according to their user-interface updates.
  2. Connecting to a Microsoft Entra ID domain does not necessarily require a VPN. This tutorial only provides one possible solution, and using Microsoft Entra Domain Services may incur costs. Refer to Microsoft Entra ID for details.

Resolution

A. Before you start

  • Make sure that your Synology NAS is running DSM 6.2 or above.
  • Set up a Site-to-Site IPSec VPN tunnel between Microsoft Entra's virtual network and the local network of your Synology NAS. We recommend setting up the VPN connection with a Synology Router (refer to this article for detailed instructions).

B. Set up an Entra ID managed domain

  1. Sign in to the Microsoft Entra web portal.
  2. In the search bar, type "Microsoft Entra Domain Services".
  3. Select Microsoft Entra Domain Services from the results.
  4. On the Microsoft Entra Domain Services page, click Create.
  5. Configure the following at the Basics tab:
    • Subscription: Select your subscription to Microsoft Entra ID service.
    • Resource group: Here, we click Create new and enter a name, e.g., "SynologySQ".
    • DNS domain name: Name your managed domain. Here, we name the managed domain with the built-in suffix ".onmicrosoft.com". You can refer to this article to learn more about domain customization.
    • Region: Select the location for your domain. Here, we select East Asia.
  6. Go to the Networking tab. Specify the Virtual network and Subnet for your managed domain.
  7. Go to the Administration tab. Click Manage group membership to specify domain administrators.
  8. Customize the settings at the Synchronization tab depending on your needs, and click Review + create.
  9. After the settings have been validated, click Create to set up your Entra ID managed domain. This process may take up to an hour.

Notes:

  1. If you're having trouble setting up an Entra ID managed domain, please contact Microsoft for further assistance.

C. Join Synology NAS to the Entra ID managed domain

For DSM 7

  1. Sign in to DSM using an account belonging to the administrators group.
  2. Go to Control Panel > Domain/LDAP > Domain/LDAP.
  3. Click Join.
  4. Configure the following settings and click Next:
    • Server type: Select Auto-detect or Domain.
    • Server address: Enter the name of your Entra ID managed domain.
    • DNS server: Enter the Entra ID managed domain's IP address. You can check it at the Entra portal > All resources > your managed domain > Properties > IP addresses.
  5. Configure the following settings:
    • Domain account: Enter the username of the Entra ID managed domain administrator's account (see Note 1 below).
    • Domain password: Enter the password of the account above.
    • DC IP/FQDN: Enter the Entra ID managed domain's IP addresses.
  6. Click Next, and the wizard will run some checks and join your Synology NAS to the managed domain. When the joining process is complete, you will see the status "Connected" at the Domain/LDAP tab.

For DSM 6.2

  1. Sign in to DSM using an account belonging to the administrators group.
  2. Go to Control Panel > Domain/LDAP > Domain.
  3. Tick Join domain.
  4. Configure the following settings:
    • Domain: Enter the name of your Entra ID managed domain.
    • DNS Server: Enter the Entra ID managed domain's IP address. You can check it at the Entra portal > All resources > Your managed domain > Properties > IP addresses.
  5. Click Apply. A pop-up window will appear requesting the administrator's account and password of your Microsoft Entra Domain Services for authentication (see Note 1 below). Enter your information and click Next.
  6. When the joining process is complete, you will see the status "Connected" at the Domain tab.

D. Activate Entra ID SSO on Synology NAS

  1. Sign in to the Entra portal.
  2. Go to Azure Active Directory > App registrations, and click New registration.
  3. Configure the following and click Register:
    • Name: Name the application, e.g., "AzureSSO".
    • Supported account types: Select the types of accounts that can use this application. If there is only one Entra ID tenant in your organization, select Accounts in this organizational directory only. You can refer to this article for more information about this option.
    • Redirect URI: Select Web from the drop-down menu. Also, enter the URI of your application's login page in the following format. Make sure that HTTPS and a valid certificate are used for connecting to your NAS. Also, this field cannot be a QuickConnect address. You can import a certificate to DSM or obtain one from Let's Encrypt.
      URI format: https://<domain name or IP address of your NAS (see Note 2 below)>:<port>/
      Example for DSM 7: https://synonas.synology.me:5001/
      Example for DSM 6.2: https://synonas.synology.me:5001/webman/login.cgi
  4. On the Overview page, copy the Application (client) ID and Directory (tenant) ID.
  5. Go to Certificates & secrets and click New client secret.
  6. In the pop-up window, configure the following and click Add:
    • Description: Name this client secret.
    • Expires: Select the period of validity for this client secret. We suggest choosing Custom and setting a period long enough to prevent the client secret from expiring. If the client secret expires, users may not be able to sign in to DSM via Entra ID SSO authentication.
  7. Copy the Value of the newly added client secret.
  8. Go to DSM Control Panel > Domain/LDAP > SSO Client and do the following:
    • For DSM 7: Tick Enable OpenID Connect SSO service and click OpenID Connect SSO Settings. In the pop-up window, select azure from the Profile drop-down menu.
    • For DSM 6.2: Tick Enable OpenID Connect SSO service. Select azure from the drop-down menu and click Edit.
  9. Paste the copied values of Application ID and Directory ID (see Step 4) and Key (the client secret Value from Step 7). Also, enter the Redirect URI of your application's login page (see Step 3). Click Save after making sure all the information is correct.
  10. Click Apply when the configuration is complete.
  11. Entra ID domain users can now sign in to your Synology NAS using their Entra ID credentials. To sign in with SSO, select Azure SSO Authentication at the login portal.
  12. Users will see a pop-up window asking for their username and password. They can click an existing account or enter their username and password to sign in to DSM.
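As an added pre-flight check that is not part of the Synology tutorial, the following Python script validates the values gathered in Steps 3 to 7 against the requirements stated above before they are pasted into the SSO Client settings. The GUID format of the two IDs and the `quickconnect.to` hostname pattern are assumptions of this example, and all sample values are constructed.

```python
"""Offline sanity check for the DSM 'azure' OpenID Connect SSO client settings."""
from dataclasses import dataclass
from datetime import date, timedelta
from urllib.parse import urlsplit
import uuid

# Login-page path DSM expects in the Redirect URI for each DSM generation (from the tutorial).
EXPECTED_PATH = {"7": "/", "6.2": "/webman/login.cgi"}


@dataclass
class SsoClientConfig:
    application_id: str    # Application (client) ID from the app registration Overview page
    directory_id: str      # Directory (tenant) ID from the same page
    secret_expires: date   # expiry chosen under Certificates & secrets
    redirect_uri: str      # Redirect URI registered for the Web platform
    dsm_version: str       # "7" or "6.2"


def _is_guid(value: str) -> bool:
    # Assumption: both Entra IDs are hyphenated GUIDs, as shown in the portal.
    try:
        return str(uuid.UUID(value)) == value.lower()
    except ValueError:
        return False


def check_config(cfg: SsoClientConfig, today: date, warn_days: int = 30) -> list[str]:
    """Return the list of problems found; an empty list means the settings look consistent."""
    problems = []
    if not _is_guid(cfg.application_id):
        problems.append("Application ID is not a GUID")
    if not _is_guid(cfg.directory_id):
        problems.append("Directory ID is not a GUID")
    if cfg.secret_expires <= today:
        problems.append("client secret has expired: Entra ID SSO sign-ins will fail")
    elif cfg.secret_expires - today <= timedelta(days=warn_days):
        problems.append(f"client secret expires within {warn_days} days; rotate it first")
    u = urlsplit(cfg.redirect_uri)
    if u.scheme != "https":
        problems.append("Redirect URI must use HTTPS")
    if u.hostname and "quickconnect.to" in u.hostname:   # assumed QuickConnect pattern
        problems.append("Redirect URI must not be a QuickConnect address")
    if u.port is None:
        problems.append("Redirect URI should include the DSM HTTPS port, e.g. 5001")
    expected = EXPECTED_PATH.get(cfg.dsm_version)
    if expected is None:
        problems.append(f"unknown DSM version {cfg.dsm_version!r}")
    elif u.path != expected:
        problems.append(f"Redirect URI path for DSM {cfg.dsm_version} must be {expected!r}")
    return problems
```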

Notes:

  1. Make sure the administrator's account is created after the Microsoft Entra Domain Services is enabled. Otherwise, before you can use this administrator's account to join your Synology NAS to Microsoft Entra Domain Services, you must change the account password to synchronize the password hash from Microsoft Entra ID to Microsoft Entra Domain Services. Refer to Microsoft's tutorial for details.
  2. If you have registered a DDNS hostname for your Synology NAS, go to DSM Control Panel > External Access > DDNS. You will see its domain name and IP address.