Activate SSO
ActiveProtect Manager supports four Single Sign-On (SSO) protocols: OIDC, SAML 2.0, CAS, and Synology SSO. After configuring your ActiveProtect appliance as an SSO client, users who have signed in on the SSO page can access the appliance without signing in again.
In this article, an SSO server and your ActiveProtect appliance are referred to as follows:
- SSO server: your identity provider (IdP)
- SSO client: your ActiveProtect appliance
OIDC SSO
OpenID Connect (OIDC) is an open authentication protocol that works together with OAuth 2.0. It allows your ActiveProtect appliance to verify user identities and obtain profile information in JSON format from an IdP. Follow the instructions below to integrate your appliance with OIDC SSO services or Entra ID.
Set your appliance as an OIDC SSO client
- Go to Appliance Console > Control Panel > Domain/LDAP > SSO Client.
- Select the Enable OpenID Connect SSO service checkbox and click OpenID Connect SSO Settings.
- Select OIDC from the Profile drop-down menu.
- Specify information in the fields in the pop-up window:
| Option | Description |
|---|---|
| Account type | Grant SSO permissions to three types of users: domain (or AD) users, LDAP users, and local users. |
| Name | A custom profile name. This will be displayed on the SSO login interface. |
| Well-known URL | This URL offers all required IdP information for your ActiveProtect appliance. |
| Application ID | The unique identifier of your ActiveProtect appliance. This is often referred to as the Client ID. |
| Application secret | The private key that is known only to your ActiveProtect appliance and IdP. It allows your ActiveProtect appliance to authenticate to the IdP. |
| Redirect URI | The URL of your ActiveProtect appliance where users are redirected after your IdP confirms authentication requests. |
| Authorization scope | This contains one or more scopes associated with access tokens. It determines what services will be available when access tokens are used to access OAuth 2.0-protected endpoints. |
| Username claim | A set of user attributes returned by each authorization scope. The system will use this to identify users. |
- Click Save and exit the pop-up window.
- Click Apply to save your settings.
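A pre-flight check of the OIDC fields in the table above against the IdP's discovery document, as an added example that is not part of this article or of ActiveProtect Manager. It assumes a constructed discovery document and a constructed client profile (the hostnames, scopes and claim names are placeholders) and applies the consistency rules worth checking before clicking Apply: the issuer must match the Well-known URL, the IdP endpoints and the Redirect URI must be HTTPS, every Authorization scope must be one the IdP advertises, and the Username claim must be one the IdP can return.

```python
import json
from urllib.parse import urlparse

# Constructed sample of what an IdP serves at its well-known URL
# (.../.well-known/openid-configuration). Placeholder values, not a real IdP.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://idp.example.test",
    "authorization_endpoint": "https://idp.example.test/authorize",
    "token_endpoint": "https://idp.example.test/token",
    "jwks_uri": "https://idp.example.test/jwks",
    "scopes_supported": ["openid", "profile", "email"],
    "claims_supported": ["sub", "email", "preferred_username"],
    "response_types_supported": ["code"],
})

# Constructed SSO client profile mirroring the OIDC fields of the article.
SAMPLE_PROFILE = {
    "well_known_url": "https://idp.example.test/.well-known/openid-configuration",
    "redirect_uri": "https://backup.example.test/sso/oidc/callback",
    "authorization_scope": "openid profile email",
    "username_claim": "preferred_username",
}


def check_oidc_profile(profile: dict, discovery_json: str) -> list[str]:
    """Return a list of problems; an empty list means the profile is consistent."""
    problems = []
    doc = json.loads(discovery_json)

    # 1. The discovery document must be served from under its own issuer,
    #    otherwise a well-known URL pointing at the wrong host would be accepted.
    wk = profile["well_known_url"]
    issuer = doc.get("issuer", "")
    if not wk.startswith(issuer.rstrip("/") + "/"):
        problems.append(f"issuer {issuer!r} does not match well-known URL {wk!r}")

    # 2. Required endpoints must exist and use HTTPS (tokens travel over them).
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        url = doc.get(key)
        if not url:
            problems.append(f"discovery document lacks {key}")
        elif urlparse(url).scheme != "https":
            problems.append(f"{key} is not HTTPS: {url}")

    # 3. The Redirect URI receives the authorization code, so it must be HTTPS.
    if urlparse(profile["redirect_uri"]).scheme != "https":
        problems.append("redirect URI must be HTTPS")

    # 4. 'openid' is mandatory, and every requested scope must be advertised.
    scopes = profile["authorization_scope"].split()
    if "openid" not in scopes:
        problems.append("authorization scope must include 'openid'")
    supported = set(doc.get("scopes_supported", []))
    for scope in scopes:
        if supported and scope not in supported:
            problems.append(f"scope {scope!r} not advertised by IdP")

    # 5. The username claim maps IdP users to appliance users; it must be returnable.
    claims = doc.get("claims_supported")
    if claims is not None and profile["username_claim"] not in claims:
        problems.append(f"username claim {profile['username_claim']!r} not in claims_supported")

    # 6. The appliance uses the authorization code flow.
    if "code" not in doc.get("response_types_supported", []):
        problems.append("IdP does not advertise the authorization code response type")
    return problems


if __name__ == "__main__":
    for problem in check_oidc_profile(SAMPLE_PROFILE, SAMPLE_DISCOVERY) or ["profile is consistent"]:
        print(problem)
```

In practice the discovery document is fetched from the Well-known URL over HTTPS with certificate validation; it is embedded here only so the check runs offline.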
Set your appliance as an Entra ID SSO client
- Make sure your ActiveProtect appliance has joined an Entra domain (formerly "Azure AD") via VPN or a domain in sync with an Entra domain.
- Go to Appliance Console > Control Panel > Domain/LDAP > SSO Client.
- Select the Enable OpenID Connect SSO service checkbox and click OpenID Connect SSO Settings.
- Select Azure from the Profile drop-down menu.
- Specify the Application ID, Keys, Directory ID, and Redirect URI into the corresponding fields. On the Microsoft Entra admin center, you will find the Application ID as Application (client) ID, the Keys as Client secrets, and the Directory ID as Directory (tenant) ID. To obtain the information, refer to the instructions in the next section.
- Click Save and exit the pop-up window.
- Click Apply to save your settings.
To obtain the Application ID, Keys, and Directory ID for Entra ID SSO:
- Sign in to Microsoft Entra admin center using an admin account.
- Go to Identity > Applications > App registrations. Click New registration.
- Enter your application's Name.
- Select Accounts in this organizational directory only.
- Enter the Redirect URI you specified in Appliance Console.
- Click Register to complete the registration. Once the application is successfully registered, it will be displayed on the App registrations page.
- Click the application's display name to view the Application (client) ID and Directory (tenant) ID.
- Switch to the Certificates & secrets page. Check your application's client secrets or click the New client secret button to set up a new one.
Important:
SAML SSO
Security Assertion Markup Language (SAML) is an open standard for user authentication. Under this framework, client applications obtain and verify user information by exchanging XML-based assertions with an IdP.
Follow these steps to set up your ActiveProtect appliance as a SAML SSO client:
- Go to Appliance Console > Control Panel > Domain/LDAP > SSO Client.
- Select the Enable SAML SSO service checkbox and click SAML SSO Settings.
- In the pop-up window, click Import Metadata and upload a SAML metadata file obtained from your IdP. You can also specify information in the fields:
| Option | Description |
|---|---|
| Name | A custom profile name. This will be displayed on the SSO login interface. |
| Account type | Grant SSO permissions to three types of users: domain (or AD) users, LDAP users, and local users. |
| SP entity ID | The URL of this ActiveProtect appliance where users are redirected after your IdP confirms SAML assertions. This address must be HTTPS and cannot be a QuickConnect address. This is often referred to as the Redirect URI, Application ID, or Assertion Consumer Service URL (ACS URL). |
| IdP entity ID | The unique attribute used to recognize your IdP. This is often referred to as the IdP issuer, issuer, or identifier. |
| IdP single sign-on URL | The IdP endpoint from which SAML responses are sent. This is often referred to as the Login URL, SSO URL, or SAML endpoint. |
| Certificate | The public key certificate of your IdP. This will be used to verify your IdP's SAML assertions and responses. |
- Click Save and exit the pop-up window.
- Click Apply to save your settings.
- If your IdP provides the following options, make sure to configure them on the IdP website as follows:
| Option | Choose |
|---|---|
| Type of SAML binding | The HTTP redirect option |
| Name ID format | Unspecified |
| Name ID value/attribute | Either the username, account, or email option depending on your requirements |
| SAML assertion/response signing | SAML response: Sign. SAML assertion: Either sign or unsign |
CAS SSO
Central Authentication Service (CAS) is a ticket-based protocol for user authentication. Under this protocol, the IdP verifies end users' identities by sending and validating service tickets.
Follow these steps to set up your ActiveProtect appliance as a CAS SSO client:
- Go to Appliance Console > Control Panel > Domain/LDAP > SSO Client.
- Select the Enable CAS SSO service checkbox and click CAS SSO Settings.
- Specify information in the fields in the pop-up window:
| Option | Description |
|---|---|
| Name | A custom profile name. This will be displayed on the SSO login interface. |
| Account type | Grant SSO permissions to three types of users: domain (or AD) users, LDAP users, and local users. |
| Service ID | The URL of your ActiveProtect appliance. Your IdP will redirect users to this location upon successful authentication. |
| Server URL | The URL of your IdP. |
| Server validate URL | This URL is used by your ActiveProtect appliance to confirm the validity of a service ticket with your IdP, which will send back an XML document. |
- Click Save and exit the pop-up window.
- Click Apply to save your settings.
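The ticket validation exchange the Server validate URL field refers to, as an added example that is not part of this article or of ActiveProtect Manager: building the validation request the SSO client sends (the Service ID plus the ticket it received) and parsing the XML document the IdP sends back. The URLs, username and ticket value are constructed placeholders, and the responses follow the standard CAS serviceValidate format.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}

# Constructed sample responses in the CAS serviceValidate format.
SUCCESS_RESPONSE = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationSuccess>
    <cas:user>alice</cas:user>
    <cas:attributes>
      <cas:mail>alice@example.test</cas:mail>
    </cas:attributes>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

FAILURE_RESPONSE = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationFailure code="INVALID_TICKET">
    Ticket ST-12345 not recognized
  </cas:authenticationFailure>
</cas:serviceResponse>"""


def build_validate_request(server_validate_url: str, service_id: str, ticket: str) -> str:
    """Build the URL the client calls to validate a ticket.

    The 'service' value must be exactly the Service ID the IdP redirected the
    user to; a mismatch is rejected by the IdP as an invalid service, which is
    the most common reason CAS SSO fails after a seemingly correct login.
    """
    return server_validate_url + "?" + urlencode({"service": service_id, "ticket": ticket})


def parse_service_validate(xml_text: str) -> dict:
    """Interpret the IdP's XML answer: who was authenticated, or why not."""
    root = ET.fromstring(xml_text)
    ok = root.find("cas:authenticationSuccess", CAS_NS)
    if ok is not None:
        user = ok.findtext("cas:user", namespaces=CAS_NS)
        # Optional attributes (CAS 3.0), keyed by local tag name.
        attrs = {
            child.tag.split("}", 1)[1]: (child.text or "").strip()
            for child in ok.findall("cas:attributes/*", CAS_NS)
        }
        return {"ok": True, "user": user, "attributes": attrs}
    fail = root.find("cas:authenticationFailure", CAS_NS)
    if fail is not None:
        return {"ok": False, "code": fail.get("code"), "message": (fail.text or "").strip()}
    raise ValueError("malformed CAS response: neither success nor failure element")


if __name__ == "__main__":
    # Constructed placeholder endpoints and ticket.
    print(build_validate_request("https://cas.example.test/cas/serviceValidate",
                                 "https://backup.example.test/", "ST-12345"))
    print(parse_service_validate(SUCCESS_RESPONSE))
    print(parse_service_validate(FAILURE_RESPONSE))
```

Only the user returned inside authenticationSuccess should be treated as signed in; anything in the redirect back from the IdP is unverified until the validate URL confirms the ticket.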
Synology SSO
Synology SSO is a user authentication solution based on the OAuth 2.0 framework. It provides a single sign-on architecture specifically for Synology devices. To use this protocol, you must have a Synology NAS with SSO Server installed.
Follow these steps to set up your ActiveProtect appliance as a Synology SSO client:
- Go to Appliance Console > Control Panel > Domain/LDAP > SSO Client.
- Select the Enable Synology SSO service checkbox and click Synology SSO Settings.
- Specify information in the fields in the pop-up window:
| Option | Description |
|---|---|
| Name | A custom profile name. This will be displayed on the SSO login interface. |
| Account type | Grant SSO permissions to three types of users: domain (or AD) users, LDAP users, and local users. |
| SSO server URL | The full URL of SSO Server. Find it on your Synology NAS > SSO Server > General Settings. |
| Application ID | Enter the name of your ActiveProtect appliance configured on your Synology NAS > SSO Server > Application. |
- Click Save and exit the pop-up window.
- Click Apply to save your settings.
Note:
- If you want to use SSO to sign in to your ActiveProtect appliance by default, select the Select SSO by default on the login page at Appliance Console > Control Panel > Domain/LDAP > SSO Client.
- If you set your ActiveProtect appliance as an Azure or WebSphere SSO client, local users are not allowed to sign in via OIDC SSO.
- To allow local users to sign in via SSO, go to your IdP and make sure that it contains users with the same usernames as those on your ActiveProtect appliance.
- Web browsers may block SSO logins if your IdP uses HTTPS without a trusted certificate. If your IdP operates on HTTP and your ActiveProtect appliance on HTTPS, users must configure their browsers to allow unsecured connections.