Service

The Service page provides a centralized platform to manage your SSO servers. The supported protocols include SAML, OIDC, and Synology SSO.

Note:

  • Before activating SSO protocols, make sure to set up a server URL at SSO Server > General Settings.
  • In the following sections, SSO Server will be referred to as the IdP (i.e., Identity Provider).

OIDC

OpenID Connect (OIDC) is an open authentication protocol that works together with OAuth 2.0. It allows client applications (hereafter "apps") to verify end users' identities and obtain profile information in JSON format from an IdP. With OIDC SSO, users only need to remember one set of login credentials and do not have to sign in to different apps separately.

To use OIDC SSO, select the Enable OIDC server checkbox and click Save.

Once you've activated this protocol, make sure to copy the Well-known URL to your client apps' admin portals. This URL provides all of the IdP information your apps need.
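Before pasting the Well-known URL into a client app, it is worth confirming that the document behind it is what the app will rely on: the issuer the IdP announces, whether every endpoint is served over HTTPS on the same host, and whether the mandatory discovery fields are present. The following is an added example (not Synology code) that performs those checks on a constructed OpenID Connect Discovery document. The host name `idp.example.test` and all endpoint paths are placeholders, and the discovery path follows the OIDC Discovery 1.0 convention of `<issuer>/.well-known/openid-configuration`.

```python
import json
from urllib.parse import urlparse

# Placeholder issuer; a real deployment uses the server URL configured under
# SSO Server > General Settings.
ISSUER = "https://idp.example.test/oidc"

# Constructed sample discovery document, modelled on the OIDC Discovery format.
# It is not a response captured from a Synology SSO Server.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": ISSUER,
    "authorization_endpoint": ISSUER + "/authorize",
    "token_endpoint": ISSUER + "/token",
    "userinfo_endpoint": ISSUER + "/userinfo",
    "jwks_uri": ISSUER + "/jwks",
    "response_types_supported": ["code"],
    "subject_types_supported": ["public"],
    "id_token_signing_alg_values_supported": ["RS256"],
    "scopes_supported": ["openid", "profile", "email"],
})

# Fields that OIDC Discovery 1.0 marks as REQUIRED in the provider metadata.
REQUIRED_FIELDS = (
    "issuer", "authorization_endpoint", "token_endpoint", "jwks_uri",
    "response_types_supported", "subject_types_supported",
    "id_token_signing_alg_values_supported",
)

ENDPOINT_FIELDS = (
    "authorization_endpoint", "token_endpoint", "jwks_uri",
    "userinfo_endpoint", "end_session_endpoint",
)


def well_known_url(issuer: str) -> str:
    """Derive the discovery URL from the issuer, per OIDC Discovery 1.0."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"


def check_discovery(document: str, expected_issuer: str) -> list:
    """Return a list of problems found in a discovery document (empty = OK)."""
    problems = []
    try:
        doc = json.loads(document)
    except json.JSONDecodeError as exc:
        return ["not valid JSON: %s" % exc]

    for field in REQUIRED_FIELDS:
        if field not in doc:
            problems.append("missing required field: " + field)

    issuer = doc.get("issuer")
    if issuer is not None:
        # Clients compare the 'iss' claim of every ID token against this value,
        # so it must match the URL the client was configured with.
        if issuer.rstrip("/") != expected_issuer.rstrip("/"):
            problems.append("issuer %r differs from expected %r" % (issuer, expected_issuer))
        if urlparse(issuer).scheme != "https":
            problems.append("issuer is not https: " + issuer)

    expected_host = urlparse(expected_issuer).netloc
    for name in ENDPOINT_FIELDS:
        url = doc.get(name)
        if url is None:
            continue
        parsed = urlparse(url)
        if parsed.scheme != "https":
            problems.append("%s is not https: %s" % (name, url))
        if parsed.netloc != expected_host:
            problems.append("%s host %r differs from issuer host %r" % (name, parsed.netloc, expected_host))

    algs = doc.get("id_token_signing_alg_values_supported", [])
    if "none" in algs:
        problems.append("'none' advertised as an ID token signing algorithm")
    if "RS256" not in algs:
        problems.append("RS256 not advertised (OIDC Discovery requires it)")

    return problems


if __name__ == "__main__":
    print("Well-known URL:", well_known_url(ISSUER))
    for problem in check_discovery(SAMPLE_DISCOVERY, ISSUER) or ["no problems found"]:
        print("-", problem)
```

Run it against the text returned by the Well-known URL instead of `SAMPLE_DISCOVERY` to check a live IdP; any reported problem (an `http://` endpoint, an issuer that differs from the configured server URL, a missing `jwks_uri`) is something a client app will either reject or, worse, silently trust.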

SAML

Security Assertion Markup Language (SAML) is an open standard for user authentication. Under this framework, client apps obtain and verify users' information by exchanging XML-based assertions with an IdP. With SAML SSO, users can securely access multiple apps using one set of credentials.

To use SAML SSO, select the Enable SAML server checkbox and copy the following information to your client apps' admin portals:

  • IdP single sign-on URL: The IdP endpoint from which SAML responses are sent. Your client apps may refer to this attribute as the Login URL, SSO URL, or SAML Endpoint.
  • IdP entity ID: The unique attribute your client apps use to recognize the IdP. This is often referred to as the IdP Issuer, Issuer, or Identifier.
  • Metadata: The information about your IdP. Choose a method to obtain it:
    • Copy the Metadata URL.
    • Copy the text in the Metadata field.
    • Click Export Metadata. An .xml file will be generated.
  • SHA-1 fingerprint: A hexadecimal string used to verify the integrity of your IdP's certificate.
  • Certificate: The public key certificate of the IdP. This will be used to verify SAML assertions and responses.

After completing the configuration above, make sure to click Save.
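The metadata exported by the IdP carries the same values listed above (entity ID, single sign-on URL and signing certificate), and the SHA-1 fingerprint shown on the page is simply SHA-1 over the certificate's DER bytes. The following is an added example (not Synology code) that parses a constructed SAML 2.0 IdP metadata document, pulls out those values and computes the fingerprint so it can be compared against the one displayed by SSO Server. The entity ID, host name and endpoint paths are placeholders, and the `X509Certificate` element holds the base64 of the bytes `abc` rather than a real DER certificate, so the fingerprint can be checked against the published SHA-1 test vector.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET  # for metadata from untrusted sources, prefer defusedxml

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample IdP metadata. The certificate body is the base64 of
# b"abc", a placeholder standing in for real DER certificate bytes.
SAMPLE_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.test/saml/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509Certificate>YWJj</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def parse_idp_metadata(xml_text: str) -> dict:
    """Extract entity ID, SSO endpoints and signing certificates (DER bytes)."""
    root = ET.fromstring(xml_text)
    entity_id = root.get("entityID")

    endpoints = {}
    for svc in root.findall("md:IDPSSODescriptor/md:SingleSignOnService", NS):
        endpoints[svc.get("Binding")] = svc.get("Location")

    certs = []
    for key in root.findall("md:IDPSSODescriptor/md:KeyDescriptor", NS):
        # A KeyDescriptor without 'use' covers both signing and encryption.
        if key.get("use") not in (None, "signing"):
            continue
        for cert in key.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            b64 = "".join((cert.text or "").split())  # drop line breaks and indentation
            certs.append(base64.b64decode(b64))

    return {"entity_id": entity_id, "sso_endpoints": endpoints, "signing_certs_der": certs}


def sha1_fingerprint(cert_der: bytes) -> str:
    """Colon-separated uppercase SHA-1 fingerprint of DER certificate bytes."""
    digest = hashlib.sha1(cert_der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprint_matches(cert_der: bytes, expected: str) -> bool:
    """Compare against a fingerprint copied from the IdP page, ignoring colons, spaces and case."""
    def normalize(s):
        return s.replace(":", "").replace(" ", "").upper()
    return hmac.compare_digest(normalize(sha1_fingerprint(cert_der)), normalize(expected))


if __name__ == "__main__":
    info = parse_idp_metadata(SAMPLE_METADATA)
    print("IdP entity ID:", info["entity_id"])
    for binding, location in info["sso_endpoints"].items():
        print("SSO endpoint:", binding, "->", location)
    for der in info["signing_certs_der"]:
        print("SHA-1 fingerprint:", sha1_fingerprint(der))
```

To use it on a real export, read the .xml file produced by Export Metadata into `parse_idp_metadata` and compare each computed fingerprint with the SHA-1 fingerprint displayed on the SAML page; a mismatch means the client app has been given a certificate other than the one the IdP will sign with, which is also the symptom to expect after clicking Renew without re-importing the new certificate.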

Note:

  • You can click Renew to generate a new certificate when the current one expires. If your certificate is renewed, make sure to import it to your client apps.

Synology SSO

Synology SSO is a user authentication solution based on the OAuth 2.0 framework. It provides a single sign-on architecture specifically for packages on Synology NAS, such as Synology MailPlus.

To use Synology SSO, select the Enable Synology SSO server checkbox and click Save.

To enable SSO logins through port 80 (HTTP) or 443 (HTTPS), select Allow connections through ports 80 (HTTP) and 443 (HTTPS).

Note:

  • We recommend using HTTPS for the Synology SSO server and client apps to ensure the security of data exchange.
  • When HTTP is used, Synology SSO cannot function normally if a client app uses the HTTPS protocol.
  • When HTTPS and a self-signed certificate are used, the browser will show a warning message and block DSM portals and SSO login windows. To resolve this, do either of the following:
    • Add the Synology NAS serving as the SSO server to the exception list of your browser.
    • Export the certificate from the Synology NAS and import it to your browser. Refer to this article for detailed instructions.