authelia/docs/content/en/integration/openid-connect/synology-dsm/index.md

title: Synology DSM
description: Integrating Synology DSM with the Authelia OpenID Connect Provider.
lead:
date: 2022-10-18T21:22:13+11:00
draft: false
images:
menu / integration / parent: openid-connect
weight: 620
toc: true
community: true

Tested Versions

Before You Begin

{{% oidc-common %}}

Specific Notes

Important Note: Synology DSM does not support automatically creating users via OpenID Connect 1.0. It is therefore recommended that you ensure Authelia and Synology DSM share an LDAP server.

Assumptions

This example makes the following assumptions:

  • Application Root URL: https://dsm.example.com/
  • Authelia Root URL: https://auth.example.com
  • Client ID: synology-dsm
  • Client Secret: insecure_secret

Configuration

Application

To configure Synology DSM to utilize Authelia as an OpenID Connect 1.0 Provider:

  1. Go to DSM.
  2. Go to Control Panel.
  3. Go to Domain/LDAP.
  4. Go to SSO Client.
  5. Check the Enable OpenID Connect SSO service checkbox in the OpenID Connect SSO Service section.
  6. Configure the following values:
    • Profile: OIDC
    • Name: Authelia
    • Well Known URL: https://auth.example.com/.well-known/openid-configuration
    • Application ID: synology-dsm
    • Application Key: insecure_secret
    • Redirect URL: https://dsm.example.com
    • Authorisation Scope: openid profile groups email
    • Username Claim: preferred_username
  7. Save the settings.

{{< figure src="client.png" alt="Synology" width="736" >}}

Authelia

The following YAML configuration is an example Authelia client configuration for use with Synology DSM which will operate with the above example:

- id: synology-dsm
  description: Synology DSM
  secret: '$pbkdf2-sha512$310000$c8p78n7pUMln0jzvd4aK4Q$JNRBzwAo0ek5qKn50cFzzvE9RXV88h1wJn5KGiHrD0YKtZaR/nCb2CJPOsKaPK0hjf.9yHxzQGZziziccp6Yng'  # The digest of 'insecure_secret'.
  public: false
  authorization_policy: two_factor
  redirect_uris:
    - https://dsm.example.com
  scopes:
    - openid
    - profile
    - groups
    - email
  userinfo_signing_algorithm: none

See Also