Integrate Synology NAS with Zero Trust Network Access

In this topic, you will find general instructions on how to integrate a Synology NAS with Portnox™ Zero Trust Network Access.

Prerequisites:

  • Your Synology NAS must be accessible using a domain name.

    SAML integration does not work with an IP address alone. This is because the SAML configuration uses the domain name as the Entity ID.

    To give your Synology NAS a domain name, use one of these options:

    • Use a local DNS server.

    • Create a hosted ZTNA configuration for the NAS. This also lets remote employees access the on-premises NAS without a VPN.

      A hosted ZTNA configuration lets you use your own domain name, or it automatically assigns a portnox.com subdomain, which you can use as the Entity ID in your SAML configuration.

    You can configure the domain for your Synology NAS by clicking on the Control Panel icon, then clicking on the Login Portal icon, and entering the domain name in the Customized domain field.

  • We strongly recommend integrating your Synology NAS with your authentication repository, such as Entra ID or Google Workspace.

    • If you integrate with your repository using LDAP:

      • User accounts are synchronized directly from your repository, so usernames stay consistent automatically. No additional configuration is needed for username mapping.

      • Entra ID: You must use Microsoft Entra Domain Services – a separate paid Azure service that provides a managed LDAP endpoint and syncs users from Entra ID.

      • Google Workspace: LDAP integration requires the Secure LDAP service, which is not available on Business Starter or Business Standard plans. It is available on Business Plus and all Enterprise and Education plans.

    • If you do not integrate with your repository:

      • You must create all NAS users manually. You cannot use the @ symbol in the names of users created manually. We strongly recommend that you use the same username as in user emails. For example, create a user kosh if their company email is kosh@vorlon.com.

      • You must create a separate Identity Provider configuration in Portnox Cloud – for example, Entra ID or Google Workspace. This is because Synology NAS requires the NameID claim to contain the Synology username. How you provide this depends on your repository:

        • Entra ID provides a Display Name attribute, which stores the username without the domain part (for example, kosh from kosh@vorlon.com). You can map this attribute directly to the NameID claim, so no custom fields are needed.

        • The Google Workspace repository only contains fields for email address, first name, and last name. It has no fields that store the username without the domain part, and there is no function to obtain it automatically. Therefore, you must create a custom field in Google Workspace (for example, Displayname) and manually fill it for every user that needs access to the Synology NAS.
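
As an added example (not Portnox or Synology code), the following Python script checks the username mapping described above: it derives the Synology username from a company e-mail the way this guide recommends (the local part, so kosh for kosh@vorlon.com) and then inspects a SAML assertion's NameID to confirm it uses the unspecified format, contains no @ symbol, and matches an account that exists on the NAS. The assertions are constructed inline; the user list and the e-mail addresses are assumptions for illustration.

```python
"""Check that a SAML assertion's NameID carries the Synology username.

Added example, not Portnox or Synology code. It assumes that NAS users
were created with the local part of their company e-mail, as this guide
recommends (e.g. "kosh" for kosh@vorlon.com), and that the IdP sends
NameID with the "unspecified" format.
"""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"


def synology_username(email: str) -> str:
    """Derive the NAS username the guide recommends: the e-mail local part.

    Synology does not allow '@' in locally created usernames, so a NameID
    that carries the full e-mail address can never match a local account.
    """
    local, sep, domain = email.partition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an e-mail address: {email!r}")
    return local


def check_nameid(assertion_xml: str, local_users: set[str]) -> tuple[bool, str]:
    """Return (ok, reason) for the NameID of one SAML assertion.

    ok is True only if the NameID format is 'unspecified', the value has
    no '@', and the value names an account that exists on the NAS.
    """
    root = ET.fromstring(assertion_xml)
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    if name_id is None:
        return False, "assertion has no NameID"
    fmt = name_id.get("Format", "")
    value = (name_id.text or "").strip()
    if fmt != UNSPECIFIED:
        return False, f"NameID format is {fmt!r}, expected unspecified"
    if "@" in value:
        return False, f"NameID {value!r} looks like an e-mail, not a Synology username"
    if value not in local_users:
        return False, f"no local Synology user named {value!r}"
    return True, f"NameID {value!r} maps to a local user"


def _assertion(fmt: str, value: str) -> str:
    # Constructed minimal assertion (not captured from a real IdP).
    return (
        '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        'ID="_example" Version="2.0">'
        f'<saml:Subject><saml:NameID Format="{fmt}">{value}</saml:NameID>'
        '</saml:Subject></saml:Assertion>'
    )


GOOD = _assertion(UNSPECIFIED, "kosh")                 # what Synology expects
BAD_EMAIL = _assertion(EMAIL_FORMAT, "kosh@vorlon.com")  # default IdP behaviour
BAD_UNKNOWN = _assertion(UNSPECIFIED, "lyta")           # no such NAS account

if __name__ == "__main__":
    # Assumed company e-mails; the NAS accounts are their local parts.
    users = {synology_username(e) for e in ["kosh@vorlon.com", "delenn@vorlon.com"]}
    for label, xml in [("good", GOOD), ("email", BAD_EMAIL), ("unknown", BAD_UNKNOWN)]:
        ok, reason = check_nameid(xml, users)
        print(f"{label:8} {'OK  ' if ok else 'FAIL'} {reason}")
```

The second sample is what an identity provider sends by default and is exactly the case the warning below describes: the assertion is valid SAML, but the NAS has no account called kosh@vorlon.com, so the login fails until NameID is remapped in a separate application configuration.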

Assumptions for this guide:

  • We assume that you use a local DNS server or your own domain in a hosted ZTNA configuration, and that your NAS has the domain name: nas.vorlon.com.

  • We assume that you did not integrate with the repository using LDAP and that you used the same usernames for Synology users as your users’ emails. We will show you how to create and configure custom claims.

    Integrating a Synology NAS with an LDAP service provided by Entra ID or Google Workspace is a complex process that is outside the scope of this guide, as it is unrelated to SAML and ZTNA. If you integrated with your repository using LDAP, do not create a new IdP and do not add any custom claims, as the NAS will work with your default IdP and claims configuration.

Create a new identity provider configuration to support Synology

In this section, you will create a new identity provider configuration for Synology NAS and configure its claims.

Warning:
Synology SAML integration requires your identity provider to send the Synology username in the NameID claim instead of the standard email address used by other SAML applications. If you reconfigure your existing identity provider, it will stop working with other SAML applications. Therefore, you must create a new configuration: both a new application in your identity provider and a matching configuration in Portnox Cloud. See: Entra ID or Google Workspace.
Important:
If your Synology NAS is integrated with your Entra ID or Google Workspace authentication repository using LDAP, skip this section.
  • If you use Entra ID, open your Synology ZTNA application configuration and do the following steps.

    1. Open the Attributes & Claims pane (Single Sign-on > Attributes & Claims > Edit).

    2. Click on the Unique User Identifier (Name ID) claim to open its configuration.

    3. In the Name identifier format field, select the Unspecified option, and in the Source attribute field, select the user.displayname option.

    4. Click on the Save button to save your changes.

  • If you use Google Workspace, open your configuration and do the following steps.

    1. Open the Service provider details pane (Apps > Web and mobile apps > your Synology ZTNA application > Service provider details).

    2. In the Name ID format field, select the UNSPECIFIED option, and in the Name ID field, select the custom field that contains the Synology username.

      Note:
      You need to add the custom field to the Google user directory schema and manually fill it with the correct username for every user that needs to access the Synology NAS. In this example, we created a field displayname in a custom section called Synology.

    3. Click on the Save button to save your changes.

Create a Portnox Cloud application configuration

In this step, you will create a configuration in Portnox Cloud that will contain all the information necessary to integrate with Synology.

  1. In a new tab of your browser, open your Portnox Cloud account by accessing the following URL: https://cloud.portnox.com/

    From now on, we will call this tab the Portnox tab.

  2. In the Cloud portal top menu, click on the Zero Trust Resources option.

  3. On the Resources screen, click on the Create resource button.

    1. In the What type of resource is this? section, select the SSO web application option.

    2. In the Authentication protocol section, select the SAML option.

    3. Click on the Next button.

  4. Optional: If you have more than one SAML identity provider configured, select the identity provider in the Select an identity provider to use for this resource section.

  5. In the Resource details section, enter a Resource name and optionally a Description.

    In this example, we used the name Synology for the new application configuration but you can use any name you like.

  6. Keep this browser tab open. You will need it later.

Open your Synology SAML authentication setup page

In this section, you will access your Synology administrative interface and find the SAML authentication setup page.

  1. In another tab of your browser, open your Synology NAS web interface.

    From now on, we will call this tab the Synology tab.

  2. Click on the Control Panel icon, and then on the Domain/LDAP icon.

  3. In the Domain/LDAP pane, click on the SSO Client tab, activate the Enable SAML SSO service checkbox, and then click on the SAML SSO Settings button.

Enter configuration values in the Portnox tab

In this section, you will enter configuration values in the relevant fields in Portnox Cloud.

  1. In the Portnox tab, in the Resource properties section, click on the empty field under the Entity ID / Service Provider Entity URL heading and enter the URL that you use to access your Synology NAS without the trailing slash, for example: https://nas.vorlon.com.

  2. In the Portnox tab, in the Resource properties section, click on the empty field under the Assertion Consumer Service (ACS) URL / Reply URL heading and enter exactly the same value as the Entity ID above.

Export metadata from the Portnox tab and upload it in the Synology tab

In this section, you will export the metadata from Portnox Cloud into a file and upload that file in the Synology SAML setup section.

  1. In the Portnox tab, in the SAML metadata section, click on the Download metadata XML file link to download the XML file and save it to your local drive.

  2. In the Synology tab, click on the Import Metadata button, click on the Browse button, select the XML file downloaded from Portnox Cloud, and then click on the Save button.
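
As an added example (not Portnox or Synology code), the following Python script does two pre-flight checks a practitioner would want before uploading: it validates the value entered as Entity ID / ACS URL against the rules this guide states (a domain name rather than an IP address, and no trailing slash), and it parses the downloaded IdP metadata XML to confirm it carries an entityID, an HTTP-POST single sign-on endpoint, and a signing certificate, which is what the NAS needs to verify signed assertions. The metadata below is constructed to follow the SAML 2.0 metadata schema; its entityID, endpoint and certificate are placeholders, not values from a real Portnox export.

```python
"""Pre-flight checks for the SP URL and the IdP metadata file.

Added example, not Portnox or Synology code. The NAS URL follows this
guide (https://nas.vorlon.com); the metadata document is constructed and
its certificate is a placeholder.
"""
import ipaddress
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

MD = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def check_sp_entity_id(url: str) -> list[str]:
    """Return the problems found with the Entity ID / ACS URL value.

    The guide requires the URL used to reach the NAS, with a domain name
    (SAML Entity IDs do not work with a bare IP) and no trailing slash.
    """
    problems = []
    parts = urlsplit(url)
    if parts.scheme != "https":
        problems.append("scheme is not https")
    host = parts.hostname or ""
    if not host:
        problems.append("no host in URL")
    else:
        try:
            ipaddress.ip_address(host)
            problems.append("host is an IP address; the Entity ID needs a domain name")
        except ValueError:
            pass  # not an IP literal, which is what we want
    if url.endswith("/"):
        problems.append("trailing slash must be removed")
    if parts.query or parts.fragment:
        problems.append("URL must not carry a query string or fragment")
    return problems


def summarize_idp_metadata(xml_text: str) -> dict:
    """Extract what Synology needs from IdP metadata: the entityID, the
    HTTP-POST SingleSignOnService location, and whether a signing
    certificate is present."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", MD)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")
    sso_post = None
    for sso in idp.findall("md:SingleSignOnService", MD):
        if sso.get("Binding", "").endswith(":HTTP-POST"):
            sso_post = sso.get("Location")
    has_cert = False
    for kd in idp.findall("md:KeyDescriptor", MD):
        # A KeyDescriptor without 'use' covers both signing and encryption.
        if kd.get("use", "signing") == "signing":
            cert = kd.find(".//ds:X509Certificate", MD)
            if cert is not None and (cert.text or "").strip():
                has_cert = True
    return {
        "entity_id": root.get("entityID"),
        "sso_post_url": sso_post,
        "has_signing_cert": has_cert,
    }


# Constructed IdP metadata; not a real Portnox export, certificate is a placeholder.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.invalid/saml/EXAMPLE-ID">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>PLACEHOLDER-BASE64-CERT</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.invalid/saml/sso"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.invalid/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

if __name__ == "__main__":
    for candidate in ["https://nas.vorlon.com", "https://nas.vorlon.com/", "https://192.0.2.10"]:
        print(candidate, check_sp_entity_id(candidate) or "OK")
    print(summarize_idp_metadata(SAMPLE_METADATA))
```

Run the URL check against the exact string you typed into the Entity ID field; a trailing slash or an IP literal is the most common reason the Synology side later reports that the SP entity ID does not match.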

Finalize the configuration

In this section, you will finalize the configuration in Portnox Cloud and Synology.

  1. Finalize the configuration in the Portnox tab.
    1. Optional: Click on the Next button to open the Policy enforcement section. If you want to assess risk for this application using a custom risk assessment policy, in the Device risk assessment section, change the setting to Override with custom policy and then select a risk assessment policy. If you want to control access to this application using a custom access control policy, in the Access control section, change the setting to Override with custom policy and then select an access control policy.

      Note:
      To configure the access control policy, follow the steps in this topic: Create or edit an access control policy. To select the default access control policy, on the Groups screen, select a group that you want to configure the default for, click on the ⋮ icon at the end of the row that represents the group, and then select the Group policies option. Then, in the ZTNA Resources section, select the policy in the SSO Web resources drop-down menu.
    2. Scroll all the way down to the end of the page, and then click on the Add resource button.

  2. Finalize the SAML configuration in the Synology tab.
    1. In the Account type field, select the Domain/LDAP/local option, and in the Response signature verification section, select the Sign SAML assertion option. Also, make sure that the SP entity ID field contains the URL that you use to access your Synology NAS without the trailing slash. Then, click on the Save button.

    2. If your users were logging in to the Synology NAS earlier using their usernames and passwords, and if you want them to use SAML instead, change their passwords and do not notify them of the new passwords. This is the only way to enforce ZTNA-based login.

Result: You have configured your Synology NAS to be accessible using Portnox Zero Trust Network Access.