I recently found another cool use case for my Synology NAS: using the Synology SSO Server application to set up vCenter Server Identity Federation. I had not considered looking at Synology for this, but while recently adding some DNS entries I noticed there was an SSO Server application that supports both SAML2 and OIDC.
For those with a Synology, this is a super easy way to get hands-on experience with configuring vCenter Server Identity Federation, and it can all run locally within your environment, unlike some of the other external identity providers, which typically require a direct or indirect connection to your vCenter Server or a SCIM (System for Cross-domain Identity Management) proxy server.
Disclaimer: Synology SSO is currently not an officially supported vCenter Server IdP, please use at your own risk.
Synology SSO supports only HTTPS OIDC endpoints. However, the default self-signed TLS certificate on the Synology does not include the full certificate chain, which vCenter Server requires to establish trust, so we need to generate our own TLS certificate and provide the full certificate chain.
Step 0 (Optional) - If you already have a certificate and an FQDN configured on your Synology, you can skip this initial step. Here is a quick snippet for using OpenSSL to create a self-signed TLS certificate, producing the following required files:
- key.pem - Private Key
- cert.crt - Certificate
- fullchain.pem - Certificate Chain
# generate the RSA private key
openssl genpkey -algorithm RSA -out key.pem
# create a certificate signing request; the CN must match the FQDN you will use for the Synology
openssl req -new -key key.pem -out csr.pem -subj "/C=US/ST=CA/L=Palo Alto/O=WilliamLam/OU=R&D/CN=synology.williamlam.local"
# self-sign the CSR for one year
openssl x509 -req -in csr.pem -signkey key.pem -out cert.crt -days 365
# bundle the certificate and key into the chain file used in the Synology import
cat cert.crt key.pem > fullchain.pem
Once you have created your TLS certificate, navigate to Control Panel->Security->Certificate on your Synology to add your certificate. You will need to toggle the System Default to use your new TLS certificate, and you can confirm it is active by reloading the browser.
Step 2 - Install the SSO Server application under the Package Center and then open the application.
Navigate to Service->Synology SSO and enable the service.
Next, navigate to the General Settings and update the Server URL with an FQDN, which can either use an external DNS server or the DNS Server application of the Synology (ensure both forward/reverse DNS is correct).
Step 3 - Login to your vCenter Server and navigate to Administration->Single Sign On->Configuration->Identity Provider and select the PingFederate option and populate the directory name and DNS domain.
Copy the vCenter Server Redirect URI and then head back to your Synology to create a new OIDC application. Provide a name and paste the redirect URI from Step 3. Make a note of the Application ID, which will be used for the vCenter Server Client Identifier, and the Application Secret, which will be used for the vCenter Server Shared secret. Lastly, copy the OIDC address, which you can retrieve from the Service section.
Step 4 - Navigate back to your vCenter Server to complete the configuration and populate all fields as shown in the screenshot below along with full certificate chain.
If everything was setup correctly, the configuration should be successful.
Synology SSO does not support the SCIM protocol, which means we need to manually make vCenter Server Identity Broker (vIDB) aware of the users before we can assign vSphere permissions.
Typically, we need to go through the login process, which will fail, but that allows us to discover the ExternalID in the vCenter Server's logs. Since I have already done this, it looks like Synology SSO uses the Name field of the user as the ExternalID.
For those interested in the process, once the logon to vCenter Server fails, SSH to vCenter Server and look at the /var/log/vmware/vc-ws1a-broker/federation-service.log file, which should contain an entry like the following with the ExternalId shown:
2025-03-27T13:53:02,731 INFO vc03.williamlam.local:federation (federation-business-pool-0) [CUSTOMER;-;192.168.30.4;705fac77-91cd-47f0-b515-3b5b04d6b2af;-;c4be59ae-4fcd-447a-8914-568b4185f139] com.vmware.vidm.federation.login.processor.AuthResponseUserResolver - Fetching user for jit login context: c4be59ae-4fcd-447a-8914-568b4185f139 on attribute ExternalId=lamw, domains: [williamlam.local]
You will need to repeat this for each user that you wish to give access to your vCenter Server, but since we know the ExternalID is simply the Name field, you can assume that value as you create your users.
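The log line above is the only place the page shows where vIDB reveals which attribute and value it keyed the just-in-time lookup on. The following is an added example (not the author's script or any VMware tooling) that parses federation-service.log entries of that shape and lists the unique attribute/value/domain combinations seen, so you can confirm the ExternalId for each user who attempted a login rather than eyeballing the file. The first sample line is the entry quoted in the post; the other two are constructed, with placeholder UUIDs.

```python
import re
import sys
from dataclasses import dataclass

# Sample log: line 1 is the federation-service.log entry quoted in the post;
# lines 2 and 3 are constructed (placeholder UUIDs, second user "jdoe", one
# unrelated line) to exercise the parser.
SAMPLE_LOG = """\
2025-03-27T13:53:02,731 INFO vc03.williamlam.local:federation (federation-business-pool-0) [CUSTOMER;-;192.168.30.4;705fac77-91cd-47f0-b515-3b5b04d6b2af;-;c4be59ae-4fcd-447a-8914-568b4185f139] com.vmware.vidm.federation.login.processor.AuthResponseUserResolver - Fetching user for jit login context: c4be59ae-4fcd-447a-8914-568b4185f139 on attribute ExternalId=lamw, domains: [williamlam.local]
2025-03-27T14:02:45,118 INFO vc03.williamlam.local:federation (federation-business-pool-1) [CUSTOMER;-;192.168.30.4;00000000-0000-0000-0000-000000000001;-;00000000-0000-0000-0000-000000000002] com.vmware.vidm.federation.login.processor.AuthResponseUserResolver - Fetching user for jit login context: 00000000-0000-0000-0000-000000000002 on attribute ExternalId=jdoe, domains: [williamlam.local]
2025-03-27T14:02:45,119 INFO vc03.williamlam.local:federation (federation-business-pool-1) [CUSTOMER;-;192.168.30.4;-;-;-] com.vmware.vidm.federation.login.processor.OtherClass - unrelated message
"""

# Matches the "Fetching user for jit login context" entry and captures the
# timestamp, the JIT context id, the attribute vIDB keyed on, its value and the
# domain list in the trailing brackets.
JIT_RE = re.compile(
    r"^(?P<ts>\S+) .*? jit login context: (?P<ctx>[0-9a-f-]+) "
    r"on attribute (?P<attr>\w+)=(?P<value>[^,]+), domains: \[(?P<domains>[^\]]*)\]"
)


@dataclass(frozen=True)
class JitLookup:
    timestamp: str
    context: str
    attribute: str   # e.g. "ExternalId"
    value: str       # e.g. "lamw"
    domains: tuple   # e.g. ("williamlam.local",)


def parse_jit_lookups(log_text: str) -> list:
    """Return one JitLookup per matching log line, in file order."""
    found = []
    for line in log_text.splitlines():
        m = JIT_RE.search(line)
        if not m:
            continue
        domains = tuple(d.strip() for d in m.group("domains").split(",") if d.strip())
        found.append(JitLookup(m.group("ts"), m.group("ctx"),
                               m.group("attr"), m.group("value"), domains))
    return found


def external_ids_seen(log_text: str) -> list:
    """Unique, sorted (attribute, value, domain) tuples that vIDB tried to resolve.

    Each tuple is one user whose ExternalId you can copy into the publish CSV."""
    seen = set()
    for rec in parse_jit_lookups(log_text):
        for domain in rec.domains:
            seen.add((rec.attribute, rec.value, domain))
    return sorted(seen)


if __name__ == "__main__":
    # Usage: python jit_lookups.py /var/log/vmware/vc-ws1a-broker/federation-service.log
    # With no argument the constructed sample above is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for attr, value, domain in external_ids_seen(text):
        print(f"{attr}={value} domain={domain}")
```

Run it against a copy of the log pulled from the VCSA; the output is the set of attribute values vIDB looked for, which for Synology SSO should line up with the Name field of each user who tried to log in.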
Step 6 - We now need to publish the Synology SSO users into vCenter Server's Identity Broker. To simplify this process, I have created a shell script that runs directly within the VCSA and accepts a CSV file containing the list of users and their attributes.
Using the information from Step 4, create a CSV file that contains the list of users in the following format:
# Username, First Name, Last Name, Email, External Id
lamw, William, Lam, lamw@williamlam.local, lamw
Note: Any entries starting with "#" will be ignored by the script, so you can easily comment out entries that you do not wish to publish to vIDB.
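As an added example, not the author's manual-scim-sync-users.sh, here is a Python parser for that CSV format which skips "#" entries, rejects malformed rows with a line number and reason (so a typo does not silently publish a half-filled user), and turns each valid row into a SCIM 2.0 core User resource as defined by RFC 7643. The exact payload the author's script sends to vIDB is not shown on the page, so the SCIM representation here is an assumption about what such a publish step carries; the sample CSV is constructed.

```python
import csv
from dataclasses import dataclass, field

# Column order follows the CSV format from the post:
# Username, First Name, Last Name, Email, External Id
CSV_FIELDS = ("userName", "givenName", "familyName", "email", "externalId")

# Constructed sample input (not a real user list). The "# jdoe" row is a
# commented-out entry and the last row is malformed, to exercise both paths.
SAMPLE_CSV = """\
# Username, First Name, Last Name, Email, External Id
lamw, William, Lam, lamw@williamlam.local, lamw
# jdoe, Jane, Doe, jdoe@williamlam.local, jdoe
broken, Row, Missing, fields
"""


@dataclass
class ParseResult:
    users: list = field(default_factory=list)   # validated rows as dicts
    errors: list = field(default_factory=list)  # (line_no, reason) per rejected row


def parse_users_csv(text: str) -> ParseResult:
    """Parse the user CSV, skipping blank and '#' lines and rejecting bad rows."""
    result = ParseResult()
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # commented-out entry: ignored, as the script does
        fields = [f.strip() for f in next(csv.reader([line]))]
        if len(fields) != len(CSV_FIELDS):
            result.errors.append(
                (line_no, f"expected {len(CSV_FIELDS)} fields, got {len(fields)}"))
            continue
        row = dict(zip(CSV_FIELDS, fields))
        missing = [k for k, v in row.items() if not v]
        if missing:
            result.errors.append((line_no, f"empty field(s): {', '.join(missing)}"))
            continue
        if "@" not in row["email"]:
            result.errors.append((line_no, "email has no '@'"))
            continue
        result.users.append(row)
    return result


def to_scim_user(row: dict) -> dict:
    """Build a SCIM 2.0 core User (RFC 7643) from one validated row.

    ASSUMPTION: the page does not show the payload vIDB expects; this is the
    standard core schema, with externalId carrying the value vIDB keys on."""
    return {
        "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
        "userName": row["userName"],
        "externalId": row["externalId"],
        "name": {"givenName": row["givenName"], "familyName": row["familyName"]},
        "emails": [{"value": row["email"], "primary": True}],
        "active": True,
    }


def build_scim_users(text: str) -> ParseResult:
    """Parse the CSV and replace each valid row with its SCIM User resource."""
    result = parse_users_csv(text)
    result.users = [to_scim_user(row) for row in result.users]
    return result


if __name__ == "__main__":
    import json
    out = build_scim_users(SAMPLE_CSV)
    for line_no, reason in out.errors:
        print(f"line {line_no}: skipped ({reason})")
    print(json.dumps(out.users, indent=2))
```

Running the parser before the publish step gives you a dry run of exactly which users would be created and why any row was skipped.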
Next, download the manual-scim-sync-users.sh script and the user CSV file to your VCSA and run the script with the following three arguments: vSphere admin username, password and the name of your CSV text file, as shown in the screenshot below.
./manual-scim-sync-users.sh 'administrator@vsphere.local' 'VMware1!' external_users.txt
Step 7 - Log in to your vCenter Server with your vSphere SSO account and you should now be able to look up users from your Synology SSO and assign vSphere Permissions. Once you have assigned the desired vSphere Permission, open an incognito window and, after authenticating with the Synology SSO, you should be successfully logged into vCenter Server!
If you need to remove users from vCenter Server's Identity Broker (vIDB), you can download the manual-scim-remove-users.sh script, which automates that process. Create a similar CSV file with the list of users that you wish to un-publish and then run the script with the following three arguments: vSphere admin username, password and the name of your CSV text file, as shown in the screenshot below.
./manual-scim-remove-users.sh 'administrator@vsphere.local' 'VMware1!' external_users.txt