Setting up SSO with a Synology NAS (DSM 7.2)

iset · December 18, 2023, 10:56am

Hello, I’m trying to setup SSO via OIDC using Auth0 as IdP. Both on the DSM and the Auth0 side I have a user called my.user with email my.user@example.org.

On the Synology side, I followed their guide and I set

Account type : Domain/LDAP/local
Name : My App
Well-known URL : https://iset-telecom.eu.auth0.com/.well-known/openid-configuration
Application ID : the Client ID
Application Secret: the Client Secret
Redirect URI: my login portal
Authorization scope : openid
Username claim: email

When I try to SSO into the NAS, I am redirected to the Auth0 Login form. When I login, I am redirected back to the Synology login portal, but I get back a generic SSO error.

Any ideas about how to troubleshoot this problem?

dawid.matuszczyk · December 18, 2023, 5:40pm

Hi @iset

Welcome to the Auth0 Community!

I’ve checked the signup and log flow on your tenant, and it looks good. Can you check the logs in the DSM? Also can you check the connection response https://openidconnect.net/

Thanks
Dawid

iset · December 18, 2023, 7:21pm

Hi @dawid.matuszczyk, and thank you for your welcome. I haven’t found a clear log that can help me troubleshot this problem. In/var/etc/auth.log, I can see errors like the following:

2023-12-18T19:53:13+01:00 iset-synology synoscgi_SYNO.API.Auth_7_login[13158]: pam_syno_log_fail(sso:auth): Can't get user uid ().

Regarding the test with https://openidconnect.net/, finally I got:

{
 "iss": "https://iset-telecom.eu.auth0.com/",
 "aud": "<my yclient_id>",
 "iat": 1702926881,
 "exp": 1702962881,
 "sub": "auth0|...",
 "sid": "..."
}

It is fine, I guess.

Cheers!

dawid.matuszczyk · December 19, 2023, 4:44pm

Hi @iset

Sorry for the confusion. Did you manage to solve the issue? Or does it still occur?

Thanks
Dawid

iset · December 20, 2023, 9:42am

Hi @dawid.matuszczyk. No worries at all and thank you for your help! Nope, unfortunately I’m still stuck. Here is another piece of log that I’ve found in the NAS:

oidc_auth.cpp:70 Get sso operation failed. Reason: SYNOUserLoginNameConvert failed.
pam_syno_sso.cpp:128 (euid=0)(pam_syno_sso.cpp:128)(Success)Failed [username.empty()]
pam_syno_log_fail(sso:auth): Can't get user uid ().
login.c:1129 Get uid/gid fail for user []. [0x1D00 user_db_get.c:36]

iset · December 20, 2023, 10:43am

Whoooo just fixed modifying these entries in the DSM settings:

Authorization scope : openid profile
Username claim: name

Side question: is there a way to customize the username upon the user creation?

It defaults to the email address and you need to change it later.

dawid.matuszczyk · December 20, 2023, 5:05pm

That’s great to hear that @iset,

Feel free to reach out if you will have more questions!

Have a great day!

Thanks
Dawid

system · January 3, 2024, 5:06pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.