How to set up an SSO service for OpenVPN and a Synology NAS

Sash 0 Reputation points

Hello everyone. Today I have a Synology NAS as well as OpenVPN on pfSense on premises. We have transitioned to Azure for many services, but the NAS and VPN must remain on site. What would be the solution for users to connect with Azure credentials on these two pieces of equipment? I can think of three possible options: have an on-premises AD synchronized with Azure AD; set up SAML authentication, but this seems difficult to implement today on pfSense; or set up a RADIUS server.

Do you have any advice on how to do this? Thanks in advance.


2 answers

  1. Thameur-BOURBITA 28,861 Reputation points

    Hi @Sash

    The hash synchronization method is very simple to implement. You don't need to install additional servers like the PTA and federation methods. If you choose this method, the user will be able to use the same password to access a service hosted in Entra (like Exchange Online, SharePoint Online, etc.) and be authenticated by Entra ID. If you want to forward all user authentication requests to Active Directory and avoid enabling hash synchronization between your Active Directory and Entra ID, you have 2 options: PTA and federation. For more information, you can read the following article:

    Choose the right authentication method for your Microsoft Entra hybrid identity solution

    For more information about the 3 SSO methods, please refer to the following links:

    Please don't forget to accept the helpful answer.


  2. Julian Sperling 266 Reputation points

    It kind of depends. Synology natively supports SSO through their SSO Client, and for pfSense login there is a community package for the web UI. For VPN, however, I think you will find yourself out of luck. If you have RADIUS in place you might be able to find a SAML extension for your server, but even OpenVPN requires you to use a paid dedicated server for SSO, and that has been my experience as well: if you want SSO you have to go commercial.

    Note: If you already use "Azure Authentication", I would have assumed that you already have Entra ID (formerly Azure AD) set up with synchronization.
