How to set up Azure SSO on QTS


Last modified date: 2023-03-17

QNAP NAS supports single sign-on (SSO) from Azure Active Directory Domain Service (Azure AD DS), allowing users to log into the NAS with their Azure AD DS accounts.

As Azure accounts are imported as domain users, the admin can also select the accounts from the domain user list and adjust each Azure domain user’s settings, including shared folder privilege, domain group privilege, and domain user storage.


Requirements:

  • A site-to-site VPN with Azure
  • An Azure AD Domain Service
  • A QNAP NAS with QTS 4.5.1 (or later)
    Note: If you are joining more than one NAS to the SSO service, you must follow this tutorial for every NAS.
  • A text editor for storing the Client ID, Tenant ID, Reply URL and Public Key

Get the Client ID and Reply URL

  1. Open Azure Active Directory.
  2. Go to Manage > App registrations.
  3. Click “+New registration”.
  4. Enter the registration details.
    1. Name: Enter a name for the app.
    2. Application type: Select “Web app/API”.
    3. Sign-on URL: Enter the NAS IP address.
  5. Click “Create”.

    The summary page appears.
  6. Copy the “Application ID” to your text editor.
    Important: The Application ID will be used as the “Client ID” in the SSO configuration.
  7. Click “Settings”.
  8. Go to General > “Reply URLs”.
    The “Reply URLs” sidebar appears.
  9. Click the URL.
  10. Edit the URL by adding “:8080/cgi-bin” to the end.
  11. Copy this edited URL to your text editor.
    Important: This URL will be used as the “Reply URL” in the SSO configuration.
  12. Click “Save”.

Get the Tenant ID from Azure

  1. Open Azure Active Directory.
  2. Go to Manage > “Properties”.
  3. Under Directory properties, find “Directory ID”.
  4. Copy the Directory ID to your text editor.
    Important: The Directory ID will be used as the “Tenant ID” in the SSO configuration.

Get the Public Key from Microsoft

Obtain the CA certificate

  1. Go to https://login.microsoftonline.com/common/discovery/keys
  2. The CA certificate is the value of “x5c”.
    Hint: Use a JSON Formatter to make the keys text more readable.
  3. Copy the CA certificate value to your text editor.

Convert the CA certificate to a Key

Note: There are several methods to convert a CA certificate to a key. In this example we use a Linux environment.

  1. Create a file named rsa_key_azure-cert.pem and paste the CA certificate from your text editor into the space between its -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines. Check the result with the following command:
    # cat rsa_key_azure-cert.pem
  2. Use the following Linux command to write the public key to a “pem” file:
    # openssl x509 -pubkey -noout -in rsa_key_azure-cert.pem > rsa_key_azure-pub.pem
  3. Copy the Public Key (including beginning and end) to your text editor.
    Important: This Public Key will be used as the “Public Key” in the SSO configuration.
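
The conversion steps above as a script, an added example that is not QNAP's or Microsoft's code: it wraps a single-line “x5c” value into a PEM certificate, runs the same openssl command, and prints the subject, expiry and SHA-256 fingerprint so you can confirm which key you are about to paste into the NAS. The function names are hypothetical, and the sample certificate is generated locally as constructed input, not a Microsoft signing key.

```sh
# Added example (not QNAP's code): build rsa_key_azure-cert.pem from an "x5c"
# value and extract the public key. The sample certificate is constructed
# locally so the script runs offline; it is NOT a Microsoft signing key.

# x5c is one line of base64 DER; PEM needs BEGIN/END lines and 64-column wrapping.
# Stray quotes, commas and whitespace from copying out of the JSON are dropped.
x5c_to_pem() {
  printf '%s\n' '-----BEGIN CERTIFICATE-----'
  printf '%s' "$1" | tr -d ' \t\r\n",' | fold -w 64
  printf '\n%s\n' '-----END CERTIFICATE-----'
}

# Write the PEM certificate to $2 and print its public key (the article's
# openssl command). Returns non-zero for a truncated or mis-copied value.
x5c_pubkey() {
  x5c_to_pem "$1" > "$2" && openssl x509 -pubkey -noout -in "$2" 2>/dev/null
}

# Subject, expiry and SHA-256 fingerprint of the certificate, to confirm
# which key is being pasted into the NAS before trusting it.
cert_summary() {
  openssl x509 -noout -subject -enddate -fingerprint -sha256 -in "$1"
}

# Constructed input: a throwaway self-signed certificate, printed the way
# x5c appears in the keys document (base64 DER on a single line).
make_sample_x5c() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj '/CN=constructed-example' \
    -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null &&
  openssl x509 -in "$1/cert.pem" -outform DER | openssl base64 -A
}

workdir=$(mktemp -d)
sample_x5c=$(make_sample_x5c "$workdir")
# The value is passed with its JSON quotes still attached, as it is often copied.
x5c_pubkey "\"$sample_x5c\"" "$workdir/rsa_key_azure-cert.pem" \
  > "$workdir/rsa_key_azure-pub.pem"
cert_summary "$workdir/rsa_key_azure-cert.pem"
cat "$workdir/rsa_key_azure-pub.pem"
```

To use it on the real value, pass the “x5c” string you copied in place of the sample and keep the resulting rsa_key_azure-pub.pem for the SSO configuration.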

Configure SSO on QTS

  1. Log into your NAS as an administrator.
  2. Go to Control Panel > Privilege > Domain Security > Windows AS/LDAP and select “AD Authentication (domain members)”.
  3. Use the “Quick Configuration Wizard” or “Manual Configuration” to join Azure AD DS, in the same way as joining an on-premise AD domain.
  4. Go to the “SSO” tab.
  5. Check “Enable Azure Single Sign-on (SSO)”.
  6. Copy and paste the Client ID, Tenant ID, Reply URL and Public Key from your text editor.
  7. Click Apply.

Sign into the NAS with an Azure AD account

  1. When logging into the NAS, click “Azure SSO”.

    The Microsoft Pick an account window opens.
  2. Select the account to log into the NAS with.
