How do I configure SAML-based single sign-on for the QuWAN QBelt VPN server with Microsoft Entra ID as the Identity Provider?


Last modified date: 2025-04-09

Applicable Products

  • QuWAN Orchestrator
  • QVPN Client
  • Microsoft Entra ID

Details

QuWAN Orchestrator enables the use of Security Assertion Markup Language (SAML)-based single sign-on (SSO) to exchange authentication and authorization data with an Identity Provider (IdP), for example, Microsoft Entra ID (Microsoft Azure AD). With this feature, users can use the same SAML IdP credentials to access various services that support SAML authentication. This eliminates the need to add new credentials for each individual application and service.

Note
Microsoft renamed Azure Active Directory (AD) as Microsoft Entra ID. For details, see New name for Azure Active Directory.

Procedure

1. Creating a QuWAN QBelt VPN server application using Microsoft Entra ID (Azure AD)

  1. Go to https://portal.azure.com.
  2. Sign in using your Microsoft username and password.
  3. On the Microsoft Azure banner, click .
  4. Click All services.
  5. Click Microsoft Entra ID.
  6. In the left panel, under Manage, select Enterprise applications.
  7. Click New application.
  8. Click Create your own application.
  9. Under What's the name of your app?, specify a name for your application.
    Note
    Use a clear, descriptive name for your custom SAML app, like the service name itself (e.g., "QuWAN QBelt VPN Server").
  10. Select Integrate any other application you don't find in the gallery (Non-gallery).
  11. Click Create.

    Azure adds the application and redirects you to the application Overview page.

  12. On the side panel, click Users and groups to assign the specific users and groups that are authorized to access the application.
    For details, see Manage users and groups assignment to an application.

2. Configuring the Microsoft Entra ID (Azure AD) SSO for QuWAN QBelt VPN Server in QuWAN Orchestrator and Azure portal

To enable Microsoft Entra ID (Azure AD) SSO, you must create a link between Microsoft Entra ID users and their corresponding QuWAN QBelt VPN SAML SSO user groups.

  1. Go to https://quwan.qnap.com.
  2. Sign in using your QNAP account username and password.
  3. Select your organization.
  4. Go to VPN Server Settings > Privilege Settings.
  5. Go to SAML SSO.
  6. Click Configure SAML SSO Now.
  7. Copy the Identifier (Entity ID) and Reply URL to the clipboard.
  8. Open Azure portal.
  9. Go to All services > Manage > Enterprise applications.
  10. Locate and open the QuWAN QBelt VPN Server enterprise application.
  11. Under Set up single sign on, click Get started.
  12. Select SAML as the single sign-on method.
  13. Locate step 1, Basic SAML Configuration.
  14. Click Edit.
  15. Paste the copied Identifier (Entity ID) and Reply URL in their respective fields.
  16. Click Save.
  17. Click X to close the SAML configuration window.
  18. Locate step 3, SAML Certificates.
  19. Next to Certificate (Base64), click Download.
  20. Locate step 4, Set up [Application_Name].
  21. Copy the Login URL and Microsoft Entra ID or Azure AD Identifier to the clipboard.
  22. Configure the attributes and claims.
    1. Locate step 2, Attributes & Claims.
    2. Click Edit.
    3. Click Add new claim.
    4. Specify the claim name as email.
    5. Next to Source attribute, select an attribute to correspond to the email claim. For example, select user.mail.
    6. Click Save.
    7. Click Add new claim.
    8. Specify the claim name as groups.
    9. Next to Source attribute, select an attribute to correspond to the groups claim. For example, select user.department.
    10. Click Save.
      Note
      • To map the QuWAN SAML SSO user group to a group that already exists in Microsoft Entra ID, click Add group claim, select All groups, and select Custom group claim name. Enter the claim name as groups.
      • For details on modifying claims, see Customize SAML token claims.
  23. Open QuWAN Orchestrator.
  24. Select your organization.
  25. Go to VPN Server Settings > Privilege Settings.
  26. Go to SAML SSO.
  27. Click Configure SAML SSO Now.
  28. Paste the single sign-on URL and IdP identifier.
  29. Open the downloaded Base64 certificate using a text application.
  30. Copy the contents of the certificate file.
  31. Paste the content in the Certificate (Base64 format) field.
  32. Click Save.
  33. Add a new SAML SSO user group.
    1. In QuWAN Orchestrator, go to VPN Server Settings > Privilege Settings > SAML SSO.
    2. Next to SAML SSO User Rules, click Add.
    3. Enable the user rule.
    4. Configure the user rule settings.
      Setting: User Action
      Rule name: Specify a name for the SAML SSO user rule.
      Attribute value: The value corresponding to the source attribute configured in Microsoft Entra ID's group claims.
        Note
        • If you have configured the user.department attribute in Attributes and Claims in the Microsoft Azure portal, enter the department name of your organization as the attribute value.
        • The value for the source attribute can be retrieved from the QuWAN QBelt VPN Server application within the Microsoft Azure portal. For example, select your user profile, go to Overview, and then click Properties. Identify the value associated with the Department field and copy the value.
          If you choose Add Group Claim you must copy the Object ID. For example, select your group profile, go to Overview, and then copy the Object ID value.
        • Select Rule for all users to apply the attribute value to all the users.
      Segment: Select a pre-configured segment.
      Accessible hubs: Select one or more hubs to connect to.
    5. Optional: Enable Allow concurrent multidevice connections.
    6. Click Save.
  34. Click Apply.

QuWAN Orchestrator saves the SAML SSO settings.
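
The groups claim configured in step 22 and the Attribute value entered in the user rule in step 33 must carry the same string. The following added example (not QNAP's code and not part of the original article) parses a constructed, unsigned SAML AttributeStatement and shows which rules match when the claim is sourced from user.department versus Add group claim. The rule dictionaries, the sample values and the exact, case-sensitive comparison are assumptions for illustration; this article does not document QuWAN Orchestrator's matching logic.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def sample_assertion(email, groups):
    """Build a constructed, unsigned assertion carrying the email and groups claims."""
    values = "".join(
        f"<saml:AttributeValue>{escape(g)}</saml:AttributeValue>" for g in groups
    )
    return (
        '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
        "<saml:AttributeStatement>"
        '<saml:Attribute Name="email">'
        f"<saml:AttributeValue>{escape(email)}</saml:AttributeValue>"
        "</saml:Attribute>"
        f'<saml:Attribute Name="groups">{values}</saml:Attribute>'
        "</saml:AttributeStatement></saml:Assertion>"
    )

def read_claims(assertion_xml):
    """Return {claim name: [values]} from the assertion's AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    claims = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.iterfind("saml:AttributeValue", NS)]
        claims.setdefault(attr.get("Name"), []).extend(values)
    return claims

def matching_rules(claims, rules):
    """Names of enabled rules whose attribute value is present in the groups claim.
    Exact, case-sensitive matching is an assumption of this sketch."""
    groups = set(claims.get("groups", []))
    return [r["name"] for r in rules if r["enabled"] and r["attribute_value"] in groups]

# Hypothetical rules mirroring the "Rule name" and "Attribute value" fields.
# The GUID is a constructed placeholder for an Entra group Object ID.
GROUP_OBJECT_ID = "11111111-2222-3333-4444-555555555555"
RULES = [
    {"name": "by-department", "enabled": True, "attribute_value": "Engineering"},
    {"name": "by-group-id", "enabled": True, "attribute_value": GROUP_OBJECT_ID},
    {"name": "disabled-rule", "enabled": False, "attribute_value": "Engineering"},
]

if __name__ == "__main__":
    # groups sourced from user.department: the department name is sent.
    dept = read_claims(sample_assertion("alice@example.com", ["Engineering"]))
    # groups sourced from Add group claim: Object IDs are sent, not group names.
    grp = read_claims(sample_assertion("alice@example.com", [GROUP_OBJECT_ID]))
    print(matching_rules(dept, RULES), matching_rules(grp, RULES))
```

The sketch only reads attributes from a test assertion for troubleshooting the claim mapping; it performs no signature or certificate validation.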

3. Connecting to QuWAN QBelt VPN with QVPN Client and Microsoft Entra ID (Azure AD) SSO

After successfully configuring QuWAN SAML SSO, establish a connection to QuWAN QBelt VPN through the QVPN Client.

  1. Go to QNAP Utilities.
  2. Locate QVPN Client (formerly named QVPN Device Client).
  3. Download the utility to your device.
  4. Install the utility on the device.
  5. Open QVPN Client.
  6. Click Add a QuWAN Profile.
  7. Specify the organization ID.
    Note
    You can find the organization ID in QuWAN Orchestrator. Go to VPN Server Settings > Privilege Settings > SAML SSO.
  8. Click Next.
    The Authentication Settings page appears.
  9. Select SAML SSO as the service.
  10. Click Next.
    QVPN Client prompts you to enter the Microsoft Entra ID (Azure AD) credentials once it opens the default browser.
  11. Click OK.
  12. Enter your Microsoft Entra ID credentials and sign in.
  13. Close the browser and return to QVPN Client.
  14. Configure the profile settings.
    1. Specify a profile name.
    2. Select a regional hub from the drop-down menu.
      You can either let the system automatically select the optimal hub for your needs, or you can manually choose a specific hub and specify the WAN port you want to connect to.
    3. Optional: Select Connect immediately After Save if you want to connect to the QuWAN profile immediately after applying the settings.
  15. Locate the QuWAN profile in QVPN Client, and then click Connect.
    QVPN Client opens the default system browser for user authentication.
  16. Enter your Microsoft Entra ID credentials and sign in.
    You can close the browser after logging in to Microsoft Entra and return to QVPN Client.

QVPN Client connects to the QuWAN QBelt VPN Server using Microsoft Entra ID SSO.

Further Reading

For details on Microsoft Entra ID's functions, visit the following web pages.

 
