📢
UPDATE: 12/4/2022 - Following the Synology 2022 Workshop held last week, I have received some information explaining how the Edge server feature works. More details below in the Edge servers section.

The final addition to the new lineup of C2 services is C2 Identity. What it is and how it works will be the topic of this article, so let's dig in.

C2 Identity - one-stop hybrid identity management

I have mentioned this platform in my overview article "A Cloud for safe data", but we haven't had the chance to look deeper into what C2 Identity really is, how it works, and how much it costs (or will cost).

Official Synology C2 Identity promo

What is C2 Identity in a sentence then?

It is a platform that will allow you to centrally manage users, groups, workstations, and single sign-on (SSO) for Software as a Service (SaaS) applications across your entire organization.

Just like all the other C2 modules, Identity does not require you to own any Synology device to get it going. On top of that, it runs entirely in the cloud (in the Synology C2 data center of your choice), and to begin with, it is free!

C2 Identity tiers and prices

As you can see from the table above, some features are still on the roadmap, and almost all of them are available in the free tier, admittedly with a limited number of supported devices.

Main features

Synology is opening yet another door towards clients and users who want business tools that do not require them to own a Synology NAS. Alongside C2 Password and C2 Backup, Identity is the last in a line of new services that will elevate the whole C2 platform to a new level, and hopefully bring in some new customers.

With the upcoming new C2 data center in Taiwan (with Frankfurt and Seattle already running for years), Synology has covered all of the major parts of the world and is ready to offer its services to everyone.

Should I use it considering it's free?

Nothing is free, as people say, and should you be using a user management platform that might stop one day and leave you locked out? Well, until cloud providers became a big deal, you had to run everything on-premises. Today, things are changing and it's becoming easier and cheaper to run some services as SaaS from the cloud than on-premises.

Should you do it? Well, that depends. If, for example, you need this type of service but do not have room to house a server, or people to run and maintain it, it may be better to have a solution hosted in the cloud than to mess about with it on-premises.

A quick example would be Office 365. Today, for a fraction of the retail price of the same product, you can get 5 licenses for all your devices and some cloud space for data. No wonder O365 is popular. The same principle applies to other SaaS platforms, so why not an identity one?

In my humble opinion for a small team/firm, this kind of platform might be just the right thing to have all your user and device management needs in order.

Registering your C2 Identity domain

Let's see what you need to do in order to get this platform up and running. The first thing you will need is a valid Synology Account, because your Identity domain has to be registered to a specific account. So make sure to create your account (it's free) before you start your configuration. If you don't have one, you will be asked to create one when you visit the C2 Identity main page.

It all starts here https://c2.synology.com/en-us/identity/overview

Once you log into the C2 portal with your Synology Account you will be able to start creating your Identity domain.

At the moment the business model is still not operational

The first thing out the door is the subscription and data center choice. As you can see in the image above, you will have the option to choose from two current data centers and a single subscription tier.

Choose your C2 Identity domain name

In the next step, you will enter the domain name that will be created and used as your identity URL for your devices and clients.

Once completed, you will land on your C2 Identity dashboard.

All done and ready. C2 Identity User overview

Configuring and managing C2 Identity

Add device you want to manage

Once the C2 Identity agent (macOS or Windows) is installed on your computer, it becomes a managed device in your C2 Identity domain that your users can authenticate against.

To get that going, simply log into the portal, and download the agent from the Managed Device section.

Once downloaded, install it on your computer and connect it with the key from step 03 of the wizard (above).

🗒️
NOTE: In case you are unable to download the agent using the buttons in the dialog box you can download them here: https://archive.synology.com/download/Utility/C2IdentityAgent

Enter the C2 Identity key that you can read from the web portal

Be sure to enter your C2 Identity connect key, which is visible in the web portal.

Reboot your machine to complete the process

Once the installation is complete, reboot the machine. Make sure to complete the process by approving the device registration on the admin portal before any further management.

Once rebooted, your users will have the option to log in using C2 Identity.

C2 Identity Windows 10 login screen

That's it! Now you have a device that is connected to your C2 Identity domain and users can use it to log on to the device.

Adding users and groups

Now that we have a machine added, it is time to add some users and groups that can actually use it. The process is simple, and there are multiple ways to add accounts: individually, in bulk using a CSV file, or from an existing directory server.

To start, simply go to the User section of the portal and click the Add User Manually or the green Import Users/Groups button/menu.

Start adding users

For this example, I will use the individual method, but in case you decide to use a bulk import, you can download a compatible CSV template to fill in with your user list.

Adding a user requires several mandatory fields to be populated such as username and email.

Enter the information needed as well as any optional one

In the next step, you will have the option to select a password activation method.

Password activation method

Depending on the selected option, the screen will change. In this case, I will choose to manually specify a password, and send it to the user.

Type or generate a password

After that, your account will be configured and ready to use.

List of users
🗒️
NOTE: By default, all users and devices are members of the Everyone group, so keep that in mind if you want to fine-tune access for a specific user towards a specific device!

C2 Identity User portal

Once you get going with your C2 Identity platform, the final notification you will get is the link to your C2 Identity User portal. If you recall, at the start of the process you needed to register your domain with C2 Identity. In return, your users will now (once logged in with a C2 Identity account) be able to change their own settings such as address, phone numbers and birthday, as well as security features like 2FA and password reset, without needing to bother the C2 Identity admin.

To reach your User portal, use the URL your administrator gives you; it will look something like this:

https://yourdomain.identity.eu.synologyc2.com

Once you log into your device with a valid C2 Identity account and visit the URL, you will land on a page similar to this:

C2 Identity User portal

Clicking the Edit button in the top right corner will allow you to edit some information.

On the second tab, called Security, you will have the option to change your password or activate 2FA.

Change your password or activate 2FA

Activate 2FA for your C2 Identity account

To begin activation of your 2-factor authentication, just click the Enable button. This will start the wizard process that will guide you along the way.

Start your 2FA activation process
Confirm your identity
Download Synology Secure SignIn
🗒️
NOTE: as indicated by the image above, Synology will push their Secure SignIn app as the preferred choice, but it is not needed to make this work. Alternative platforms such as Authy or Bitwarden will work just as well.

Scan or enter the code listed on the screen inside Secure SignIn or any other 2FA app
Confirm pairing by entering a one-time 6-digit code from your 2FA app

Once you have completed the process, you can disable or reset 2FA using the User portal.

2FA activate (User portal view)
2FA status as viewed from the main C2 Identity dashboard

Logging into your device with a C2 Identity account with 2FA

Once you have 2FA active, logging into your account will require you to enter your 2FA code.

Enter your 6-digit 2FA code from the app you have configured

So far C2 Identity does not disappoint. Sync is instantaneous, and you can use both devices and users immediately.

Applications and SSO

The identity platform also allows custom SSO (single sign-on) integrations with third-party applications such as Google Workspace or Microsoft 365. In the paid tier, you will have the option to use the SAML 2.0 or OpenID Connect protocols as well as custom password-based login processes.

These features are still pending.

For now, regarding the free tier, you can integrate with Google Workspace and Microsoft 365.

Considering that I do not own any services on either of those platforms, I will not be demonstrating how those work with C2 Identity.

Edge servers

Finally, C2 Identity offers 1 (in the free tier) or up to 25 local LDAP nodes, meaning local replicas of the C2 Identity server. They authenticate access to on-prem services regardless of whether they are connected to the Internet.

🗒️
NOTE: The Edge server can and will authenticate your local requests if there is no Internet connection, but it will not be able to sync with C2 Identity until the connection is restored! Also, your clients need to be registered/joined with the edge server. More details here: What is C2 Identity Edge Server? - Synology Knowledge Center

For this purpose, Identity offers an Edge server feature. The main dashboard gives you the option to add multiple edge instances (depending on your tier).

Edge server in the form of a Synology NAS, or a Docker container

The following are the mechanisms of the C2 Identity Edge Server:

  • Retrieve user and group data from C2 Identity: The agent keeps its directory up to date via LDAP communications. Any changes to C2 Identity's directory will be immediately synchronized with the agent.
  • Update information to C2 Identity: The agent sends information about the edge server to C2 Identity every 5 minutes (available on Synology NAS only).
  • Authenticate user access to LDAP clients: The agent provides offline LDAP authentication for devices that are joined to the edge server.

Here is the final response from Synology support on the matter:

However, building on this, the written information from a Q&A following the Synology 2022 Workshop states:

While a C2 Identity Edge Server can authenticate devices without an internet connection, synchronization tasks between C2 Identity and the Edge Server will need that connection. Here’s a little more detail about the mechanisms of C2 Identity Edge Servers.

As the link states, any client connected to the edge server will authenticate against it.

Synology C2 Identity Edge Server

If you decide to run your edge server on your Synology NAS there are a few things that need to be considered as prerequisites.

First off, supported models. At the time of writing this article, a NAS compatible with the Edge Server role can be one of the following models:

  • FS series: FS6400, FS3600, FS3400, FS3017, FS2017, FS1018
  • SA series: SA3600, SA3400, SA3200D
  • 21 series: RS4021xs+, RS3621xs+, RS3621RPxs, RS2821RP+, RS2421RP+, RS2421+, RS1221RP+, RS1221+, DS1821+, DS1621xs+, DS1621+, DVA3221
  • 20 series: RS820RP+, RS820+, DS1520+, DS920+, DS720+, DS620slim, DS420+, DS220+
  • 19 series: RS1619xs+, RS1219+, DS2419+II, DS2419+, DS1819+, DS1019+, DVA3219
  • 18 series: RS3618xs, RS2818RP+, RS2418RP+, RS2418+, RS818RP+, RS818+, DS3018xs, DS1618+, DS918+, DS718+, DS418play, DS218+
  • 17 series: RS18017xs+, RS4017xs+, RS3617xs+, RS3617RPxs, RS3617xs, DS3617xsII, DS3617xs, DS1817+, DS1517+
  • 16 series: RS18016xs+, RS2416RP+, RS2416+, DS916+, DS716+II, DS716+, DS416play, DS216+II, DS216+
  • 15 series: RS815RP+, RS815+, RC18015xs+, DS3615xs, DS2415+, DS1815+, DS1515+, DS415+
  • 14 series: RS3614xs+, RS3614RPxs, RS3614xs, RS2414RP+, RS2414+, RS814RP+, RS814+
  • 13 series: RS10613xs+, RS3413xs+, DS2413+, DS1813+, DS1513+, DS713+

Second, your NAS has to run DSM 7.0.x or above.

On top of this, if you are already running Synology Directory Server or LDAP server packages, you will NOT be able to run the Edge Server package!

To begin the process, log into your NAS, open up the Package Center app, and install the C2 Identity Edge Server.

Install the Edge server package
This process will install the Docker package if you do not have it installed already, even if you haven't chosen the Docker edge server installation.

The first thing that you will need to configure or confirm is the edge server port that will be used by your local instance.

Configure edge port
Run the installation
C2 Identity Edge Server running

As expected, this edge server is actually running as a Docker container. By opening the Docker app on your NAS, you can see that there is a running container called watchtower using the synology/watchtower image.

The edge server is actually running as a Docker container

However, inspecting from the CLI shows that two containers are running.

Multiple Docker containers

The actual edge server is the synology/ldap-agent container, listening on the LDAP default port 389 and on port 7712 (the default install port) for the web UI portal. The watchtower container is there to keep the ldap-agent up to date.
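Since the admin web UI offers no logs, a quick health check from the NAS shell is the practical way to confirm both containers are up and the agent still publishes its ports. The script below is an added example, not code from the article or from Synology; it assumes the `docker ps --format` columns shown and strips any `:tag` from the image name, while the image names and ports are those the article reports.

```python
import subprocess

# Assumptions (not from the article or Synology): the `docker ps` format string
# and the tag-stripping below. Image names and ports are the ones the article
# reports: synology/ldap-agent on 389 (LDAP) and 7712 (web UI), plus watchtower.
LDAP_IMAGE = "synology/ldap-agent"
UPDATER_IMAGE = "synology/watchtower"
PS_FORMAT = "{{.Image}}\t{{.Status}}\t{{.Ports}}"

def parse_ps(output: str) -> dict:
    """Map image name -> (status, set of published host ports) from `docker ps` lines."""
    containers = {}
    for line in output.splitlines():
        if not line:
            continue
        image, status, ports = line.split("\t")
        host_ports = set()
        for mapping in ports.split(","):
            # e.g. "0.0.0.0:389->389/tcp" or ":::7712->7712/tcp"
            if "->" in mapping:
                host = mapping.strip().split("->")[0].rsplit(":", 1)[-1]
                if host.isdigit():
                    host_ports.add(int(host))
        containers[image.split(":")[0]] = (status, host_ports)  # drop ':tag'
    return containers

def check_edge_server(output: str, ui_port: int = 7712) -> list:
    """Return findings; an empty list means both containers look healthy."""
    findings = []
    containers = parse_ps(output)
    if LDAP_IMAGE not in containers:
        findings.append("ldap-agent container is not running")
    else:
        status, ports = containers[LDAP_IMAGE]
        if not status.startswith("Up"):
            findings.append(f"ldap-agent status is '{status}'")
        for port in (389, ui_port):
            if port not in ports:
                findings.append(f"ldap-agent does not publish port {port}")
    if UPDATER_IMAGE not in containers:
        findings.append("watchtower updater container is not running")
    return findings

def check_live(ui_port: int = 7712) -> list:
    """Run the check against the local Docker daemon (needs `docker` on PATH)."""
    ps = subprocess.run(["docker", "ps", "--format", PS_FORMAT], capture_output=True, text=True, check=True)
    return check_edge_server(ps.stdout, ui_port)

if __name__ == "__main__":
    for finding in check_live():
        print("WARN:", finding)
```

Pass the custom port you chose during installation as `ui_port` if you did not keep 7712.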

The next step is to connect the edge server to the C2 Identity domain. Opening the C2 Identity Edge Server icon from the DSM menu loads a web page that lets you connect to your Identity domain.

🗒️
NOTE: the edge server will run on the custom port that you have configured in the installation, and the web UI will be accessible on your local NAS IP address running on that same port.

Time to connect your Identity domain with your local edge server

Be sure to enter the connect key value for your edge server that you can locate in your C2 Identity domain portal.

Copy the connect key value to the edge server web UI
Once connected, approve it in the admin web UI

When you open up your C2 Identity web portal, you will see all your edge servers as well as their status.

Approve the edge server

Use the dropdown menu on the far right side to approve the server, and then enter your main C2 Encryption Key, the one you created when you set up your Synology Account/C2 profile.

Upon successful approval, you will have a Connected status confirmation in the browser and the admin portal.

Edge server approved

With this setup, you will be able to authenticate any on-premises resource against your C2 Identity domain, such as another Synology NAS or any other LDAP-capable system.

🗒️
NOTE: First-time user log-on will have to be made against the C2 Identity cloud instance. So make sure that you have Internet connectivity at that time!

Conclusion

I have to say I am very pleased with the Identity platform so far. It works as advertised, there were no problems setting it up, and the configuration was straightforward.

The only "problem" that I might have with it is the lack of logs. Apart from some humble logs from the Docker LDAP container, there are no logs in the web UI. Truth be told, I didn't need access to them, but it would be good to have some logs from the admin side of things just in case.

All in all, a solid platform that Synology will undoubtedly expand on with more features, so let's see what this will bring in the future. For the time being, a free cloud-based identity platform that works, and is not complicated to set up or maintain, is welcome in this cloudification era ahead.