The final addition to the new lineup of C2 services is C2 Identity. What it is and how it works will be the topic of this article, so let's dig in.
C2 Identity - one-stop hybrid identity management
I have mentioned this platform in my overview article "A Cloud for safe data", but we haven't had the chance to look deeper into what C2 Identity really is, how it works, and how much it costs (or will cost).
What is C2 Identity in a sentence then?
Just like all the other C2 modules, Identity does not require you to own any Synology device to get it going. On top of that, it runs entirely in the cloud (in the Synology C2 data center of your choice), and, to begin with, it is free!
As you can see from the table above, some features are still on the road map, and almost all of them are supported in the free tier. Admittedly in a limited capacity when it comes to the number of devices supported, but still.
Synology is opening yet another door towards clients and users that want business tools without owning a Synology NAS. Alongside C2 Password and C2 Backup, Identity is the last in a line of new services that will elevate the whole C2 platform to a new level, and hopefully bring in some new customers.
With the upcoming new C2 data center in Taiwan (Frankfurt and Seattle have already been running for years), Synology has covered all of the major parts of the world and is ready to offer everyone its services.
Should I use it considering it's free?
There is no such thing as free, people say, and should you be using a user management platform that might stop one day and leave you locked out? Well, until cloud providers became a big deal, you had to run everything on-premises. Today, things are changing, and it is becoming easier and cheaper to run some services as SaaS from the cloud than on-premises.
Should you do it? Well, that depends. If you need this type of service and do not have room to house a server, or people to run and maintain it, it may be better to have a solution hosted in the cloud than to mess about with it on-premises.
A quick example would be Office 365. Today, for a fraction of the retail price of the same product, you can get 5 licenses for all your devices and some cloud space for data. No wonder O365 is popular. The same principle applies to other SaaS platforms, so why not an identity one?
In my humble opinion, for a small team or firm, this kind of platform might be just the right thing to keep all your user and device management needs in order.
Registering your C2 Identity domain
Let's see what you need to do in order to get this platform up and running. The first thing you will need is a valid Synology Account, because your Identity domain has to be registered to a specific account. So make sure to create your account (it's free) before you start your configuration. If you don't have one, you will be required to create it when you visit the C2 Identity main page.
It all starts here: https://c2.synology.com/en-us/identity/overview
Once you log into the C2 portal with your Synology Account you will be able to start creating your Identity domain.
The first step is the subscription and data center choice. As you can see in the image above, you will have the option to choose from the two current data centers and a single subscription tier.
In the next step, you will enter the domain name that will be created and used as the identity URL for your devices and clients.
Once completed, you will land on your C2 Identity dashboard.
Configuring and managing C2 Identity
Add a device you want to manage
With the C2 Identity agent (macOS or Windows) installed on your computer, the computer becomes a registered device of your C2 Identity domain, which your users can then authenticate against.
To get that going, simply log into the portal, and download the agent from the Managed Device section.
Once downloaded, install it on your computer and connect it with the key from step 03 of the wizard (above).
Be sure to enter your C2 Identity connect key, which is accessible and visible in the web portal.
Once the installation is complete, reboot the machine. Make sure to complete the process by approving the device registration in the admin portal before any further management.
Once rebooted, your users will have the option to log in using C2 Identity.
That's it! Now you have a device that is connected to your C2 Identity domain, and users can use their C2 Identity accounts to log on to it.
Adding users and groups
Now that we have a machine added, it is time to add some users and groups that can actually use it. The process is simple, and there are multiple ways to add accounts: individually, in bulk using a CSV file, or from an existing directory server.
To start, simply go to the User section of the portal and click Add User Manually or the green Import Users/Groups button/menu.
For this example, I will use the individual method, but in case you decide to do a bulk import, you can download a compatible CSV file to use as a template for uploading your user list.
Adding a user requires several mandatory fields to be populated such as username and email.
In the next step, you will have the option to select a password activation method.
Depending on the selected option, the screen will change. In this case, I will choose to manually specify a password and send it to the user.
After that, your account will be configured and ready to use.
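Since a bulk import only works if every row carries the mandatory username and email, it pays to check the file before uploading it. The following validator is an added example written for this article, not Synology's code or the real template: the column names `username` and `email` are assumptions (the article only says those two fields are mandatory), and the sample CSV is constructed with deliberate mistakes. It catches empty mandatory fields, malformed emails, and duplicate usernames or emails, which matter because the password activation step emails each new user.

```python
import csv
import io
import re
import sys

# The article says username and email are mandatory; these column names are an
# assumption, since the real C2 Identity CSV template is not reproduced here.
REQUIRED_COLUMNS = ("username", "email")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Constructed sample import file with deliberate mistakes (not a real export).
SAMPLE_CSV = "\n".join([
    "username,email,display_name",
    "alice,alice@example.com,Alice Example",
    "bob,bob@example.com,Bob Example",
    "Alice,alice2@example.com,Alice Again",   # duplicate username (case-insensitive)
    "carol,not-an-email,Carol Example",      # malformed email
    ",dave@example.com,No Username",         # missing username
    "erin,BOB@example.com,Erin Example",     # email already used by bob
])


def validate_user_csv(text):
    """Return a list of human-readable problems; an empty list means the file is clean."""
    reader = csv.DictReader(io.StringIO(text))
    headers = reader.fieldnames or []
    missing = [c for c in REQUIRED_COLUMNS if c not in headers]
    if missing:
        return [f"missing required column(s): {', '.join(missing)}"]

    problems = []
    seen_users = {}   # lowercase username -> line where first seen
    seen_emails = {}  # lowercase email -> line where first seen
    for row in reader:
        lineno = reader.line_num          # physical line in the file (header is line 1)
        user = (row.get("username") or "").strip()
        email = (row.get("email") or "").strip().lower()

        if not user:
            problems.append(f"line {lineno}: empty username")
        elif user.lower() in seen_users:
            problems.append(
                f"line {lineno}: duplicate username {user!r} (first on line {seen_users[user.lower()]})")
        else:
            seen_users[user.lower()] = lineno

        if not email:
            problems.append(f"line {lineno}: empty email")
        elif not EMAIL_RE.match(email):
            problems.append(f"line {lineno}: malformed email {email!r}")
        elif email in seen_emails:
            problems.append(f"line {lineno}: email {email!r} already used on line {seen_emails[email]}")
        else:
            seen_emails[email] = lineno
    return problems


if __name__ == "__main__":
    # Validate a file given on the command line, or the constructed sample when none is given.
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_CSV
    for problem in validate_user_csv(text) or ["no problems found"]:
        print(problem)
```

Usernames are compared case-insensitively on purpose: two accounts differing only by case are a common source of confusion at login time, so it is better to reject them before the import than to untangle them afterwards.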
C2 Identity User portal
Once you get going with your C2 Identity platform, the final notification you will get is the link to your C2 Identity User portal. If you recall, at the start of the process you needed to register your domain with C2 Identity. In return, your users will now (once logged in with a C2 Identity account) be able to change their own settings, such as address, phone numbers and birthday, as well as security features like 2FA and password reset, without needing to bother the C2 Identity admin.
To get to your User portal, use the URL that the administrator will give you; it will be something like this:
Once you log into your device with a valid C2 Identity account and visit the URL, you will land on a page similar to this:
Clicking the Edit button in the top right corner will allow you to edit some information.
On the second tab, called Security, you will have the option to change your password or activate 2FA.
Activate 2FA for your C2 Identity account
To begin activating 2-factor authentication, just click the Enable button. This will start a wizard that will guide you along the way.
Once you have completed the process, you can disable or reset 2FA from the User portal.
Logging into your device with a C2 Identity account with 2FA
Once you have 2FA active, logging into your account will require you to enter your 2FA code.
So far, C2 Identity does not disappoint. Sync is instantaneous, and you can use both devices and users immediately.
Applications and SSO
The identity platform also allows custom SSO (single sign-on) integrations with 3rd-party applications such as Google Workspace or Microsoft 365. In the paid tier, you will have the option to use the SAML 2.0 or OpenID Connect protocols, as well as custom password-based login processes.
These features are still pending.
For now, regarding the free tier, you can integrate with Google Workspace and Microsoft 365.
Considering that I do not own any services on either of those platforms, I will not be demonstrating how those work with C2 Identity.
Finally, C2 Identity will offer 1 (in the free tier) or up to 25 local LDAP nodes, meaning local replicas of the C2 Identity server. A replica authenticates access to on-prem services regardless of whether they are connected to the Internet.
For this purpose, Identity offers an Edge Server feature. In the main dashboard, you have the option to add multiple edge instances (depending on your tier).
The following are the mechanisms of the C2 Identity Edge Server:
- Retrieve user and group data from C2 Identity: The agent keeps its directory up to date via LDAP communications. Any changes to C2 Identity's directory will be immediately synchronized with the agent.
- Update information to C2 Identity: The agent sends information about the edge server to C2 Identity every 5 minutes (available on Synology NAS only).
- Authenticate user access to LDAP clients: The agent provides offline LDAP authentication for devices that are joined to the edge server.
Here is the final response from Synology support on the matter:
However, building on this, the written info from a Q&A following the Synology 2022 Workshop states:
While a C2 Identity Edge Server can authenticate devices without an internet connection, synchronization tasks between C2 Identity and the Edge Server will need that connection. Here’s a little more detail about the mechanisms of C2 Identity Edge Servers.
As the link states, any client connected to the edge server will authenticate against it.
Synology C2 Identity Edge Server
If you decide to run your edge server on your Synology NAS, there are a few prerequisites that need to be considered.
First off, supported models. At the time of writing, a compatible NAS for the Edge Server role can be one of the following models:
- FS series: FS6400, FS3600, FS3400, FS3017, FS2017, FS1018
- SA series: SA3600, SA3400, SA3200D
- 21 series: RS4021xs+, RS3621xs+, RS3621RPxs, RS2821RP+, RS2421RP+, RS2421+, RS1221RP+, RS1221+, DS1821+, DS1621xs+, DS1621+, DVA3221
- 20 series: RS820RP+, RS820+, DS1520+, DS920+, DS720+, DS620slim, DS420+, DS220+
- 19 series: RS1619xs+, RS1219+, DS2419+II, DS2419+, DS1819+, DS1019+, DVA3219
- 18 series: RS3618xs, RS2818RP+, RS2418RP+, RS2418+, RS818RP+, RS818+, DS3018xs, DS1618+, DS918+, DS718+, DS418play, DS218+
- 17 series: RS18017xs+, RS4017xs+, RS3617xs+, RS3617RPxs, RS3617xs, DS3617xsII, DS3617xs, DS1817+, DS1517+
- 16 series: RS18016xs+, RS2416RP+, RS2416+, DS916+, DS716+II, DS716+, DS416play, DS216+II, DS216+
- 15 series: RS815RP+, RS815+, RC18015xs+, DS3615xs, DS2415+, DS1815+, DS1515+, DS415+
- 14 series: RS3614xs+, RS3614RPxs, RS3614xs, RS2414RP+, RS2414+, RS814RP+, RS814+
- 13 series: RS10613xs+, RS3413xs+, DS2413+, DS1813+, DS1513+, DS713+
Second, your NAS has to run DSM 7.0.x or above.
On top of this, if you are already running the Synology Directory Server or LDAP Server packages, you will NOT be able to run the Edge Server package!
To begin the process, log into your NAS, open up the Package Center app, and install the C2 Identity Edge Server.
The first thing you will need to configure or confirm is the edge server port that will be used by your local instance.
As expected, this edge server actually runs as a Docker container. By opening the Docker app on your NAS, you can see that there is a running container called watchtower, using the synology/watchtower image.
However, with CLI inspection, we can see that there are actually two containers running.
The actual edge server is the synology/ldap-agent container, listening on the LDAP default port 389 and on port 7712 (the default install port) for the web UI portal. The watchtower container is there to keep the ldap-agent container up to date.
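The CLI inspection above is worth turning into a repeatable health check, since the authentication path for every on-prem client depends on the ldap-agent container being up with its ports published. The script below is an added example written for this article, not part of the Edge Server package: it parses `docker ps` output in a fixed `--format`, confirms that containers from the synology/ldap-agent and synology/watchtower images are running and that the agent publishes 389 and 7712 (the ports named above), and separately reports which of those ports are bound on all interfaces. The sample output is constructed, and the container name `ldap-agent` is an assumption; only the image names and ports come from the article.

```python
import subprocess

# Image names and ports are taken from the article; the container names are assumed.
EXPECTED_IMAGES = ("synology/ldap-agent", "synology/watchtower")
DOCKER_PS_FORMAT = "{{.Names}}\t{{.Image}}\t{{.Ports}}"

# Constructed sample of `docker ps` output in the format above (not captured from a real NAS).
SAMPLE_PS_OUTPUT = (
    "ldap-agent\tsynology/ldap-agent:latest\t0.0.0.0:389->389/tcp, 0.0.0.0:7712->7712/tcp\n"
    "watchtower\tsynology/watchtower:latest\t\n"
)


def parse_docker_ps(text):
    """Map image repository -> {"name": container name, "ports": {(bind_addr, host_port)}}."""
    containers = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        name, image, ports = (line.split("\t") + ["", ""])[:3]
        repo = image.split("@")[0].rsplit(":", 1)[0] if ":" in image else image  # drop tag/digest
        published = set()
        for mapping in ports.split(","):
            mapping = mapping.strip()
            if "->" not in mapping:
                continue                                  # exposed but not published
            host_part = mapping.split("->")[0]            # e.g. "0.0.0.0:389" or "[::]:389"
            bind_addr, _, host_port = host_part.rpartition(":")
            published.add((bind_addr.strip("[]"), int(host_port)))
        containers[repo] = {"name": name, "ports": published}
    return containers


def check_edge_server(ps_text, ldap_port=389, web_port=7712):
    """Return a list of errors; an empty list means the expected containers and ports are present."""
    errors = []
    containers = parse_docker_ps(ps_text)
    for repo in EXPECTED_IMAGES:
        if repo not in containers:
            errors.append(f"container from image {repo} is not running")
    agent = containers.get("synology/ldap-agent")
    if agent:
        host_ports = {port for _, port in agent["ports"]}
        for port, role in ((ldap_port, "LDAP"), (web_port, "web UI")):
            if port not in host_ports:
                errors.append(f"ldap-agent does not publish {role} port {port}")
    return errors


def exposed_on_all_interfaces(ps_text):
    """Sorted host ports of the ldap-agent that answer on every interface of the NAS."""
    agent = parse_docker_ps(ps_text).get("synology/ldap-agent")
    if not agent:
        return []
    return sorted(port for addr, port in agent["ports"] if addr in ("0.0.0.0", "::", ""))


if __name__ == "__main__":
    # On DSM, `docker` needs root privileges; run this via sudo over SSH.
    out = subprocess.run(["docker", "ps", "--format", DOCKER_PS_FORMAT],
                         capture_output=True, text=True, check=True).stdout
    for line in check_edge_server(out) or ["edge server containers look as expected"]:
        print(line)
    print("ldap-agent ports bound on all interfaces:", exposed_on_all_interfaces(out))
```

A port bound on all interfaces is not an error in itself, but it is the kind of fact worth recording when you decide which NAS interfaces and firewall rules should reach the edge server, given that LDAP clients on the LAN are meant to authenticate against it.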
The next step is to connect the edge server to the C2 Identity domain. Opening the C2 Identity Edge Server icon from the DSM menu loads a web page that allows you to connect to your Identity domain.
Be sure to enter the connect key value for your edge server that you can locate in your C2 Identity domain portal.
When you open up your C2 Identity web portal, you will see all your edge servers as well as their status.
Use the dropdown menu on the far right side to approve the server, and then enter your main C2 Encryption Key that you created when you set up your Synology Account/C2 profile.
Upon successful approval, you will have a Connected status confirmation in the browser and the admin portal.
With this setup, you will be able to authenticate any on-premises resource against your C2 Identity domain, such as another Synology NAS or any other LDAP-capable system.
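To see what "authenticate against the edge server" means on the wire, and to have a quick connectivity test before joining a client, here is an added example (written for this article, not Synology's code or a library the page mentions) that performs an LDAPv3 simple bind by hand: it BER-encodes the BindRequest, sends it to port 389, and decodes the BindResponse result code. `EDGE_HOST` and `BIND_DN` are placeholders, the DN layout is an assumption since the article does not show how C2 Identity names its users, and the `build_bind_response` helper is only the server's side of the exchange, used here to construct sample responses for the decoder.

```python
import socket

EDGE_HOST = "edge-server.example.local"   # placeholder: your NAS running the Edge Server
EDGE_PORT = 389                            # default LDAP port the ldap-agent listens on
BIND_DN = "uid=alice,dc=example,dc=com"    # assumed DN layout; use the real one from your portal

# Selected LDAP result codes (RFC 4511 section 4.1.9).
RESULT_CODES = {0: "success", 7: "authMethodNotSupported", 8: "strongerAuthRequired",
                32: "noSuchObject", 34: "invalidDNSyntax", 49: "invalidCredentials",
                53: "unwillingToPerform"}


def _ber_len(n):
    """BER length: short form below 128, otherwise 0x80 | byte count followed by the bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, value):
    return bytes([tag]) + _ber_len(len(value)) + value


def _integer(n):
    # Non-negative integers only; a leading 0x00 is added when the high bit is set.
    return _tlv(0x02, n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big"))


def bind_request(message_id, dn, password):
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] { version 3, name, simple [0] } }."""
    bind = _integer(3) + _tlv(0x04, dn.encode()) + _tlv(0x80, password.encode())
    return _tlv(0x30, _integer(message_id) + _tlv(0x60, bind))


def build_bind_response(message_id, result_code, diagnostic=""):
    """Server side of the exchange: BindResponse [APPLICATION 1] { resultCode, matchedDN, diagnostic }."""
    body = _tlv(0x0A, bytes([result_code])) + _tlv(0x04, b"") + _tlv(0x04, diagnostic.encode())
    return _tlv(0x30, _integer(message_id) + _tlv(0x61, body))


def _read_tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                     # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def parse_bind_response(data):
    """Decode an LDAPMessage carrying a BindResponse into id, result code and diagnostic text."""
    tag, message, _ = _read_tlv(data, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, msg_id, pos = _read_tlv(message, 0)
    tag, body, _ = _read_tlv(message, pos)
    if tag != 0x61:
        raise ValueError(f"unexpected protocolOp tag 0x{tag:02x}")
    _, code, pos = _read_tlv(body, 0)                     # ENUMERATED resultCode
    _, _matched_dn, pos = _read_tlv(body, pos)
    _, diagnostic, _ = _read_tlv(body, pos)
    result = int.from_bytes(code, "big")
    return {"message_id": int.from_bytes(msg_id, "big"), "result_code": result,
            "result": RESULT_CODES.get(result, f"code {result}"),
            "diagnostic": diagnostic.decode("utf-8", "replace")}


def ldap_simple_bind(host, port, dn, password, timeout=5.0):
    """Send one simple bind to the edge server and return the decoded response."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(bind_request(1, dn, password))
        data = sock.recv(4096)        # a BindResponse is tiny; one read is enough here
    return parse_bind_response(data)


if __name__ == "__main__":
    import getpass
    print(ldap_simple_bind(EDGE_HOST, EDGE_PORT, BIND_DN, getpass.getpass("password: ")))
```

Two practical points follow from the exchange. A simple bind on port 389 carries the password in clear text, so this check (and any LDAP client you join) should only talk to the edge server over a trusted network segment unless TLS is put in front of it. And since the admin UI offers no logs, the result code and diagnostic string returned here are the only place a failed on-prem authentication is visible from the client side, which makes them worth recording when you troubleshoot a join.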
I have to say I am very pleased with the Identity platform so far. It works as advertised, there were no problems setting it up, and the configuration was straightforward.
The only "problem" I might have with it is the lack of logs. Apart from some humble logs from the Docker LDAP container, there are no logs in the web UI. Truth be told, I didn't need access to them, but it would be good to have some logs from the admin side of things, just in case.
All in all, a solid platform that Synology will undoubtedly expand on with more features, so let's see what this will bring in the future. For the time being, a free cloud-based identity platform that works, and is not complicated to set up or maintain, is welcome in this cloudification era ahead.