{"id":1169,"date":"2024-01-04T16:07:40","date_gmt":"2024-01-04T15:07:40","guid":{"rendered":"https:\/\/chochol.io\/smart-home\/authentik-single-sign-on-configuration-for-synology-dsm\/"},"modified":"2025-08-23T19:53:05","modified_gmt":"2025-08-23T17:53:05","slug":"authentik-single-sign-on-configuration-for-synology-dsm","status":"publish","type":"post","link":"https:\/\/chochol.io\/en\/software\/authentik-single-sign-on-configuration-for-synology-dsm\/","title":{"rendered":"Authentik: Single Sign-On Configuration for Synology DSM"},"content":{"rendered":"\t\t<div data-elementor-type=\"wp-post\" data-elementor-id=\"1169\" class=\"elementor elementor-1169 elementor-923\" data-elementor-post-type=\"post\">\n\t\t\t\t<div class=\"elementor-element elementor-element-1d2eeca e-flex e-con-boxed e-con e-parent\" data-id=\"1d2eeca\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-e0b1db0 elementor-toc--minimized-on-tablet elementor-widget elementor-widget-table-of-contents\" data-id=\"e0b1db0\" data-element_type=\"widget\" data-e-type=\"widget\" data-settings=\"{&quot;exclude_headings_by_selector&quot;:[],&quot;no_headings_message&quot;:&quot;No headings were found on this page.&quot;,&quot;headings_by_tags&quot;:[&quot;h2&quot;,&quot;h3&quot;,&quot;h4&quot;,&quot;h5&quot;,&quot;h6&quot;],&quot;marker_view&quot;:&quot;numbers&quot;,&quot;minimize_box&quot;:&quot;yes&quot;,&quot;minimized_on&quot;:&quot;tablet&quot;,&quot;hierarchical_view&quot;:&quot;yes&quot;,&quot;min_height&quot;:{&quot;unit&quot;:&quot;px&quot;,&quot;size&quot;:&quot;&quot;,&quot;sizes&quot;:[]},&quot;min_height_tablet&quot;:{&quot;unit&quot;:&quot;px&quot;,&quot;size&quot;:&quot;&quot;,&quot;sizes&quot;:[]},&quot;min_height_mobile&quot;:{&quot;unit&quot;:&quot;px&quot;,&quot;size&quot;:&quot;&quot;,&quot;sizes&quot;:[]}}\" data-widget_type=\"table-of-contents.default\">\n\t\t\t\t<div 
class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<div class=\"elementor-toc__header\">\n\t\t\t\t\t\t<div class=\"elementor-toc__header-title\">\n\t\t\t\tTable of contents\t\t\t<\/div>\n\t\t\t\t\t\t\t\t\t\t<div class=\"elementor-toc__toggle-button elementor-toc__toggle-button--expand\" role=\"button\" tabindex=\"0\" aria-controls=\"elementor-toc__e0b1db0\" aria-expanded=\"true\" aria-label=\"Open table of contents\"><svg aria-hidden=\"true\" class=\"e-font-icon-svg e-fas-chevron-down\" viewBox=\"0 0 448 512\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\"><path d=\"M207.029 381.476L12.686 187.132c-9.373-9.373-9.373-24.569 0-33.941l22.667-22.667c9.357-9.357 24.522-9.375 33.901-.04L224 284.505l154.745-154.021c9.379-9.335 24.544-9.317 33.901.04l22.667 22.667c9.373 9.373 9.373 24.569 0 33.941L240.971 381.476c-9.373 9.372-24.569 9.372-33.942 0z\"><\/path><\/svg><\/div>\n\t\t\t\t<div class=\"elementor-toc__toggle-button elementor-toc__toggle-button--collapse\" role=\"button\" tabindex=\"0\" aria-controls=\"elementor-toc__e0b1db0\" aria-expanded=\"true\" aria-label=\"Close table of contents\"><svg aria-hidden=\"true\" class=\"e-font-icon-svg e-fas-chevron-up\" viewBox=\"0 0 448 512\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\"><path d=\"M240.971 130.524l194.343 194.343c9.373 9.373 9.373 24.569 0 33.941l-22.667 22.667c-9.357 9.357-24.522 9.375-33.901.04L224 227.495 69.255 381.516c-9.379 9.335-24.544 9.317-33.901-.04l-22.667-22.667c-9.373-9.373-9.373-24.569 0-33.941L207.03 130.525c9.372-9.373 24.568-9.373 33.941-.001z\"><\/path><\/svg><\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<div id=\"elementor-toc__e0b1db0\" class=\"elementor-toc__body\">\n\t\t\t<div class=\"elementor-toc__spinner-container\">\n\t\t\t\t<svg class=\"elementor-toc__spinner eicon-animation-spin e-font-icon-svg e-eicon-loading\" aria-hidden=\"true\" viewBox=\"0 0 1000 1000\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\"><path d=\"M500 975V858C696 858 858 696 858 500S696 142 500 142 142 304 142 500H25C25 237 238 25 500 
25S975 237 975 500 763 975 500 975Z\"><\/path><\/svg>\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-8c2fae5 elementor-widget elementor-widget-text-editor\" data-id=\"8c2fae5\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<h2>Hello!<\/h2><p>Today I&#8217;ll walk you through the steps of setting up single sign-on (SSO) between a Synology server and Authentik.<\/p><h3>What is Synology DSM?<\/h3><p><img decoding=\"async\" class=\"alignleft\" src=\"https:\/\/chochol.io\/wp-content\/uploads\/2023\/12\/synology.png\" alt=\"Icon: Synology DSM\" width=\"155\" height=\"155\" \/><strong>Synology DiskStation Manager<\/strong> is an operating system developed by Synology Inc., specifically designed to run on their NAS servers. DSM offers an intuitive and integrated environment for data management, file sharing, backup, and support for a variety of applications.<\/p><h3>What is Authentik?<\/h3><p><img decoding=\"async\" class=\"alignleft wp-image-518\" src=\"https:\/\/chochol.io\/wp-content\/uploads\/2023\/12\/authentik-orange-icon-2048x1567-suu0o0ov-300x230.png\" sizes=\"(max-width: 150px) 100vw, 150px\" srcset=\"https:\/\/chochol.io\/wp-content\/uploads\/2023\/12\/authentik-orange-icon-2048x1567-suu0o0ov-300x230.png 300w, https:\/\/chochol.io\/wp-content\/uploads\/2023\/12\/authentik-orange-icon-2048x1567-suu0o0ov-1024x784.png 1024w, https:\/\/chochol.io\/wp-content\/uploads\/2023\/12\/authentik-orange-icon-2048x1567-suu0o0ov-768x588.png 768w, https:\/\/chochol.io\/wp-content\/uploads\/2023\/12\/authentik-orange-icon-2048x1567-suu0o0ov-1536x1175.png 1536w, https:\/\/chochol.io\/wp-content\/uploads\/2023\/12\/authentik-orange-icon-2048x1567-suu0o0ov-330x250.png 330w, 
https:\/\/chochol.io\/wp-content\/uploads\/2023\/12\/authentik-orange-icon-2048x1567-suu0o0ov.png 2048w\" alt=\"\" width=\"150\" height=\"115\"><strong>Authentik<\/strong> is an open-source tool that acts as an identity provider (IdP). Comparable commercial services, such as Okta or OneLogin, are already operating in the market. Comparable open-source tools include Keycloak and Authelia.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-dd7d5c8 elementor-alert-info elementor-widget elementor-widget-alert\" data-id=\"dd7d5c8\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"alert.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"elementor-alert\" role=\"alert\">\n\n\t\t\t\t\t\t<span class=\"elementor-alert-title\">Information<\/span>\n\t\t\t\n\t\t\t\t\t\t<span class=\"elementor-alert-description\"><p>The following tutorial was developed using versions: Synology DSM 7.2.1-69057 Update 3 and Authentik 2023.10.5<\/p>\n<\/span>\n\t\t\t\n\t\t\t\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-17eaa96 elementor-widget elementor-widget-text-editor\" data-id=\"17eaa96\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<h2>Preparation<\/h2><p>This tutorial uses the domain names and identifiers described below. 
During setup, adjust the settings according to your needs.<\/p><ul><li>Full domain name (FQDN) of Synology DSM: <strong>https:\/\/dsm.xyz.com<\/strong><\/li><li>Full domain name (FQDN) of Authentik: <strong>https:\/\/auth.xyz.com<\/strong><\/li><\/ul><h2>Introduction to the guide<\/h2><h3>New system &#8211; new functionalities<\/h3><p>With the introduction of <strong>DSM<\/strong> version <strong>7.0<\/strong> of its <strong>DiskStation Manager<\/strong> system, Synology opened up new possibilities for logging in via identity providers using the <strong>OpenID Connect<\/strong> protocol. Originally, the feature was only available for single sign-on via Azure Active Directory from Microsoft or IBM WebSphere Application Server. In addition, full use of the single sign-on feature required that the identity provider&#8217;s server be connected to Synology via LDAP or Active Directory.<\/p><p>With the release of <strong>DSM 7.2<\/strong>, Synology introduced four single sign-on protocols: <strong>OpenID Connect, SAML, CAS<\/strong> and <strong>Synology&#8217;s proprietary SSO<\/strong>. What&#8217;s more, user data no longer needs to be retrieved from LDAP\/AD &#8211; users can now be identified against local accounts.<\/p><p>The following tutorial will focus on Single Sign-On implementation using <strong>OpenID Connect<\/strong> and <strong>local users<\/strong>.<\/p><h3>What about devices based on DSM 7.1?<\/h3><p>Many users may still be running a DSM 7.1-based system because their device is too old to receive the DSM 7.2 upgrade. With Authentik as the identity provider, connection via OpenID Connect + LDAP is currently impossible, according to information available as of the date of writing. On GitHub, there are open reports of difficulties in connecting Authentik to a Synology device using the LDAP protocol.<\/p><p>In the near future, I plan to prepare two articles outlining ways around this problem, based on two scenarios. 
The first involves an existing Synology device in our home lab with DSM 7.2 installed, while the second suggests using the SSO Server application from Synology.<\/p><h3>What is OpenID Connect?<\/h3><p>The OpenID Connect (OIDC) protocol is an authentication layer built on top of the OAuth 2.0 protocol that enables secure authentication and acquisition of user identity information in web applications. Below are the key elements that describe how OpenID Connect works:<\/p><ul><li><strong>Built on OAuth 2.0:<\/strong> OpenID Connect uses the OAuth 2.0 protocol as its basis. OAuth 2.0 allows applications to access resources on behalf of the user (authorization), and OpenID Connect extends this protocol with an authentication layer.<\/li><li><strong>Issuing Tokens:<\/strong> Once a user is successfully authenticated, tokens that contain identity information are issued. These are typically:<ul><li><strong>ID Token:<\/strong> Contains basic information about the user, such as ID, first name, last name, etc.<\/li><li><strong>Access Token:<\/strong> Allows access to protected resources on behalf of the user.<\/li><li><strong>Refresh Token:<\/strong> Used to obtain new tokens after the current ones expire.<\/li><\/ul><\/li><li><strong>JSON Web Tokens (JWT):<\/strong> The information sent in the tokens is often encoded as JSON Web Tokens, a format that keeps them compact and allows them to be signed.<\/li><li><strong>End-User Authentication:<\/strong> OpenID Connect supports various methods of user authentication, such as password login, multi-factor authentication or even third-party identity providers.<\/li><li><strong>Configuration Information:<\/strong> The identifiers and information necessary to authorize and receive tokens are obtained from the configuration document, which is usually available at a fixed URL.<\/li><li><strong>Security over TLS:<\/strong> Communication between the client and the identity provider, as well as between the provider and the resource server, 
should take place over a secure TLS (HTTPS) connection.<\/li><\/ul><p>In summary, OpenID Connect facilitates secure and efficient authentication of users in web applications, while allowing applications to obtain the user&#8217;s identity information through tokens.<\/p><h3>Operation of OpenID Connect<\/h3><p>The OpenID Connect (OIDC) flow can be divided into several steps. Below you will find a general description of the steps involved in this process:<\/p><ul><li><strong>Initiate Authorization Request:<\/strong><ul><li>The user wants to log in to an application that supports OpenID Connect.<\/li><li>The application directs the user to the identity provider (IdP) with an authorization request.<\/li><li>This request contains the scopes of access that the application wants, and information about what should happen after the authorization is completed.<\/li><\/ul><\/li><li><strong>User Authentication:<\/strong><ul><li>The identity provider authenticates the user.<\/li><li>If the user is not logged in, they may be asked for their credentials.<\/li><\/ul><\/li><li><strong>Redirection Back:<\/strong><ul><li>Once the user is successfully authenticated, the identity provider redirects the user back to the application while providing an authorization code.<\/li><\/ul><\/li><li><strong>Code-to-Token Exchange (Token Exchange):<\/strong><ul><li>The application sends the received authorization code back to the identity provider.<\/li><li>In return, it receives a set of tokens, such as an ID Token, Access Token and possibly a Refresh Token.<\/li><\/ul><\/li><li><strong>Use of Tokens (Access Resources):<\/strong><ul><li>The application uses the received Access Token to access protected resources on behalf of the user.<\/li><li>Access to resources can be limited by the scope specified in the token.<\/li><\/ul><\/li><li><strong>Token Verification:<\/strong><ul><li>The application verifies the validity of the received tokens, especially the ID Token, 
which contains information about the user&#8217;s identity.<\/li><li>Verification may include checking the token&#8217;s signature, its validity and whether it matches the authorization request.<\/li><\/ul><\/li><li><strong>Token Refresh:<\/strong><ul><li>If a Refresh Token is used, the application can refresh its tokens without having to re-authenticate the user.<\/li><\/ul><\/li><\/ul><h2>Step 1 &#8211; Configure Nginx Proxy Manager in Portainer<\/h2><p>Before you start implementing Single Sign-On on Synology with Authentik, make sure your Nginx Proxy Manager is configured. Not sure how to do it? No worries! In my latest article, you&#8217;ll find a quick step-by-step guide on how to do this using Docker Compose in Portainer.<\/p><p>\ud83d\udc49 <a href=\"https:\/\/chochol.io\/en\/hardware\/synology-free-ports-80-443-for-nginx-proxy-manager\/\" target=\"_new\">Check out step 1<\/a> now and get your environment ready for what comes next!<\/p><h2>Step 2 &#8211; Configure Single Sign-On in Portainer<\/h2><p>Do you already know how to make logging in to Portainer seamless with Single Sign-On? If not, it&#8217;s time to change that! 
In my latest step-by-step tutorial, you&#8217;ll learn how to set up SSO using Authentik and Portainer.<\/p><p>\ud83d\udc49 <a href=\"https:\/\/chochol.io\/en\/software\/authentik-single-sign-on-configuration-for-portainer\/\" target=\"_new\">Visit step 2<\/a> now and get easier access to your Docker environment!<\/p><h2>Step 3 &#8211; Configuration in Authentik<\/h2><ul><li>Log in to your account and go to the administration interface,<\/li><li>After successfully logging into the administrative interface, go to the <strong>Applications<\/strong> tab on the left side of the screen, and then select <strong>Providers<\/strong>.<\/li><\/ul><p><img decoding=\"async\" class=\"aligncenter\" src=\"data:image\/png;base64,
\" alt=\"Authentik\" width=\"290\" height=\"170\" \/><\/p><ul><li>Click <strong>Create<\/strong> and select the <strong>OAuth2\/OpenID Provider<\/strong> type. Then move on by clicking <strong>Next<\/strong>.<\/li><li>Fill the provider with the following values:<ul><li>Name: <strong>dsm-oidc<\/strong><\/li><li>Authentication flow: <strong>Choose your configured<\/strong> or set default <em>(default-authentication-flow)<\/em><\/li><li>Authorization flow: <strong>choose your configured<\/strong> or set <strong>explicit<\/strong> or <strong>implicit<\/strong> consent. <em>(This setting refers to the flow used during authorization for this application &#8211; we define whether Authentik should display a button that allows you to go to the application after logging in, or simply redirect you without asking.)<\/em><\/li><li>Protocol settings<strong>:<\/strong><ul><li>Client type: Leave as <strong>Confidential<\/strong><\/li><li>Client ID: <strong>Copy and save for later<\/strong><\/li><li>Client Secret: <strong>Copy and save for later<\/strong><\/li><li>Redirect URIs\/Origins (RegEx)<strong>: https:\/\/dsm.xyz.com\/#\/signin<\/strong><\/li><\/ul><\/li><li>Signing Key: <strong>authentik Self-signed Certificate<\/strong><\/li><\/ul><\/li><li>Leave the other values unchanged and click <strong>Finish<\/strong>.<\/li><li>On the left side of the screen, select <strong>Applications<\/strong>, and then <strong>Applications<\/strong> again.<\/li><li>Click <strong>Create<\/strong> and fill the application with the following values:<ul><li>Name<strong>:<\/strong> <strong>Synology DSM<\/strong><\/li><li>Slug<strong>: synology-dsm<\/strong><\/li><li>Provider<strong>: dsm-oidc<\/strong><\/li><li><strong>UI Settings<\/strong> you may or may not want to 
complete.<ul><li>Icon<strong>:<\/strong> <strong>download the Synology DSM<\/strong> icon from the Internet and upload it.<\/li><li>Publisher<strong>:<\/strong> <strong>Synology Inc.<\/strong><\/li><li>Description<strong>:<\/strong> <strong>NAS<\/strong><\/li><\/ul><\/li><li>Confirm the creation of the application with the <strong>Create<\/strong> button.<\/li><\/ul><\/li><\/ul><p>On the identity provider side, we have already completed the necessary steps. <strong>Now it is time to configure the operating system from Synology.<\/strong><\/p><h2>Step 4 &#8211; Configuration in Synology DSM<\/h2><ul><li><strong>Log in<\/strong> to your Synology with your administrator account,<\/li><li>Go to the <strong>Control Panel<\/strong>, and then select <strong>Domain\/LDAP<\/strong> from the System section,<\/li><li>Go to the <strong>SSO Client<\/strong> tab and set the parameters described below:<ul><li>Login Settings: <strong>Mark<\/strong> as active <strong>Select SSO as the default option on the login page<\/strong>,<\/li><li>Services: <strong>Mark<\/strong> as active <strong>Enable OpenID Connect SSO service<\/strong>,<\/li><li>Go to <strong>OpenID Connect SSO single sign-on settings<\/strong>, then after opening the OIDC settings window, complete the form with the following parameters:<ul><li>Profile: <strong>OIDC<\/strong><\/li><li>Account type: <strong>Domain\/LDAP\/local<\/strong><\/li><li>Name: <strong>Authentik<\/strong><\/li><li>Well-known URL: <strong>https:\/\/auth.xyz.com\/application\/o\/dsm-oidc\/.well-known\/openid-configuration<\/strong><\/li><li>Application ID: <strong>Paste the Client ID copied earlier from Authentik<\/strong><\/li><li>Application Secret Key: <strong>Paste the previously copied Client Secret from Authentik<\/strong><\/li><li>Redirection URI address: <strong>https:\/\/dsm.xyz.com\/#\/signin<\/strong><\/li><li>Scope of authorization: <strong>email openid profile<\/strong><\/li><li>Username claim: 
<strong>preferred_username<\/strong><\/li><\/ul><\/li><\/ul><\/li><\/ul><p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-934\" src=\"https:\/\/chochol.io\/wp-content\/uploads\/2024\/01\/Screenshot-2024-01-04-at-15.58.00.png\" alt=\"Synology, OpenID Control Panel\" width=\"772\" height=\"519\" srcset=\"https:\/\/chochol.io\/wp-content\/uploads\/2024\/01\/Screenshot-2024-01-04-at-15.58.00.png 772w, https:\/\/chochol.io\/wp-content\/uploads\/2024\/01\/Screenshot-2024-01-04-at-15.58.00-300x202.png 300w, https:\/\/chochol.io\/wp-content\/uploads\/2024\/01\/Screenshot-2024-01-04-at-15.58.00-768x516.png 768w\" sizes=\"(max-width: 772px) 100vw, 772px\" \/><\/p><ul><li style=\"list-style-type: none;\"><ul><li><strong>Save your settings<\/strong> with the button located in the lower right corner on the blue background.<\/li><\/ul><\/li><li>After applying the changes, <strong>log in to DSM again<\/strong>, this time using OpenID Connect single sign-on.<\/li><\/ul><ul><li style=\"list-style-type: none;\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-935\" src=\"https:\/\/chochol.io\/wp-content\/uploads\/2024\/01\/Screenshot-2024-01-04-at-16.01.16.png\" alt=\"Synology, Login Screen\" width=\"525\" height=\"576\" srcset=\"https:\/\/chochol.io\/wp-content\/uploads\/2024\/01\/Screenshot-2024-01-04-at-16.01.16.png 525w, https:\/\/chochol.io\/wp-content\/uploads\/2024\/01\/Screenshot-2024-01-04-at-16.01.16-273x300.png 273w\" sizes=\"(max-width: 525px) 100vw, 525px\" \/><\/li><\/ul>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-bfa5f8c e-flex e-con-boxed e-con e-parent\" data-id=\"bfa5f8c\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-0f11022 elementor-widget elementor-widget-text-editor\" data-id=\"0f11022\" 
data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<h2>Creating a user<\/h2><p>Creating a user to use OpenID Connect on the Synology DSM platform requires <strong>manually creating a user account<\/strong> on the NAS. This procedure may be considered somewhat unsatisfactory, given that it runs counter to the idea of single sign-on. As of the date of writing this article, it should be noted that Synology has no plans to expand this form of authentication.<\/p><h2>Using OIDC for other applications from Synology<\/h2><p>Currently, the use of OpenID Connect in the context of single sign-on only includes access to DSM on the Synology device. Unfortunately, it is not possible to use the same credentials from the identity provider to log in to applications like Synology Drive or the local network via the SMB protocol. In addition, RADIUS Server also does not support Authentik-based authentication.<\/p><p>To access the aforementioned applications, <strong>it is necessary to use the local user&#8217;s password<\/strong>, which unfortunately conflicts with the idea of single sign-on.<\/p><p>In summary, currently single sign-on using the identity provider system only allows browser-based access to services installed on the Synology DSM platform.<\/p><p>If you have additional questions about the setup, <strong>go ahead and leave a comment under this article<\/strong> or <strong>contact me directly<\/strong>. I will be happy to answer any concerns and help solve any problems. Your questions can help improve this guide for other users.<\/p><h2>Additional sources and information<\/h2><p>For further exploration and more information, I recommend checking out the links below. 
They are valuable sources that were used in the development of this guide.<\/p><ul><li>SSO client implemented in Synology: <a href=\"https:\/\/kb.synology.com\/pl-pl\/DSM\/help\/DSM\/AdminCenter\/file_directory_service_sso?version=7\" target=\"_blank\" rel=\"noopener\">https:\/\/kb.synology.com\/pl-pl\/DSM\/help\/DSM\/AdminCenter\/file_directory_service_sso?version=7<\/a><\/li><li>Azure AD service implemented at Synology: <a href=\"https:\/\/kb.synology.com\/pl-pl\/DSM\/help\/DSM\/AdminCenter\/file_directory_service_sso_Azure?version=7\" target=\"_blank\" rel=\"noopener\">https:\/\/kb.synology.com\/pl-pl\/DSM\/help\/DSM\/AdminCenter\/file_directory_service_sso_Azure?version=7<\/a><\/li><li>What is OpenID Connect: <a href=\"https:\/\/openid.net\/developers\/how-connect-works\/\" target=\"_blank\" rel=\"noopener\">https:\/\/openid.net\/developers\/how-connect-works\/<\/a><\/li><li>Dev Overview of OpenID Connect: <a href=\"https:\/\/developers.onelogin.com\/openid-connect\" target=\"_blank\" rel=\"noopener\">https:\/\/developers.onelogin.com\/openid-connect<\/a><\/li><\/ul>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t","protected":false},"excerpt":{"rendered":"<p>Take advantage of single sign-on to Synology DSM. A simple way to manage your server. 
See how easy it is to control access.<\/p>\n","protected":false},"author":1,"featured_media":1049,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[96],"tags":[100,121],"class_list":["post-1169","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-software","tag-authentik","tag-synology"],"_links":{"self":[{"href":"https:\/\/chochol.io\/en\/wp-json\/wp\/v2\/posts\/1169","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/chochol.io\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/chochol.io\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/chochol.io\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/chochol.io\/en\/wp-json\/wp\/v2\/comments?post=1169"}],"version-history":[{"count":0,"href":"https:\/\/chochol.io\/en\/wp-json\/wp\/v2\/posts\/1169\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/chochol.io\/en\/wp-json\/wp\/v2\/media\/1049"}],"wp:attachment":[{"href":"https:\/\/chochol.io\/en\/wp-json\/wp\/v2\/media?parent=1169"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/chochol.io\/en\/wp-json\/wp\/v2\/categories?post=1169"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/chochol.io\/en\/wp-json\/wp\/v2\/tags?post=1169"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}