Wasabi supports SSO (Single Sign On) functionality for enterprise and educational accounts using Microsoft Entra ID (formerly Azure Active Directory) based on SAML2 (Security Assertion Markup Language).
Configuration instructions are provided for the administrator and SSO user to properly configure and complete a Wasabi login using your organization's Microsoft Entra ID IdP. This article provides additional information beyond what is provided in the Wasabi Management Console Guide for this feature.
NOTE: To configure Wasabi SSO, you must have a paid account and log in as the Root with your Wasabi email address.
Below are the steps you will need to follow to accomplish SSO Logins using Microsoft Entra ID.
Log in to the Azure Portal: https://portal.azure.com.
Navigate to Microsoft Entra ID.
Create a new Enterprise application.
Navigate to Enterprise applications, then click New application.
Click Create your own application. The “Create Your Own Application” dialog box is displayed.

Enter the name of your application in the field provided. Leave the preset defaults set. Click Create.

In the Enterprise Application, select SSO-Wasabi, then select the Single sign-on tab and click the SAML tile.

On the Basic SAML Configuration page, copy and paste the following URLs into the corresponding fields:
Audience URL (SP Entity ID) / Identifier (Entity ID) — https://sso.wasabisys.com/saml
Single Sign-On URL / Reply URL — https://sso.wasabisys.com/login/callback

On the Manage page, download the Certificate (Base64) and copy the Login URL. The Logout URL is optional. You will use the URLs later in the Wasabi Console. If you download the Federation Metadata XML, you do not need the Login/Logout URL.


Create a role in the Azure application. To do so, return to Microsoft Entra ID, then click App registrations and select the Enterprise application SSO-Wasabi that you previously created.

To create a new app role within this application, click Create app role and enter a role name in the Display Name field. Make note of the role name you created.
NOTE: Do not use any spaces in the role name because you will use the same role name in the Wasabi Console for authentication.
In the Value field, enter the same name as the display name and the role name you will use in the Wasabi Console, then select Both Users/Groups + Applications.
Enter a Description, then select the check box to enable the app role.

In the SSO-Wasabi application, navigate to Users and groups, click Add user/group, and add users or groups to assign the role created for the Wasabi Console.

Go to the Single Sign-On tab and select Edit in the Attributes and Claims section. The Manage Claim section is displayed.

In the Manage Claim section, enter the following:
Groups: The group names
User type: Any (or another value that will match your use case)
Scoped Groups: Select the groups in Azure AD that you want to add. Be sure to add the Wasabi Console users to the selected group.
Source: Attribute
Value: user.assignedroles
When you have entered all the information, click Save.

Now sign in to the Wasabi Web Console using the Root email.
Select Settings on the left-hand side, and click the SSO (Single Sign-On) tab.
NOTE: If you do not see the SSO (Single Sign On) tab, then you have a Wasabi Trial account. This feature is only available for paid accounts.
Click Select Configuration SSO. In the Add an Organization Name dialog, enter your organization’s unique name.

If you previously downloaded the Federation Metadata XML, click Choose File in the SAML Connection for IDP Metadata XML section and select the "<Azure EnterpriseAppName>.xml" file you previously downloaded. Click Save.
NOTE: If you previously downloaded the Certificate (Base64), you can manually enter the Azure Login URL.
If you previously downloaded the Certificate (Base64), you can manually enter the Azure Login URL using the following steps:
Select the Enter details manually radio button.
Paste the Sign in URL, previously copied.
Upload the X509 Signing Certificate .cer file.
Paste the Sign Out URL (optional).
Click Save.
A Wasabi role is required for SSO roles to work in the Wasabi Console. Roles must be assigned to users within your organization's Identity Provider and returned to Wasabi in SSO claims to match a user with a role. In the SSO Single Sign-On tab, select Settings and then click Create Role.
NOTE: Do not create the role through the Role tab on the left. SSO roles must be created using the SSO tab in the Settings section.
In the Create Role dialog, enter the Azure role name you previously created and click Next.
NOTE: The Wasabi Console role name used must match the Azure role name.
In the Assign Role Policies dialog, select one or more roles for user-specific access.
For more information on default policies available in the Wasabi Console, or to create IAM policies through the Policy tab, see "What are the default policies available in the Wasabi Console?"
Click Create Role.
NOTE: This example uses the WasabiAdministratorAccess policy. You may attach any Wasabi-managed policy/user-managed policy based on your requirements.
The Wasabi role is now available from the SSO (Single Sign-On) tab in the Settings section.
To test the Wasabi Console SSO, sign in to https://console.wasabisys.com and click SIGN IN WITH SSO.

Click SIGN IN WITH SSO. There are two methods you can use:
The organization’s name previously provided
The Wasabi Root account email address
You are now redirected to the Azure AD login page.
Complete the Azure AD login. Once you are authenticated, you'll be redirected to the Wasabi Console, where you can perform the required functions based on your assigned role, such as creating a bucket.
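An added example, not part of Wasabi's documentation: a Python check you can run on a decoded SAML assertion captured from your own test sign-in, to confirm it carries the Identifier and Reply URL configured above and that every role value has a matching Wasabi SSO role with no spaces. The role claim name, the sample assertion, and the role names are assumptions; the script checks configuration values only and does not verify the assertion's signature.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EXPECTED_AUDIENCE = "https://sso.wasabisys.com/saml"             # from the page
EXPECTED_RECIPIENT = "https://sso.wasabisys.com/login/callback"  # from the page
# Assumption: Entra ID's default claim name for user.assignedroles.
ROLE_ATTR = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"

def check_assertion(xml_text, wasabi_roles, role_attr=ROLE_ATTR):
    """Return a list of configuration problems found in a decoded assertion.

    Checks configuration values only; it does not verify the XML signature.
    """
    root = ET.fromstring(xml_text)
    problems = []
    audiences = [a.text for a in root.iterfind(".//saml:Audience", NS)]
    if EXPECTED_AUDIENCE not in audiences:
        problems.append(f"audience {audiences} lacks {EXPECTED_AUDIENCE}")
    recipients = [d.get("Recipient") for d in
                  root.iterfind(".//saml:SubjectConfirmationData", NS)]
    if EXPECTED_RECIPIENT not in recipients:
        problems.append(f"recipient {recipients} is not {EXPECTED_RECIPIENT}")
    roles = [v.text or "" for attr in root.iterfind(".//saml:Attribute", NS)
             if attr.get("Name") == role_attr
             for v in attr.iterfind("saml:AttributeValue", NS)]
    if not roles:
        problems.append(f"no values for role attribute {role_attr}")
    for role in roles:
        if any(ch.isspace() for ch in role):
            problems.append(f"role {role!r} contains whitespace")
        elif role not in wasabi_roles:
            problems.append(f"role {role!r} has no matching Wasabi SSO role")
    return problems

# Constructed sample assertion (not a real capture); role names are hypothetical.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 <saml:Subject><saml:SubjectConfirmation>
  <saml:SubjectConfirmationData Recipient="https://sso.wasabisys.com/login/callback"/>
 </saml:SubjectConfirmation></saml:Subject>
 <saml:Conditions><saml:AudienceRestriction>
  <saml:Audience>https://sso.wasabisys.com/saml</saml:Audience>
 </saml:AudienceRestriction></saml:Conditions>
 <saml:AttributeStatement><saml:Attribute Name="%s">
  <saml:AttributeValue>WasabiAdmins</saml:AttributeValue>
  <saml:AttributeValue>Wasabi ReadOnly</saml:AttributeValue>
 </saml:Attribute></saml:AttributeStatement>
</saml:Assertion>""" % ROLE_ATTR

if __name__ == "__main__":
    for problem in check_assertion(SAMPLE, {"WasabiAdmins"}):
        print("FAIL:", problem)
```

Pass the set of role names you created on the Wasabi SSO tab as wasabi_roles; an empty result means the assertion's audience, recipient, and roles line up with the configuration.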

For any issues or questions, contact support@wasabi.com.