SSO for Wasabi Console Access Using CyberArk


Wasabi supports SSO (Single Sign-On) for enterprise and educational accounts using CyberArk as the identity provider, based on SAML 2.0 (Security Assertion Markup Language).

Below are instructions for administrators and SSO users to properly configure and complete a Wasabi login using your organization's CyberArk IdP. This article provides additional information beyond what is provided in the Wasabi Management Console Guide for this feature.

To configure Wasabi SSO, you must have a paid account and log in as the Root user with your Wasabi email address.
  1. Log in to your CyberArk Admin Portal.
  2. In the Apps & Widgets drop-down, select Web Apps. Click Add Web Apps to create a new web application.

  3. Select the Custom tab. Click Add to select SAML.

  4. Optionally, add the SAML web application to the target organization that will log in to the Wasabi Console through SSO. This will depend on your CyberArk configuration. Click Yes. The SAML page is displayed.

    NOTE: If you do not add a target organization, you must manually add the users and groups to the web applications under the Permissions tab in the CyberArk web application.

  5. On the SAML page, in the Settings tab Name field, provide a name for the SAML application.
  6. In the Logo field, browse to and select the Wasabi logo to download.

  7. Click Save.

  8. In the Trust tab Metadata section, click Download Metadata File and save the file; you will upload it to your Wasabi account in Step 13. Click Save.
    Alternatively, you can copy the IdP Entity ID/Issuer URL and the Single Sign On URL, and download the Signing Certificate, to paste them manually into the Wasabi Console. The Metadata File contains all the necessary URLs.

  9. Log in to the Wasabi Console as the Root user.
  10. Click Settings on the left side and scroll down to the SSO (Single Sign On) tab. Once expanded, click Start SSO Configuration.

  11. A pop-up will appear to Add an Organization Name. Enter a unique name and then click Add Organization.
  12. In the SSO Connection drop-down, select SAML. Click Save.

  13. In the SAML Connection section, upload the metadata file that was downloaded from the CyberArk application in Step 8. On the same tab, select Download Wasabi Metadata and save the file; you will upload it to your CyberArk web application in Step 15. It includes all the necessary URLs and the certificate that CyberArk needs to point to the Wasabi SSO URLs. Click Save.

  14. In the CyberArk web application, select the Trust tab.
  15. In the Service Provider Configuration section, click Choose File and select the file “WasabiServiceProviderMetadata.xml” downloaded from the Wasabi Console in Step 13.

  16. Select the SAML Response tab on the left pane.
  17. In the Attributes section, click Add to add the following attributes.
    • Attribute Name: “groups” with the attribute value as “LoginUser.RoleNames”
    • Attribute Name: “email” with the attribute value as “LoginUser.Email”
  18. Click Save.

  19. In the CyberArk web application, select the Roles tab. Click Add Role.

  20. In the Add Role dialog, provide a Name for the role and make note of the role name, then add the Organization (if necessary) with the SAML web application and select the Role type. Click Save.
    Do not put any spaces in the role name because you will create the same role name in the Wasabi Console for authentication.

  21. Add members and groups to the newly created role that will have access to the Wasabi Console through SSO.

  22. Click Add and Save the role settings.

    A Wasabi role will need to be created to match the role created in CyberArk. The Wasabi role carries an IAM policy granting the necessary permissions within the Wasabi Console. The CyberArk role must be assigned to users within your organization's Identity Provider and returned to Wasabi in the SAML response. Without this, Wasabi will be unable to match a user with a role.

  23. In the SSO tab in the Wasabi Console, click Create Role at the bottom of the page.
    Do not create the role through the Role tab on the left. SSO roles must be created through the SSO tab under Settings.

  24. In the Create Role dialog, enter a name, and use the same role name created in Step 22.

  25. In the Assign Role Policies dialog, assign a policy to this role to give the user specific permissions. Once finished, click Create Role.

    For more information on the default policies available in the Wasabi Console, review Policies in Wasabi Hot Cloud Storage. Optionally, create your own IAM policies from the Policy tab on the Console.

    This example uses the “AdministratorAccess” policy. You may attach any Wasabi-managed policy or user-managed policy based on your requirements.

    You should now see the Wasabi role you have created in the SSO tab under Roles. You can create multiple roles with different IAM policies, if needed. Be sure to also create those additional roles in CyberArk.

  26. Test the Wasabi SSO at https://console.wasabisys.com.
  27. Click Sign in with SSO.

  28. Select either Sign In With Organization Name or Sign In With Root Account Email.

  29. Enter either the Organization Name (created in Step 11) or the Root account email address.

    You will be redirected to the CyberArk sign in page.

  30. Complete the sign in.
    Once authenticated, you will be redirected to the Wasabi Console, where you can perform the necessary functions based on the role assigned to the user.
    For any issues or questions, contact support@wasabi.com.
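The role matching described in Steps 17 through 25 depends on the SAML response carrying an “email” attribute and a “groups” attribute whose values are CyberArk role names that exactly match roles created in the Wasabi SSO tab. The following script is an added example (not Wasabi or CyberArk code) that parses a constructed SAML assertion and reports which role names would match and why others would not; the role names, email address and the assumption that CyberArk emits one AttributeValue per role are all constructed for illustration.

```python
"""Check that the SAML attributes CyberArk sends match the SSO roles configured in Wasabi.
Added example; the assertion below is constructed, not a real CyberArk response."""
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample of the AttributeStatement produced by the Step 17 attribute mapping
# ("email" -> LoginUser.Email, "groups" -> LoginUser.RoleNames). Assumes one value per role.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="email">
      <saml:AttributeValue>alice@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>WasabiAdmin</saml:AttributeValue>
      <saml:AttributeValue>Storage Auditors</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Roles created in the Wasabi Console SSO tab (Steps 23-25): role name -> attached policy.
WASABI_SSO_ROLES = {"WasabiAdmin": "AdministratorAccess"}


def extract_attributes(assertion_xml):
    """Return {attribute name: [values]} from the assertion's AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", SAML_NS)]
        attrs[attr.get("Name")] = values
    return attrs


def match_roles(attrs, wasabi_roles):
    """Report which role names map to a Wasabi SSO role, and why the others do not."""
    matched, problems = [], []
    if not attrs.get("email"):
        problems.append("missing 'email' attribute (LoginUser.Email)")
    for name in attrs.get("groups", []):
        if " " in name:
            problems.append(f"role {name!r} contains spaces; Wasabi role names must not")
        elif name not in wasabi_roles:
            problems.append(f"role {name!r} has no matching Wasabi SSO role")
        else:
            matched.append((name, wasabi_roles[name]))
    if not attrs.get("groups"):
        problems.append("missing 'groups' attribute (LoginUser.RoleNames)")
    return matched, problems


if __name__ == "__main__":
    roles, issues = match_roles(extract_attributes(SAMPLE_ASSERTION), WASABI_SSO_ROLES)
    print("matched:", roles)
    print("problems:", issues)
```

Run it against an assertion captured from a failed "unable to match a user with a role" login to see which of the three conditions (missing attribute, spaces in the role name, role not created in the SSO tab) applies.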