How do I use SSO for Wasabi Console Access Using CyberArk
    • 28 Aug 2024


    Wasabi supports the SSO (Single Sign On) functionality for enterprise and educational accounts using CyberArk based on SAML2 (Security Assertion Markup Language).

    Below are instructions for the administrator and SSO user to properly configure and complete a Wasabi login using your organization's CyberArk IdP. This article provides additional information beyond what is provided in the Wasabi Management Console Guide for this feature.

    In order to configure Wasabi SSO, you must have a paid account and log in with the Root user Wasabi email address.
    1. Log into your CyberArk Admin Portal.
    2. In the Apps & Widgets drop-down, select Web Apps. Click Add Web Apps to create a new web app.

    3. Select the Custom tab. Click Add to select SAML.

    4. Optionally, add the SAML Web App to the target organization that will be logging into the Wasabi Console through SSO. This will depend on your CyberArk configuration.

      If you do not add an Organization, you will need to manually add the users and groups to the Web App under the Permissions tab in the CyberArk Web App.

    5. Provide a Name for the SAML application.
    6. For the Wasabi logo, download the following image.

    7. When finished, click Save.

    8. In the SAML Web App, select the Trust tab. Click Download the Metadata File to upload to your Wasabi account.
      You can copy the IdP Entity ID/Issuer URL, Single Sign On URL, and download the Signing Certificate to paste them manually into the Wasabi Console. The Metadata File will contain all the necessary URLs.

    9. Log into the Wasabi Console as the Root user.
    10. Click Settings on the left side and scroll down to the SSO (Single Sign On) tab. Once expanded, click Start SSO Configuration.

    11. A pop-up will appear to Add an Organization Name. Enter a Name (the Organization Name must be unique). Click Add Organization.

    12. In the SSO Connection drop-down, select SAML. Click Save.

    13. Upload the Metadata File that was downloaded from the CyberArk application in Step 8. On the same tab, download the Wasabi Metadata File to upload to your CyberArk Web App. This will include all the necessary URLs and the Certificate needed for CyberArk to point to the Wasabi SSO URLs.

    14. In the CyberArk Web App, select the Trust tab. Under Service Provider Configuration, upload the Wasabi Metadata to the CyberArk Web App.
    15. Click Choose File and select “WasabiServiceProviderMetadata.xml” that was downloaded from the Wasabi Console in Step 13.

    16. Select the SAML Response tab on the left pane. Click Add.
    17. Add the following attributes.
      • Attribute Name: “groups” with the attribute value as “LoginUser.RoleNames”
      • Attribute Name: “email” with the attribute value as “LoginUser.Email”
    18. Click Save.

    19. Select the Roles tab. Click Add Role.

    20. Provide a Name for the role and make note of the role name. Add the Organization (if necessary) with the SAML Web Application. Click Save.
      Do not put any spaces in the role name because we will need to create the same role name within the Wasabi Console for authentication.

    21. Add any members and groups to the newly created role that will have access to the Wasabi Console through SSO.

    22. Click Add and Save the role settings.

      A Wasabi role will need to be created to match the attached role from CyberArk. The Wasabi role will have an IAM policy for the necessary permissions within the Wasabi Console. They must be assigned to users within your organization's Identity Provider and be returned to Wasabi. Without this, we will be unable to match a user with a role.

    23. Under the SSO tab in the Wasabi Console, click Create Role.
      CAUTION: Do not create the role through the Role tab on the left. SSO roles must be created through the SSO tab under Settings.

    24. For the role name, use the same role name created in Step 22.

    25. On the next screen, assign a policy to this role to give the user specific permissions. Once finished, click Create Role.

      For more information on the default policies available in the Wasabi Console, review Policies in Wasabi Hot Cloud Storage. Optionally, create your own IAM policies from the Policy tab on the Console.

      This example uses the “AdministratorAccess” policy. You may attach any Wasabi-managed policy or user-managed policy based on your requirements.

      You should now see the Wasabi role you have created in the SSO tab under Settings. You can create multiple roles with different IAM policies, if needed. Be sure to also create those additional roles in CyberArk.
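      The role mapping that Steps 17 through 25 set up depends on the “groups” and “email” attributes in the SAML response and on a CyberArk role name that exactly matches a Wasabi SSO role. The following is an added example, not Wasabi or CyberArk code, that parses the AttributeStatement of a constructed SAML assertion and checks whether the returned groups can be mapped to a configured Wasabi role; the exact-match rule and the sample role names are assumptions for illustration, and signature validation of the assertion is out of scope here.

```python
# Added example (not Wasabi's or CyberArk's code): parse the AttributeStatement of a
# SAML assertion and check that the "groups" and "email" attributes configured in
# Step 17 let Wasabi match the user to one of the SSO roles created in Steps 23-25.
# The assertion below is constructed for illustration; signature validation is out
# of scope here and must be done separately before any attribute is trusted.
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="email">
      <saml:AttributeValue>alice@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>WasabiAdmins</saml:AttributeValue>
      <saml:AttributeValue>Finance Team</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def extract_attributes(assertion_xml):
    """Return {attribute name: [values]} from the assertion's AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = values
    return attrs

def match_wasabi_role(attrs, wasabi_roles):
    """Assumed mapping rule: the first group value that exactly equals a Wasabi
    SSO role name wins. Returns (email, matched role or None, warnings)."""
    warnings = []
    email = (attrs.get("email") or [None])[0]
    if not email:
        warnings.append("missing 'email' attribute (check Step 17)")
    matched = None
    for group in attrs.get("groups", []):
        if " " in group:
            warnings.append(f"role name {group!r} contains spaces (see Step 20)")
        if group in wasabi_roles and matched is None:
            matched = group
    if matched is None:
        warnings.append("no group matches a Wasabi SSO role; login cannot be mapped")
    return email, matched, warnings
```

Running the matcher against the assertion your IdP actually returns (after signature verification) is a quick way to confirm that the role names on both sides line up before asking users to test the login.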

    26. Test the Wasabi SSO at https://console.wasabisys.com.
    27. Click Sign in with SSO.

    28. Select either Sign In With Organization Name or Sign In With Root Account Email.

    29. Enter either the Organization Name (created in Step 11) or the Root account email address.

      You will be redirected to the CyberArk login page. Complete the login.

      Once authenticated, you will be redirected to the Wasabi Console where you can perform the necessary functions based on the role assigned to the user.

      For any issues or questions, contact support@wasabi.com.