How do I use SSO for Wasabi Console access using Shibboleth and SAML2
- Updated on 18 Dec 2023
Wasabi supports SSO (Single Sign On) functionality for enterprise/educational accounts using the Shibboleth IdP (Identity provider) based on SAML2 (Security Assertion Markup Language).
This article will provide the configuration instructions for both the IdP administrator and SSO user to properly configure and complete a Wasabi Console login using the organization's Shibboleth SSO service. This article provides additional information beyond what is provided in the Wasabi Management Console Guide for this feature.
NOTE: To configure Wasabi SSO, you need a paid account and must log in with the root Wasabi email address.
Before setting up Shibboleth IdP with the Wasabi Console, gather the following items, which you will enter into the Wasabi console:
- Shibboleth Sign on URL
- Shibboleth x509 Signing Certificate
1a. Log into the Wasabi console using the root account email address.
Point a web browser to https://console.wasabisys.com
1b. Once logged in with the root Wasabi email address, navigate to Settings on the left menu.
Scroll down the settings to SSO (Single Sign On)
Configure the connection type to SAML
Input the Sign on URL from your Shibboleth Set Up
Upload the x509 Signing Certificate to the Wasabi console.
Hit Save connection once set.
1c. Please note down the Callback URL and Audience URL from the same SSO settings tab for the Shibboleth application.
2a. Create a Wasabi Role
Scrolling down you will see a Create Role button
2b. A create role popup will appear. Please enter a role name.
Note this role name; you will need to add it to the Attribute Value in Step 3.
The role assigned to the user in Shibboleth will be mapped to the Wasabi role of the same name.
Now we will assign a Policy for this Role in order to give the user specific access.
Hit "Create Role" once finished.
Note: you can give the user multiple policies if you like for this role.
Please see "What are the default policies available in the Wasabi Console?" for more information on the default policies. You can also create your own IAM policies through the Policy tab on the Wasabi console.
Note: This example uses the AdministratorAccess policy. You may attach any Wasabi-managed policy/user-managed policy based on your requirements.
You should now see the Wasabi Role you have created in the SSO tab in Settings.
3. Shibboleth Administrator Configuration for Wasabi Console
The attributes used in the SAML assertion are shown below:
Set the attribute name to: http://schemas.auth0.com/https://sso.wasabisys.com/groups
The Attribute Value is the Wasabi role name you created in Step 2b.
Below is an example of the SAML Group assertion.
NOTE: Change the Attribute Value to the role name you wish to use. The value must exactly match the Wasabi role name (no spaces).
<saml:Attribute Name="http://schemas.auth0.com/https://sso.wasabisys.com/groups" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
  <saml:AttributeValue>CHANGE_ME_FOR_WASABI_ROLE_NAME</saml:AttributeValue>
</saml:Attribute>
Below is an example of the SAML Email assertion, which is also required. This email address appears in the audit logs and as the User ID on the console.
NOTE: Change the Attribute Value to the email address of the user logging in through the IdP.
http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">EMAILADDRESS
Input the following URLs into the Shibboleth setting to point back to the Wasabi SSO:
Wasabi SSO Callback URL: https://sso.wasabisys.com/login/callback
Audience URL: https://sso.wasabisys.com/login/callback
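A pre-flight check for the Step 3 mapping, as an added example (not Wasabi's or Shibboleth's code): it parses a decoded test assertion and reports problems with the groups attribute, the role value, and the audience. The sample assertion and the role name WasabiAdmins are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
GROUPS_ATTR = "http://schemas.auth0.com/https://sso.wasabisys.com/groups"
URI_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
AUDIENCE = "https://sso.wasabisys.com/login/callback"  # Audience URL given above

# Constructed sample assertion (not captured from a real IdP); role name is made up.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Conditions><saml:AudienceRestriction>
    <saml:Audience>https://sso.wasabisys.com/login/callback</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.auth0.com/https://sso.wasabisys.com/groups"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
      <saml:AttributeValue>WasabiAdmins</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def check_assertion(xml_text, wasabi_roles):
    """Return mapping problems (empty list = OK). Content only; no signature check."""
    root = ET.fromstring(xml_text)
    problems = []
    audiences = [(a.text or "").strip() for a in root.iterfind(".//saml:Audience", NS)]
    if AUDIENCE not in audiences:
        problems.append("audience mismatch: %r" % audiences)
    attrs = [a for a in root.iterfind(".//saml:Attribute", NS)
             if a.get("Name") == GROUPS_ATTR]
    if not attrs:
        return problems + ["groups attribute missing"]
    for attr in attrs:
        if attr.get("NameFormat") != URI_FORMAT:
            problems.append("unexpected NameFormat: %r" % attr.get("NameFormat"))
        values = [v.text or "" for v in attr.iterfind("saml:AttributeValue", NS)]
        if not values:
            problems.append("groups attribute has no value")
        for value in values:
            if any(ch.isspace() for ch in value):
                problems.append("role value contains spaces: %r" % value)
            elif value not in wasabi_roles:  # exact string match, per the note above
                problems.append("no Wasabi role named %r" % value)
    return problems


if __name__ == "__main__":
    print(check_assertion(SAMPLE, {"WasabiAdmins"}))
```

Pass the set of role names shown in the SSO tab of the Wasabi console as `wasabi_roles`; an empty result means the assertion content lines up with the settings in this article.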
4. Now test the Wasabi SSO. Please go to https://console.wasabisys.com
Click on "SIGN IN WITH SSO"
5. Enter the Wasabi root user email address.
6. This should redirect you to the Shibboleth login page of your IdP. Enter the username/password of your company's SSO.
7. Once you have successfully logged in with your company's IdP username/password, you will be redirected back to the Wasabi Console.
Note: your view of the Wasabi console may look different due to the IAM policy set under the SSO role you have created.
For any issues or questions, please email support@wasabi.com