How do I use SSO for Wasabi Management Console access using SAML2 integration with Google?

Wasabi now supports SSO (Single Sign On) functionality for Wasabi accounts using the Google(Identity provider) system based on SAML2 (Security Assertion Markup Language).

This article will provide the configuration instructions for both the IdP administrator and SSO user to properly configure and complete a Wasabi Console login using the organization's Google SSO service.  This article provides additional information beyond what is provided in the Wasabi Management Console Guide for this feature.  

NOTE: In order to configure Wasabi SSO, you will need to be a paid account and log in as the root Wasabi email address.

Adding the Wasabi account app to Google

1. Login into your account on admin.google.com as an Administrator

2. Select the Apps section in the left menu and in the Web and Mobile Apps menu click on Add custom SAML app

3. Give a display name to this application, we are naming it "Wasabi-SSOv2" In this example, you can choose any name. Then click Continue. 

4. Please note the SSO URL and Download the Certificate.  You will need those details to place in the Wasabi Web Console. Then click Continue.

5. On the Service provider details tab, copy and paste the following to the corresponding entries -

   ACS URL: https://sso.wasabisys.com/login/callback

   Entity ID: https://sso.wasabisys.com/saml

   Start URL: https://console.wasabisys.com

   Check "Signed Response"

   

6. On the SAML attribute mapping tab, click Finish:

7. Now click "Directory" on the left and select "Groups" and then click “Create Groups” 

8. Enter Group Name: We are naming this group as "WasabiAdmin", you can choose any name.

   NOTE: The name of the group must match the name of the Wasabi role in Wasabi Console which we will create in later steps

9. Configure the Access type and Security Settings as per your organization’s requirements. In this example, these values are set as default. Then Select “Create Group”.

10. Add User to Groups: Go to the Directory--> Users section. In the Users list click on the user to open their account page.

11. Select Groups and click on “Add user to groups”. Enter the group name as "WasabiAdmin", and then click on “Add”

Please make sure that you have added all the users to the group you wish to be able to access the Wasabi Console through Google SSO. 

12. Now go back to the Apps--> Web and Mobile apps on the left-hand side. Click on the application we just created for Wasabi SSO and Select SAML Attribute Mapping.

Under the Group membership select the group created for Wasabi SSO and type in “groups” as App attribute.

13. Now go back to the Apps--> Web and Mobile apps on the left-hand side and select your SAML app and click on “User access”.

To turn the service on for everyone in your organization, click On for everyone and then click Save.

Wasabi Console Configuration

14. Now log in as the root email user on the Wasabi Web Console

Click on Settings on the left-hand side and click on SSO (Single Sign On) Tab 

- Click on "Select Configuration" from "No SSO" to "SAML"

- Paste the SSO URL from Step 4. 

- Upload the Certificate from Step 4

Note: If you do not see an SSO (Single Sign On) tab then you are on a Wasabi Trial. This feature is only on paid accounts. 

15. A Wasabi role will need to be created in order for SSO roles to work in the Console.

Click on Create Role in the SSO tab in Settings. 

Note: Do not create the role through the Role tab on the left. SSO roles must be created through the SSO tab in Settings. 

13. A Create Role window will appear. Please enter the Google Group Name you created in Step 8. 

For the Wasabi role name use the same name as the Google Group name created in Step 8 OR Use your same group name if you are using your existing group in that step

14. Now we will assign a Policy for this Role in order to give the user specific access. Hit "Create Role" once finished. 

Note: you can give the user multiple policies if you like for this role.

Please see What are the default policies available in the Wasabi Console? for more information on the default policies available in the Wasabi Console or you can create your own IAM policies through the Policy tab on the Wasabi console. 

Note: This example uses the AdministratorAccess policy. You may attach any Wasabi-managed policy/user-managed policy based on your requirements.

You should not see the Wasabi Role you have created in the SSO tab in Settings. 

15. Now test the Wasabi SSO. Please go to https://console.wasabisys.com

Click on "SIGN IN WITH SSO"

16. Enter the Wasabi Root user email address. 

17. This should re-direct you to the Google login page of your IdP. Login into the user that has access to the Wasabi Application created in Google Admin Console.

18. Once you have successfully logged in with your company's Google username/password. You will be then redirected back to the Wasabi Console. 4

Note: your view of the Wasabi console may look different due to the IAM policy set under the SSO role you have created. 

For any issues or questions. Please contact via email to support@wasabi.com.