---
title: "SSO Using SAML2 Integration With Google"
slug: "how-do-i-use-sso-for-wasabi-management-console-access-using-saml2-integration-with-google"
updated: 2026-01-07T23:11:25Z
published: 2026-01-07T23:11:25Z
---

> ## Documentation Index
> Fetch the complete documentation index at: https://docs.wasabi.com/llms.txt
> Use this file to discover all available pages before exploring further.

# SSO Using SAML2 Integration With Google

Wasabi offers Single Sign On (SSO) functionality for Wasabi accounts using the Google****(identity provider) system, based on SAML2 (Security Assertion Markup Language) integration.

This article provides configuration instructions for both the IdP administrator and the SSO user to properly configure and complete a Wasabi Console login using your organization's Google SSO service.

## **Configuring the SAML App in Google (IdP Side)**

1. Log in to your [Google](https://admin.google.com) (https://admin.google.com) account as Administrator.
2. Navigate to the Apps tab in the navigation menu and **select Web and Mobile Apps.** Click**Add app** and select**Add custom SAML app.**

![](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/image-7CVTI7QA.png)
3. In the App details panel, enter a display name for the SAML app, for example, "Wasabi-SSO." Click **Continue**.

![](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/image-H2PXOPJF.png)
4. In the Google Identity Provider details panel, Option 2 section, copy the **SSO URL** and then download the **Certificate**. You will use this information later in the [Wasabi Console](https://console.wasabisys.com/). Click **Continue**.

![](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/image-2IPH4V2T.png)
5. In the Service Provider details panel, copy the following links and paste them into their corresponding fields:

![](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/image-X59NU983.png)
  - ACS URL: https://sso.wasabisys.com/login/callback
  - Entity ID: https://sso.wasabisys.com/saml
  - Start URL: https://console.wasabisys.com
  - Check "Signed Response"
6. In the Attribute mapping panel, click **Finish**.

![](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/image-Z0G6MWW3.png)
7. Navigate to the Directory tab and select **Groups,** then click**Create group**.

![](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/image-ARBKUCZP.png)
8. In the Group details panel, enter the Group name: "WasabiAdmin."

> The group name must match the Wasabi role name used in the Wasabi Console, which we will create later.

![](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/image-8CRIZVYL.png)
9. In the Member restriction panel, configure the access type and security settings per your organization’s requirements. In this example, these values are set as the default. Click **Create Group**.

![](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/image-X7Z87NUQ.png)
10. Navigate to the Directory tab and select **Users**. From the Users list, select a user to open their account page.

![](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/image-7W9V8MPO.png)
11. In the user account, select **Groups** and click **Add user to groups**. Enter the group name as "WasabiAdmin" and then click **Add**.

> You must add all users to the group you want to use to access the Wasabi Console through Google SSO.

![](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/image-KPVHGQCK.png)
12. Go back to the Apps****tab in the left menu and select **Web and Mobile apps**. Click the application you just created for Wasabi Console SSO, then select **SAML attribute mapping**.
13. In the Group membership section, select the group created for Wasabi SSO and type **groups** in the App attribute field.

![](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/image-NHZTYJNA.png)
14. Go back to the Apps tab in the left menu again and select **Web and Mobile apps**. Click your **SAML app** and select **User access**. To turn on Service Status for everyone in your organization, click **ON for everyone.** Click **Save**.

![](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/image-7JQ75DLQ.png)

## Configuring SAML Settings for Wasabi Console (SP /Client Side)

1. Sign in to the [Wasabi Console](https://console.wasabisys.com/login) (https://console.wasabisys.com/login) using a Root account email.
2. On the Wasabi menu, click **Settings**,****then select **SSO (Single Sign On)**.
3. In the SSO (Single Sign On) panel, from the Select Configuration drop-down, select **SAML**.
4. In the SAML Connection section, paste the Sign In URL previously copied from the Google Identity Provider details panel into the General box.
5. In the X509 Signing Certificate box, upload the certificate from the Google Identity Provider details panel.
6. Click **Save Connection**.

> If you do not see the SSO (Single Sign On) panel, then you are using a Wasabi trial account. This feature is only for paid accounts.

![](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/image-K64FDJ0Z.png)
7. For SSO roles to work in the Wasabi Console, you must create a role. Click **Create Role** in the SSO (Single Sign On) section in Settings.

> Do not create the role through the Roles tab in the left menu. SSO roles must be created in Settings under SSO (Single Sign-On).

![](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/image-WMOAHDMG.png)
8. The Create Role dialog is displayed. Enter the group name: "WasabiAdmin" previously created. Click **Next**.

For the Wasabi Console role name, use the same name as the Google Group name previously created, or use the same group name used in your existing group.

![](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/image-48X5DYSB.png)
9. In the Assign Role Policies panel, select one or more policies for this new role to provide user-specific access. Click **Create Role**.

For more information on default policies or creating your own IAM policies for the Wasabi Console, see [Policies in Wasabi Hot Cloud Storage](https://docs.wasabi.com/docs/policies-1).

![](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/image-O1JSV0C0.png)

This example uses the AdministratorAccess policy. You may attach any Wasabi-managed policy/user-managed policy based on your requirements.

You should not see the Wasabi role you created in the SSO panel within Settings.

![](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/image-BVYZSCDE.png)

## Testing the Integration

1. Sign in to the [Wasabi Console](https://console.wasabisys.com) (https://console.wasabisys.com) to test the SSO configuration.

![](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/image-2563513U.png)
2. Enter your **Root user email address**for the Wasabi Console. Click **Continue**.

![](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/image-XT973S8A.png)
3. You are redirected to your Google sign-in page. Sign in as the user who has access to the Wasabi Console application created in the Google Admin Console.

![](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/image-GMZXH69J.png)

Once you have successfully signed in with your company's Google username/password, you are then redirected to the Wasabi Console.

![](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/image-KX4F2A33.png)

Your view of the Wasabi Console may differ depending on the IAM policy set for the SSO role you created.