How do I use SSO for Wasabi Management Console access using SAML2 integration with JumpCloud?
    • 18 Dec 2023
    • 4 Minutes to read
    • PDF

    How do I use SSO for Wasabi Management Console access using SAML2 integration with JumpCloud?

    • PDF

    Article summary

    Wasabi now supports SSO (Single Sign On) functionality for Wasabi accounts using the JumpCloud (Identity provider) system based on SAML2 (Security Assertion Markup Language).

    This article will provide the configuration instructions for both the IdP administrator and SSO user to properly configure and complete a Wasabi Console login using the organization's JumpCloud SSO service. This article provides additional information beyond what is provided in the Wasabi Management Console Guide for this feature.  

    NOTE: In order to configure Wasabi SSO, you will need to be a paid account and log in as the root Wasabi email address.

    JumpCloud Account Creation - Adding the Wasabi account app to JumpCloud

    1. Login into your account on jumpcloud.com as an Administrator

    2. Select SSO from left menu and in the SSO menu click on Add New Application

    Screen
    1. Click on "Custom SAML App" at the bottom

    Screen
    1. Give a display name to this application, we are naming it "Wasabi-SSOv2" in this example, you can choose any name. Then click SSO on the top tab. 

    Screen
    1. On the SSO tab fill in the following:

    IdP Entity ID: Wasabi

    Note: This is the unique, case-sensitive identifier used by JumpCloud for this service provider. Please ensure that the value you enter matches the Identity Provider Entity ID you configured on Wasabi's SSO configuration page.

    SP Entity ID: https://sso.wasabisys.com/saml

    ACS URL: https://sso.wasabisys.com/login/callback

    Screen
    1. Scroll down and fill in and check off the following:

    - Scroll down and check "Sign Assertion

    - Enter the Login URL: https://console.wasabisys.com

    - Click add attribute and fill in the Service Provider Attribute Name as "email" and JumpCloud Attribute Name select email

    - Check the Include group attribute and type in "groups"

    Screen

    Click activate once finished. 

    Note: Our goal is to do the SSO role mapping based on the group names that we are going to create in further steps

    Hit Continue and a new Wasabi SSO connector will be created for you

    Screen
    1. Now based on your personal/company use case, start creating Users, Groups etc and decide on how you would like to have mappings

    Note: These settings will depend on your organization's requirement(s). We are demonstrating with an example of one User below

    1. Select User Groups from left menu and click on green "+" sign to add a new group

    Screen

    Enter Group Name: We are naming this group as "WasabiAdmin", you can choose any name.

    NOTE: The name of the group must match the name of the Wasabi role in Wasabi Console which we will create in later steps

    Screen

    Check the Users that you would like to put in this group in the Users tab.

    Screen

    Check the Application we just created for Wasabi SSO. Once you are done with the group configuration, click on "save" to save the group settings

    Screen
    1. We will need to download the IDP Certificate. To do so click on SSO click the application we created in Step 4. Click on IDP Certificate Valid and Download certificate it will download a .pem file. Screen

    2. On the SSO tab of the application scroll down and copy the IDP URL

    Screen

    Wasabi Console Configuration

    1. Now log in as the root email user on the Wasabi Web Console

    Click on Settings on the left-hand side and click on SSO (Single Sign On) Tab 

    - Click on "Select Configuration" from "No SSO" to "SAML"

    - Paste the Sign in URL from Step 10. 

    - Upload the X509 Signing Certificate from Step 9

    Note: If you do not see an SSO (Single Sign On) tab then you are on a Wasabi Trial. This feature is only on paid accounts. 

    Screen
    1. A Wasabi role will need to be created in order for SSO roles to work in the Console. They must be assigned to users within your organization's Identity Provider, and be returned to Wasabi in SSO claims. Without this, we will be unable to match a user with a role.

    Click on Create Role in the SSO tab in Settings. 

    Note: Do not create the role through the Role tab on the left. SSO roles must be created through the SSO tab in Settings. 

    Screen
    1. A Create Role window will appear. Please enter the JumpCloud Group Name you created in Step 8. 

    For the Wasabi role name use the same name as the JumpCloud Group name created in Step 8 OR Use your same group name if you are using your existing group in that step

    Screen

     

    1. Now we will assign a Policy for this Role in order to give the user specific access. Hit "Create Role" once finished. 

    Note: you can give the user multiple policies if you like for this role.

    Please see What are the default policies available in the Wasabi Console? for more information on the default policies available in the Wasabi Console or you can create your own IAM policies through the Policy tab on the Wasabi console. 

    Screen

     

    Note: This example uses the AdministratorAccess policy. You may attach any Wasabi-managed policy/user-managed policy based on your requirements.

    You should not see the Wasabi Role you have created in the SSO tab in Settings. 

    Screen
    1. Now test the Wasabi SSO. Please go to https://console.wasabisys.com

    Click on "SIGN IN WITH SSO"

    Screen
    1. Enter the Wasabi Root user email address.

    Screen
    1. This should re-direct you to the JumpCloud login page of your IdP. Login into the user that has access to the Wasabi Application created in JumpCloud.

    Screen
    1. Once you have successfully logged in with your company's JumpCloud username/password. You will be then redirected back to the Wasabi Console. 

    Screen

    Note: your view of the Wasabi console may look different due to the IAM policy set under the SSO role you have created. 

    For any issues or questions. Please contact via email to support@wasabi.com


    ESC

    Eddy AI, facilitating knowledge discovery through conversational intelligence