How do I use SSO for Wasabi Management Console access using SAML2 integration with JumpCloud?
- Updated on 18 Dec 2023
Wasabi now supports SSO (Single Sign On) functionality for Wasabi accounts using the JumpCloud (Identity provider) system based on SAML2 (Security Assertion Markup Language).
This article will provide the configuration instructions for both the IdP administrator and SSO user to properly configure and complete a Wasabi Console login using the organization's JumpCloud SSO service. This article provides additional information beyond what is provided in the Wasabi Management Console Guide for this feature.
NOTE: To configure Wasabi SSO, you need a paid account and must log in with the root Wasabi email address.
JumpCloud Account Creation - Adding the Wasabi account app to JumpCloud
Log in to your account on jumpcloud.com as an Administrator.
Select SSO from the left menu and, in the SSO menu, click Add New Application.
Click "Custom SAML App" at the bottom.
Give this application a display name. We are naming it "Wasabi-SSOv2" in this example, but you can choose any name. Then click SSO on the top tab.
On the SSO tab fill in the following:
IdP Entity ID: Wasabi
Note: This is the unique, case-sensitive identifier used by JumpCloud for this service provider. Please ensure that the value you enter matches the Identity Provider Entity ID you configured on Wasabi's SSO configuration page.
SP Entity ID: https://sso.wasabisys.com/saml
ACS URL: https://sso.wasabisys.com/login/callback
Scroll down, then fill in and check off the following:
- Check "Sign Assertion"
- Enter the Login URL: https://console.wasabisys.com
- Click add attribute, enter "email" as the Service Provider Attribute Name, and select email as the JumpCloud Attribute Name
- Check "Include group attribute" and type in "groups"
Click activate once finished.
Note: Our goal is to do the SSO role mapping based on the group names that we are going to create in further steps
Hit Continue and a new Wasabi SSO connector will be created for you
Now, based on your personal or company use case, start creating Users, Groups, etc., and decide how you would like to map them.
Note: These settings will depend on your organization's requirement(s). We are demonstrating with an example of one User below.
Select User Groups from the left menu and click the green "+" sign to add a new group.
Enter Group Name: We are naming this group as "WasabiAdmin", you can choose any name.
NOTE: The name of the group must match the name of the Wasabi role in Wasabi Console which we will create in later steps
Check the Users that you would like to put in this group in the Users tab.
Check the Application we just created for Wasabi SSO. Once you are done with the group configuration, click "save" to save the group settings.
We will need to download the IDP Certificate. To do so, click SSO, then click the application we created in Step 4. Click "IDP Certificate Valid" and then "Download certificate"; this downloads a .pem file.
On the SSO tab of the application scroll down and copy the IDP URL
Wasabi Console Configuration
Now log in as the root email user on the Wasabi Web Console
Click on Settings on the left-hand side and click on SSO (Single Sign On) Tab
- Change "Select Configuration" from "No SSO" to "SAML"
- Paste the Sign in URL (the IDP URL copied from JumpCloud in Step 10)
- Upload the X509 Signing Certificate (the .pem file downloaded in Step 9)
Note: If you do not see an SSO (Single Sign On) tab then you are on a Wasabi Trial. This feature is only on paid accounts.
A Wasabi role must be created for SSO roles to work in the Console. Roles must be assigned to users within your organization's Identity Provider and be returned to Wasabi in SSO claims. Without this, we will be unable to match a user with a role.
Click on Create Role in the SSO tab in Settings.
Note: Do not create the role through the Role tab on the left. SSO roles must be created through the SSO tab in Settings.
A Create Role window will appear. Please enter the JumpCloud Group Name you created in Step 8.
For the Wasabi role name, use the same name as the JumpCloud Group created in Step 8, or the name of your existing group if you used an existing group in that step.
Now we will assign a Policy for this Role in order to give the user specific access. Hit "Create Role" once finished.
Note: you can give the user multiple policies if you like for this role.
Please see "What are the default policies available in the Wasabi Console?" for more information on the default policies available in the Wasabi Console, or create your own IAM policies through the Policy tab on the Wasabi console.
Note: This example uses the AdministratorAccess policy. You may attach any Wasabi-managed policy/user-managed policy based on your requirements.
You should now see the Wasabi Role you have created in the SSO tab in Settings.
Now test the Wasabi SSO. Please go to https://console.wasabisys.com
Click on "SIGN IN WITH SSO"
Enter the Wasabi Root user email address.
This should redirect you to the JumpCloud login page of your IdP. Log in as the user that has access to the Wasabi Application created in JumpCloud.
Once you have successfully logged in with your company's JumpCloud username/password, you will be redirected back to the Wasabi Console.
Note: your view of the Wasabi console may look different due to the IAM policy set under the SSO role you have created.
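If the test login fails, the values configured above can be compared with the response JumpCloud actually sends. The following is an added example, not Wasabi or JumpCloud code. It assumes the HTTP-POST binding (a base64 SAMLResponse form field), an unencrypted assertion, and exact-match comparison of group and role names; check_response and sample_response are hypothetical names, and the sample XML is constructed.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
# Values entered on the JumpCloud SSO tab in this article.
IDP_ENTITY_ID = "Wasabi"
SP_ENTITY_ID = "https://sso.wasabisys.com/saml"
ACS_URL = "https://sso.wasabisys.com/login/callback"

def check_response(b64_response, role_name):
    """List configuration problems in a base64-encoded SAMLResponse."""
    root = ET.fromstring(base64.b64decode(b64_response))
    a = root.find("saml:Assertion", NS)
    if a is None:
        return ["no unencrypted Assertion in response"]
    problems = []
    if a.findtext("saml:Issuer", "", NS).strip() != IDP_ENTITY_ID:
        problems.append("Issuer differs from IdP Entity ID (case-sensitive)")
    if SP_ENTITY_ID not in [e.text for e in a.iterfind(".//saml:Audience", NS)]:
        problems.append("Audience differs from SP Entity ID")
    if root.get("Destination") != ACS_URL:
        problems.append("Destination differs from ACS URL")
    # Presence check only; this does not verify the signature.
    if a.find("ds:Signature", NS) is None:
        problems.append("assertion unsigned; is 'Sign Assertion' checked?")
    attrs = {x.get("Name"): [v.text for v in x.iterfind("saml:AttributeValue", NS)]
             for x in a.iterfind(".//saml:Attribute", NS)}
    if not attrs.get("email"):
        problems.append("no 'email' attribute")
    # Exact match is an assumption; the article only says the names must match.
    if role_name not in attrs.get("groups", []):
        problems.append(f"no 'groups' value equal to role {role_name!r}")
    return problems

def sample_response(issuer="Wasabi", groups=("WasabiAdmin",), signed=True):
    """Constructed sample for offline runs, not a captured JumpCloud response."""
    sig = '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>' if signed else ""
    vals = "".join(f"<saml:AttributeValue>{g}</saml:AttributeValue>" for g in groups)
    xml = (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
           f'Destination="{ACS_URL}"><saml:Assertion><saml:Issuer>{issuer}</saml:Issuer>'
           f"{sig}<saml:Conditions><saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}"
           "</saml:Audience></saml:AudienceRestriction></saml:Conditions>"
           '<saml:AttributeStatement><saml:Attribute Name="email">'
           "<saml:AttributeValue>user@example.com</saml:AttributeValue></saml:Attribute>"
           f'<saml:Attribute Name="groups">{vals}</saml:Attribute>'
           "</saml:AttributeStatement></saml:Assertion></samlp:Response>")
    return base64.b64encode(xml.encode()).decode()
```

An empty list from check_response means the response carries the Entity IDs, ACS URL, signature element and attributes this article configures; it is a troubleshooting aid and does not replace the signature validation Wasabi performs with the uploaded certificate.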
For any issues or questions, please contact support@wasabi.com by email.