SSO for Wasabi Console Access Using SAML2 Integration With Cisco Duo

  • Published on Dec 23, 2025
  • 3 minute(s) read
Prev Next

Wasabi offers Single Sign-On (SSO) for Wasabi enterprise and educational accounts using the Cisco Duo (Identity Provider) system, based on SAML 2.0 (Security Assertion Markup Language) standard.

This article provides configuration instructions for both the IdP administrator and the SSO user to properly configure and complete a Wasabi Console login using your Cisco Duo SSO service. It includes additional details beyond those provided in the Wasabi Management Console Guide for this feature.

Configuring the SAML App in Cisco Duo (IdP Side)

  1. Log in to the Cisco Duo portal (https://admin.duosecurity.com/login?) with Admin credentials.

  2. Select Users in the left menu and click Add User.

  3. Assign the user in the Group name box, for example, Administrators.

  4. Click Add users to group. The Groups pane is displayed.

  5. In the Groups pane, click Add Group.

  6. Navigate to Applications in the left menu. Click Add Application.

  7. In the Application Catalog pane, search for “Generic SAML Service Provider,” then click Add.

  8. Enter a name in the Application name box, for example, SSO-Wasabi.

  9. Select the User access option, as required.

  10. Scroll down to the Metadata section and select SAML Metadata URL and click Download XML. Also, copy the URL for later use in the Wasabi Console.

  11. Scroll down to the Service Provider section and copy the following URLs into the appropriate box:

    • Entity ID—https://sso.wasabisys.com/saml

    • Assertion Consumer Service (ACS) URL—https://sso.wasabisys.com/login/callback

    • Single Logout URL—https://sso.wasabisys.com/logout

  12. Scroll down to the SAML Response section and select the following drop-down options:

    • NameID format—urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress

    • NameID attribute—<Email Address>

  13. Scroll down to the attributes sections and add the following:

    • IdP Attribute—<User Attribute>

    • SAML Response Attribute—groups

    • Attribute name—groups (must match the SAML Response Attribute). The user you select to access the Wasabi Console must be part of this group.

    • Service Provider Role—Administrators

      NOTE: Make note of the Service Provider role name you created. Do not use spaces in the role name as you will use this name for authentication in the Wasabi Console.

  14. Leave the remaining settings at their defaults. Click Save.

Configuring SAML Settings in Wasabi Console (SP / Client Side)

  1. Sign in to the Wasabi Console (https://console.wasabisys.com/login) using a root account email.

  2. Select Security in the left menu, then choose SSO (Single Sign-On).

  3. Click Start SSO Configuration. The Add an Organization Name dialog is displayed. Enter your organization’s unique name and click Add Organization.

  4. In the SSO (Single Sign On) pane, select SAML from the SSO Connection drop-down, then paste the previously copied SAML Metadata URL into the IDP Metadata URL box. Click Save.

  5. If you previously chose to download the SAML Metadata XML file, select Choose File and select the XML file. Click Save.

  6. In the SSO Single Sign-On tab, select Settings to create an SSO role. This SSO role will be used in the Wasabi Console and assigned to users within your organization’s identity provider, and will be returned to Wasabi in SSO claims. It is used to match a user with a role.

    NOTE: Do not create the role through the Role tab on the left. SSO roles must be created using the SSO tab in the Settings section.

  7. Click Create Role. The Create Role pane is displayed.

  8. Enter the Cisco role name previously created in “Service Provider’s Role” in the Role Attributes section. Click Next.

  9. Assign a Policy to this role to give the user specific access. You can assign multiple policies to the user role. Review Policies in Wasabi Hot Cloud Storage for a description of the default policies available in the Wasabi Console. Refer to Creating and Deleting a Policy to create your own IAM policies. Click Create Role when finished.

  10. You can attach any Wasabi-managed or user-managed policy based on your requirements. This example uses the AdministratorAccess policy.

    You can view the Wasabi role you have created in the SSO tab. For example:

Testing the Integration

  1. Sign in to the Wasabi Console (https://console.wasabisys.com) to test the SSO configuration.

    Screen

  2. Click SIGN IN WITH SSO. There are two methods you can use:

    • An organization’s name

    • Your Wasabi Root account email address

  3. If you select “Sign in With an Organization Name,” enter the name previously created. You will be redirected to the Cisco Duo login page, where you will enter your login information. You will be redirected back to the Wasabi Console, where you can perform functions based on the user’s assigned role.

    In the Wasabi Console, you will see the AdministratorAccess policy created, for example.

    For more information, contact Wasabi Support.