---
title: "SSO for WACM Console Access Using SAML2 Integration With Cisco Duo"
slug: "sso-for-wasabi-console-access-using-saml2-integration-with-cisco-duo"
updated: 2026-01-29T20:13:16Z
published: 2026-01-29T20:13:16Z
---

# SSO for WACM Console Access Using SAML2 Integration With Cisco Duo

Wasabi supports Single Sign-On (SSO) for enterprise and educational accounts using Cisco Duo as the Identity Provider (IdP), based on the SAML 2.0 (Security Assertion Markup Language) standard.

This knowledge base article provides configuration guidance for administrators and end users to set up and complete SSO login to the Wasabi Account Control Manager (WACM) using your organization’s Cisco Duo environment.

## Configuring the SAML App in Cisco Duo (IdP Side)

1. Log in to the [Cisco Duo portal](https://admin.duosecurity.com/login?) (https://admin.duosecurity.com/login?) with Admin credentials.
2. Select **Users** in the left menu and click **Add User**.

![](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/image-BEVA2BHL.png)
3. Assign the user to a group in the Group name box, for example, “admin.” Then click **Add users to group**.

![](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/image-R6XZLNN1.png)
4. The Groups pane is displayed with the new group name “admin.” Click **Add group**.

![](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/image-S8BRV5R5.png)
5. Navigate to Applications in the left menu. In the Applications pane, click **Add application**.

![](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/image-ZHP6CWVK.png)
6. In the Application Catalog pane, search for “Generic SAML Service Provider,” then click **Add**.

![](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/image-3NHPITDW.png)
7. In the Basic Configuration section, enter a name in the **Application name** box, for example, SSO-Wasabi.
8. Select the **User access** option, as required.

![](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/image-ME61ATE5.png)
9. Scroll down to the Metadata section, copy the **Single Sign-On URL**, then click **Download certificate**. You will need this information for later use in the Wasabi Console.

![](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/image-9TKU7OL9.png)
10. Scroll down to the Service Provider section and copy the following URLs into the appropriate box:

![](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/image-D1FV64EE.png)
  - Entity ID—https://wasabi-iam-prod-1.us.auth0.com/api/v2/
  - Assertion Consumer Service (ACS) URL—https://wasabi-iam-prod-1.us.auth0.com/login/callback
11. Scroll down to the SAML Response section and select the following drop-down options:

![](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/image-1HE98DP3.png)
  - NameID format—urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
  - NameID attribute—<Email Address>
12. Scroll down to enter the following attributes.

![](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/image-1ZOMIYIF.png)
  - Map attributes:
    - Email Address—email
    - First Name—firstName
    - Last Name—lastName
  - Role attributes:
    - Attribute name—groups (must match the SAML Response Attribute). The value assigned to this attribute in Cisco Duo must match the user role defined in WACM. This mapping ensures proper role assignment and access control during SSO authentication.
    - Service Provider’s Role—select your WACM user role.
    - Duo groups—select the group your user belongs to (in this example, the “admin” group). Select the groups to add to Cisco Duo. Make sure the user you add to access WACM is in the selected group.
13. Leave the remaining settings at their defaults. Click **Save**.

![](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/image-LUFBCI9J.png)
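
Before moving to the WACM side, you can confirm that the application emits what steps 10 through 12 configure. The following is an added example, not Wasabi or Cisco Duo code: it checks a decoded SAML 2.0 assertion for the Entity ID, ACS URL, NameID format, and attribute names listed above. The sample assertion is constructed, and the role names passed in `wacm_roles` are placeholders for the roles defined in your WACM account.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Values taken from the Service Provider and SAML Response steps above.
EXPECTED = {
    "audience": "https://wasabi-iam-prod-1.us.auth0.com/api/v2/",
    "recipient": "https://wasabi-iam-prod-1.us.auth0.com/login/callback",
    "nameid_format": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
}
REQUIRED_ATTRS = ("email", "firstName", "lastName", "groups")

# Constructed sample assertion (not captured from a real Duo tenant).
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 <saml:Subject>
  <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane@example.com</saml:NameID>
  <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
   <saml:SubjectConfirmationData Recipient="https://wasabi-iam-prod-1.us.auth0.com/login/callback"/>
  </saml:SubjectConfirmation>
 </saml:Subject>
 <saml:Conditions><saml:AudienceRestriction>
  <saml:Audience>https://wasabi-iam-prod-1.us.auth0.com/api/v2/</saml:Audience>
 </saml:AudienceRestriction></saml:Conditions>
 <saml:AttributeStatement>
  <saml:Attribute Name="email"><saml:AttributeValue>jane@example.com</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="firstName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="groups"><saml:AttributeValue>admin</saml:AttributeValue></saml:Attribute>
 </saml:AttributeStatement>
</saml:Assertion>"""

def check_assertion(xml_text, wacm_roles):
    """Return a list of mismatches between an assertion and this page's settings."""
    root = ET.fromstring(xml_text)
    nameid = root.find(".//saml:NameID", NS)
    conf = root.find(".//saml:SubjectConfirmationData", NS)
    found = {
        "audience": (root.findtext(".//saml:Audience", "", NS) or "").strip(),
        "recipient": conf.get("Recipient", "") if conf is not None else "",
        "nameid_format": nameid.get("Format", "") if nameid is not None else "",
    }
    problems = [f"{k}: got {found[k]!r}" for k in EXPECTED if found[k] != EXPECTED[k]]
    attrs = {a.get("Name"): [(v.text or "").strip() for v in a.findall("saml:AttributeValue", NS)]
             for a in root.findall(".//saml:Attribute", NS)}
    problems += [f"missing attribute: {n}" for n in REQUIRED_ATTRS if not attrs.get(n)]
    # The groups value must equal a role name defined in WACM, or no role is mapped.
    problems += [f"unmapped group: {g}" for g in attrs.get("groups", []) if g not in wacm_roles]
    return problems
```

This checks content only and does not verify the assertion's signature. Run it on assertions from your own test logins, not on untrusted XML.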

## Configuring SAML Settings in WACM Console (SP / Client Side)

1. Sign in to the [WACM Console](https://wacm.wasabisys.com/en/wasabi/auth/login) (https://wacm.wasabisys.com), where you will configure SSO.
2. In the upper right corner, select your displayed name and click **My Profile**. The Profile page is displayed.

![](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/image-R51RJ9EY.png)
3. Click the **Account** tab. The Account page is displayed.

![](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/image-OGO8BU76.png)
4. Scroll down to the SSO (Single-Sign-On) section and click **Start SSO Configuration**.

![](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/image-S0O1F8RT.png)
5. In the Add an Organization Name box, enter the name of your new organization. This is a unique identifier you will use to sign in to SSO, for example, “wacm-duo-2.” Click **Add Organization**.

![](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/image-NZW89CQF.png)
6. In the Select configuration type to start configuration section, select **SAML** from the drop-down.

![](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/image-9KVTIXZT.png)
7. Using the downloaded certificate and the Single-Sign-On URL copied from the Cisco Duo Applications section, click **Browse File** and select the X.509 Signing Certificate, then paste the **Sign-On URL** into the provided box. WACM SSO will match the WACM role names to the Cisco Duo Service Provider’s role in the “groups” name attribute.
8. Click **Save Connection**.

![](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/image-PTYI19ZT.png)
9. Sign in to the [WACM Console](https://wacm.wasabisys.com/en/wasabi/auth/login) (https://wacm.wasabisys.com) and click **Sign In with SSO**.

![](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/image-JN9UAW3N.png)
10. Enter the previously created organization name, for example, “wacm-duo-2.” Click **Continue**. You will be redirected to the Cisco Duo login page.

![](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/image-O4C8COO1.png)
11. Log in to the [Cisco Duo portal](https://admin.duosecurity.com/login?) (https://admin.duosecurity.com/login?) with Admin credentials. Once your login is authenticated, you will be redirected to the WACM Console with access to the role mapped to your group in Cisco Duo.
