---
title: "SSO for WACM Console Using SAML2 With Azure Active Directory (AD)"
slug: "wacm-sso-with-azure-ad"
updated: 2026-01-30T18:17:06Z
published: 2026-01-30T18:17:06Z
---


# SSO for WACM Console Using SAML2 With Azure Active Directory (AD)

Wasabi Account Control Manager (WACM) supports SSO (Single Sign On) functionality for enterprise and educational accounts using Azure Active Directory based on SAML2 (Security Assertion Markup Language).

This article will provide instructions for the administrator and SSO user to properly configure and complete a WACM login using the Azure Active Directory IdP for your organization. This article offers additional information beyond what is provided in the [WACM: Wasabi Account Control Manager](https://docs.wasabi.com/docs/wacm-wasabi-account-control-manager) documentation.

## Creating a WACM SSO Login

1. Log in to the [Azure Portal](https://portal.azure.com) (https://portal.azure.com).

![](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/image-1714076512397.png)
2. Navigate to the Azure Active Directory.
3. Navigate to Enterprise application.
4. Click **New application**.
5. Click **Create your own application**.

![](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/image-1713990601902.png)
6. Name your Enterprise application and leave the application with the defaults. Click **Create**.

![](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/image-1713990628115.png)
7. Navigate to the newly created Enterprise application.
8. Click **Single sign-on** and select **SAML**.

![](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/image-1713990643797.png)
9. On the Basic SAML Configurations, click **Edit**.
10. Click **Save** once the URLs are pasted.
11. Copy and paste the following to the corresponding entries:

![](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/image-1714073222146.png)
  - [Audience URL (SP Entity ID) / Identifier (Entity ID)](https://wasabi-iam-prod-1.us.auth0.com/api/v2/) (https://wasabi-iam-prod-1.us.auth0.com/api/v2/)
  - [Single Sign On URL/ Reply URL](https://wasabi-iam-prod-1.us.auth0.com/login/callback) (https://wasabi-iam-prod-1.us.auth0.com/login/callback)
12. On the Single sign-on page, note the Login URL and Logout URL. You will need this when [Adding User Attributes](/v1/docs/draft-wacm-sso-with-azure-ad#adding-user-attributes%20%20), Step 14.

To include your organization's name in the login URL, configure SSO settings where "orgname" is your organization name, for example:

![](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/image-1713990938672.png)
  - [WACM](https://wacm.wasabisys.com/en/wasabi/auth/login?organization=orgname) (https://wacm.wasabisys.com/en/wasabi/auth/login?organization=orgname)
  - [CCC](//yourconsole.poweredbywasabi.com/login?organization=orgname) (yourconsole.poweredbywasabi.com/login?organization=orgname)
13. Under SAML Certificate, click **Edit**. Download the SAML Signing Certificate as a PEM certificate.

![](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/image-1713990973696.png)
14. When the SAML Signing Certificate window appears, click **...** to the right of the active certificate.
15. Click **PEM certificate download**. A .pem file will download. This file is needed for [Adding User Attributes](/v1/docs/draft-wacm-sso-with-azure-ad#adding-user-attributes%20%20), Step 14 when configuring the SSO in WACM.

![](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/image-1713991001020.png)

## Creating a Role

1. Return to the Azure Active Directory. Click **App registrations.**
2. Select the Enterprise application that you created.

![](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/image-1713991038068.png)
3. Click **App role** on the left-hand side. Click **Create app role**.

The name/value of the role should match the role name of one of the following WACM Roles.

> Use dashes (-) instead of spaces. Example: For “Control Account Admin” use the Azure application role name "Control-Account-Admin".

Below are the WACM roles:

![](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/image-1713991102319.png)

For the Value, enter the same name as the display and role name that you will be creating in Wasabi.

![](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/image-1713991211268.png)
4. Click **Apply** when done.

## Assigning User(s) or Group(s) to a Role

You can assign user(s) or group(s) to a role that you created within the application so that the user(s) or group(s) can access WACM.

1. Return to the Enterprise application.
2. Navigate to users and groups.
3. Click **Add user/group**.
4. Choose the role created in [Creating a Role](https://docs.wasabi.com/docs/draft-wacm-sso-with-azure-ad#creating-a-role%20%20), Step 3.
5. Click **Assign**.

![](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/image-1713991240925.png)

Optionally, you can add multiple users/groups to other WACM roles in this step.

## Adding User Attributes

1. In the Enterprise application, navigate to Single Sign-On.
2. Under Attributes & Claims, click **Edit**.

![](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/image-1713991277924.png)
3. Click **Add new claim**.
4. In the Name field, type "groups".
5. Click **Claim conditions**. Include the following information in the new claim:
  - User type—Any (or another value that will match your use case)
  - Scoped Groups—Group(s) in Azure AD that you want to add (Add any user(s) granted access to the WACM Console to the group you select. The scoped group will have the “groups” attribute that is needed for WACM SSO.)
  - Source—Attribute
  - Value—user.assignedroles
6. Click **Save**.

![](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/image-1713991343681.png)
7. Change the Claim Names of the attributes from their default names and delete the default value of the Namespace. Leave the claim values at their defaults. Change the following Claim Names to authenticate to WACM. For more information, review the WACM Metadata file in the WACM Console.

For example:

![](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/image-1714066709300.png)

Default Values view:

![](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/image-1713991419369.png)

Values after change:

![](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/image-1713991436143.png)
  - From “emailaddress” to “email”
  - From “givenName” to “firstName”
  - From “surname” to “lastName”
  - Rename “Name” to “firstName”
  - Remove the “Namespace” value so it is empty.
8. Log in to the WACM Console you want to set up SSO for at the [Wasabi Account Control Manager](https://wacm.wasabisys.com/en/wasabi/auth/login) login page.
9. Navigate to the top right corner where your name is displayed. Click **My Profile**.

![](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/image-1713991456256.png)
10. Once in your profile, select the **Account** tab.

![](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/image-1713991493397.png)
11. Scroll down and toggle the SSO (Single Sign On).
12. Click **Start SSO Configuration**.

![](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/image-1713991527761.png)
13. Create an Organization Name. This Organization Name should be unique. You will need this Organization Name each time you sign in using WACM SSO. Once complete, click **Add Organization**.

![](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/image-1713991543211.png)
14. Change the Connection Type from OpenID to SAML. Add the Login URL and, optionally, add the Logout URL (as described in [Creating a WACM SSO Login](https://docs.wasabi.com/docs/draft-wacm-sso-with-azure-ad#creating-a-wacm-sso-login%20%20), Step 12). Upload the .pem file (as described in [Creating a WACM SSO Login](https://docs.wasabi.com/docs/draft-wacm-sso-with-azure-ad#creating-a-wacm-sso-login%20%20), Step 13). Click **Save Connection**.

![](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/image-1713991638888.png)

WACM SSO will match the WACM role names to the Azure Role in the “groups” name attribute. Any user with the Control-Account-Admin Azure role will be assigned the Control Account Admin role in WACM.
15. Test the [WACM SSO](https://wacm.wasabisys.com/) (https://wacm.wasabisys.com/).
16. Click **Sign in with SSO**.

![](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/image-1713991792423.png)
17. Enter the Organization Name you created in Step 13 above.

![](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/image-1713991970443.png)

You will be redirected to the Azure AD login page.
18. Complete the Azure AD login.

Once authenticated, you will be redirected back to the WACM Console where you can perform the necessary functions based on the role assigned to the user.
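
To confirm the claim renaming in step 7 and the role mapping before users sign in, the following added example (not Wasabi's code) checks a decoded SAML assertion for the claim names, audience and role values this page requires. The sample assertion, the function name `check_assertion` and the `expected_roles` parameter are assumptions made for illustration; the check inspects names and values only and does not validate the signature.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
REQUIRED = ("email", "firstName", "lastName", "groups")      # claim names from this page
AUDIENCE = "https://wasabi-iam-prod-1.us.auth0.com/api/v2/"  # Identifier (Entity ID) above
AZURE_NS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"  # Azure AD default

# Constructed sample (not real traffic): the Namespace was left on the email
# claim and the app role Value was typed with spaces instead of dashes.
SAMPLE = f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 <saml:Conditions><saml:AudienceRestriction>
  <saml:Audience>{AUDIENCE}</saml:Audience>
 </saml:AudienceRestriction></saml:Conditions>
 <saml:AttributeStatement>
  <saml:Attribute Name="{AZURE_NS}emailaddress">
   <saml:AttributeValue>admin@example.com</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="firstName"><saml:AttributeValue>Ada</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="lastName"><saml:AttributeValue>Example</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="groups">
   <saml:AttributeValue>Control Account Admin</saml:AttributeValue></saml:Attribute>
 </saml:AttributeStatement>
</saml:Assertion>"""


def check_assertion(xml_text, expected_roles=frozenset({"Control-Account-Admin"})):
    """Return (problem, detail) tuples; an empty list means the claims look right."""
    root = ET.fromstring(xml_text)
    problems = []
    if AUDIENCE not in [a.text for a in root.iterfind(".//saml:Audience", NS)]:
        problems.append(("wrong-audience", AUDIENCE))
    attrs = {}
    for attr in root.iterfind(".//saml:Attribute", NS):
        name = attr.get("Name", "")
        attrs[name] = [(v.text or "").strip() for v in attr.iterfind("saml:AttributeValue", NS)]
        if "/" in name:                      # Namespace field was not emptied
            problems.append(("namespaced", name))
    problems += [("missing", n) for n in REQUIRED if n not in attrs]
    for role in attrs.get("groups", []):
        if " " in role:                      # WACM role names use dashes
            problems.append(("role-has-space", role))
        elif role not in expected_roles:     # not one of the roles you created
            problems.append(("unknown-role", role))
    return problems


if __name__ == "__main__":
    for problem, detail in check_assertion(SAMPLE):
        print(f"{problem}: {detail}")
```

Pass the full set of app role values you created in Azure as `expected_roles`; the default contains only the one role name this page spells out.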
