- 19 Dec 2023
- 5 Minutes to read
- Print
- PDF
How do I use SSO for Wasabi Console access using Azure Active Directory?
- Updated on 19 Dec 2023
- 5 Minutes to read
- Print
- PDF
Wasabi supports SSO (Single Sign On) functionality for enterprise/educational accounts using Azure Active Directory based on SAML2 (Security Assertion Markup Language).
This knowledge base will provide the configuration instructions for the administrator and SSO user to properly configure and complete a Wasabi login using your organization's Azure Active Directory IdP. This article provides additional information beyond what is provided in the Wasabi Management Console Guide for this feature.
NOTE: In order to configure Wasabi SSO, you will need to be a paid account and log in as the root Wasabi email address.
Below are the steps you will need to follow to accomplish SSO Logins using Azure Active Directory.
1. Log into your Azure Portal (https://portal.azure.com)
2. Navigate to the Azure Active Directory
3. You will first need to create a new Enterprise application.
Navigate to Enterprise application then click on New application
Click on Create your own application
4. Name your Enterprise application and leave the application with the defaults. Hit Create once naming the app.
5. Now click into the newly created Enterprise Application and click on Single sign-on and select on SAML
6a. Next hit Edit on the Basic SAML Configurations. Then hit Save once the URLs are pasted.
Copy and paste the following to the corresponding entries -
- Audience URL (SP Entity ID) / Identifier (Entity ID) - https://sso.wasabisys.com/saml
- Single Sign On URL/ Reply URL - https://sso.wasabisys.com/login/callback
On this page as well please download the Certificate (Base64) by clicking Download. You will also need to copy the Login URL and Logout URL (optional). We will need these later to enter into the Wasabi console.
6b. If you downloaded the Federation Metadata XML, you do not need the Login URL/Logout URL.
If you downloaded the Certificate (Base64) then you will also need to copy the Login URL and Logout URL. We will need these later to enter into the Wasabi console.
7. We will next create a role on the application in Azure. Return to the Azure Active Directory then click on App registrations, and select the Enterprise application you have created.
8. Click on App role on the left-hand side. Create a new app role within this application. Click on Create app role
Name the role and make note of the role name you created. (NOTE: Do NOT put any spaces in the role name because we will need to create the same role name within the Wasabi Console for authentication.)
For the Value please put in the same name as the display name and the role name you will be creating in Wasabi.
Click on Apply when done
9. Assign your user(s)/group(s) to this role within the application
Click back to Enterprise Application and go to Users and groups
Click on Add user/group to add users or groups to assign the role that you have created to have access to Wasabi as well.
Next choose the role that we created in step 8 and then hit Assign
10. Add an User Attributes to the application
In the Enterprise application go to Single sign-on and hit Edit under the Attributes & Claims
11. You will then Add new claim
You will need to put the information below into the new claim:
Name: groups
Click on Claim conditions
User type: Any (or another value that will match your use case)
Scoped Groups: Select group(s) in Azure AD that you wish to add. Make sure the user(s) you wish to be able to access the Wasabi Console is in the group you select.
Source: Attribute
Value: user.assignedroles
Then hit Save
12a. Now log in as the root email user on the Wasabi Web Console
Click on Settings on the left-hand side and click on SSO (Single Sign On) Tab:
Note: If you do not see an SSO (Single Sign On) tab then you are on a Wasabi Trial. This feature is only on paid accounts.
- Click on "Select Configuration SSO"
A pop will appear to add an Organization Name. (The Organization Name does have to be unique.)
12b. In Step 6b, if you choose to download the Federation Metadata XML follow the steps below:
(If you chose to download the Certificate (Base64) and want to manually the Azure Login URL then skip to Step 6c)
Click on "+ Choose File" and choose the "<Azure EnterpriseAppName.xml" file you downloaded in step 6b.
Then hit "Save" in the bottom right.
12c. In Step 6b, if you choose to download the Certificate (Base64) and want to manually the Azure Login URL follow the steps below:
- Select the "Enter details manually" radio button.
- Paste the Sign in URL from Step 6b.
- Upload the X509 Signing Certificate from Step 6b. Should be a .cer file.
- Paste the Sign Out URL (Optional)
Then hit "Save" in the bottom right.
13. A Wasabi role will need to be created in order for SSO roles to work in the Console. They must be assigned to users within your organization's Identity Provider, and be returned to Wasabi in SSO claims. Without this, we will be unable to match a user with a role.
Under the SSO tab, click on Create Role.
Note: Do not create the role through the Role tab on the left. SSO roles must be created through the SSO tab in Settings.
14. A Create Role window will appear. Please enter the Azure role name you created in Step 8.
For the Wasabi role name use the same name as the Azure role name created in Step 8.
15. Now we will assign a Policy for this Role in order to give the user specific access. Hit "Create Role" once finished.
Note: you can give the role multiple policies.
Please see What are the default policies available in the Wasabi Console? for more information on the default policies available in the Wasabi Console or you can create your own IAM policies through the Policy tab on the Wasabi console.
Note: This example uses the AdministratorAccess policy. You may attach any Wasabi-managed policy/user-managed policy based on your requirements.
You should now see the Wasabi Role you have created in the SSO tab in Settings.
16. Now test the Wasabi SSO. Please go to https://console.wasabisys.com
Click on "SIGN IN WITH SSO"
17. There are two ways to sign in with SSO to the Wasabi Account.
Two options are:
- Use the organization name you provided in 12a
or
- Use the Wasabi Root Account email address
18. It will now redirect you to the Azure AD login page. Please complete the Azure AD login. Once authenticated, it will redirect you back to the Wasabi Console where you can perform the necessary functions based on the Role assigned to the user.
For any issues or questions. Please contact via email to support@wasabi.com.