How do I use SSO for Wasabi Console access using Azure Active Directory?
    • 19 Dec 2023


    Article summary

    Wasabi supports SSO (Single Sign-On) for enterprise/educational accounts using Azure Active Directory, based on SAML 2.0 (Security Assertion Markup Language).

    This knowledge base article provides the configuration instructions an administrator and an SSO user need to configure and complete a Wasabi login using your organization's Azure Active Directory IdP. It provides additional information beyond what is in the Wasabi Management Console Guide for this feature.

    NOTE: To configure Wasabi SSO, you need a paid account and must log in as the root Wasabi email address.

    Below are the steps to follow to enable SSO logins using Azure Active Directory.

    1. Log into your Azure Portal (https://portal.azure.com)

    2. Navigate to Azure Active Directory

    3. You will first need to create a new Enterprise application.

    Navigate to Enterprise applications, then click New application

    [Screenshot: New application]

    Click on Create your own application

    [Screenshot: Create your own application]

    4. Name your Enterprise application and leave the remaining settings at their defaults. Click Create once you have named the app.

    [Screenshot: Naming the new application]

    5. Now click into the newly created Enterprise application, click Single sign-on, and select SAML

    [Screenshot: Choosing the SAML single sign-on method]

    6a. Next, click Edit on the Basic SAML Configuration section. Paste the URLs below, then click Save.

    Copy and paste the following values into the corresponding entries:

    - Audience URL (SP Entity ID) / Identifier (Entity ID): https://sso.wasabisys.com/saml

    - Single Sign On URL / Reply URL: https://sso.wasabisys.com/login/callback


    On this same page, download either the Federation Metadata XML or the Certificate (Base64) by clicking Download. Which one you choose determines what else you need to copy:

    6b. If you downloaded the Federation Metadata XML, you do not need the Login URL/Logout URL; the metadata file already contains them.

    If you downloaded the Certificate (Base64), you will also need to copy the Login URL and the Logout URL (optional). These values are entered into the Wasabi console later.
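    The two download options in step 6b carry the same information in different shapes: the Federation Metadata XML bundles the IdP entity ID, the sign-in/sign-out endpoints and the signing certificate that you would otherwise copy by hand in step 12c. The script below is an added example, not Wasabi's or Microsoft's code, that parses a SAML 2.0 IdP metadata file and extracts exactly those fields, writing the certificate out in the PEM form a .cer download has. The metadata embedded in it is a constructed sample in the shape Azure AD exports; the tenant id and certificate body are placeholders. It also refuses SP metadata (the kind Wasabi itself would publish), which is the most common wrong file to upload.

```python
"""Extract the sign-in URL, sign-out URL and X.509 signing certificate that the
Wasabi 'Enter details manually' form asks for from SAML 2.0 IdP federation
metadata. Example code; not Wasabi's or Microsoft's own tooling."""
import textwrap
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample in the shape Azure AD exports. The tenant id (all zeros)
# and the certificate body are placeholders, not real values.
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/00000000-0000-0000-0000-000000000000/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>MIIC0PLACEHOLDERCERTBODY==</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def parse_idp_metadata(xml_text):
    """Return entity_id, sign_in_url, sign_out_url and signing_certs (PEM strings)."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not a SAML EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        # SP metadata (SPSSODescriptor) describes Wasabi, not your IdP.
        raise ValueError("metadata has no IDPSSODescriptor; is this SP metadata?")

    def location(tag):
        # Prefer the HTTP-Redirect binding, which is what a browser-initiated
        # login follows; otherwise take the first endpoint listed.
        endpoints = idp.findall("md:%s" % tag, NS)
        for ep in endpoints:
            if ep.get("Binding") == REDIRECT:
                return ep.get("Location")
        return endpoints[0].get("Location") if endpoints else None

    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        # use="signing", or no 'use' attribute (which means both uses), qualifies.
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            body = "".join((cert.text or "").split())  # strip embedded whitespace
            certs.append("-----BEGIN CERTIFICATE-----\n"
                         + "\n".join(textwrap.wrap(body, 64))
                         + "\n-----END CERTIFICATE-----\n")
    if not certs:
        raise ValueError("no signing certificate in metadata")
    return {
        "entity_id": root.get("entityID"),
        "sign_in_url": location("SingleSignOnService"),
        "sign_out_url": location("SingleLogoutService"),
        "signing_certs": certs,
    }


if __name__ == "__main__":
    info = parse_idp_metadata(SAMPLE_METADATA)
    print("IdP entity ID:", info["entity_id"])
    print("Sign in URL:  ", info["sign_in_url"])
    print("Sign out URL: ", info["sign_out_url"])
    print("Signing certificate(s):", len(info["signing_certs"]))
    print(info["signing_certs"][0])
```

    Run it against the file you downloaded by replacing SAMPLE_METADATA with the file's contents; the sign-in URL it prints is the value the console calls Sign in URL in step 12c, and each PEM block can be saved as a .cer file for the X509 Signing Certificate upload. More than one signing certificate in the metadata usually means the IdP is rolling its certificate, so keep the Wasabi side in step with whichever one is active.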


    7. Next, create a role on the application in Azure. Return to Azure Active Directory, click App registrations, and select the Enterprise application you created.

    [Screenshot: App registrations]

    8. Click App roles on the left-hand side, then click Create app role to create a new app role within this application.

    Name the role and make a note of the role name you created. (NOTE: Do NOT put any spaces in the role name, because the same role name must be created within the Wasabi Console for authentication.)

    For the Value, enter the same name as the display name; this is also the role name you will create in Wasabi.

    Click Apply when done

    [Screenshot: Create app role]

    9. Assign your user(s)/group(s) to this role within the application

    Go back to the Enterprise application and open Users and groups. Click Add user/group to add the users or groups that should have access to Wasabi. Choose the role created in step 8, then click Assign.

    [Screenshot: Role assignment]

    10. Add a user attribute to the application
    In the Enterprise application, go to Single sign-on and click Edit under Attributes & Claims


    11. Click Add new claim

    Enter the information below into the new claim:

    • Name: groups

    Click Claim conditions

    • User type: Any (or another value that matches your use case)

    • Scoped Groups: Select the group(s) in Azure AD that you wish to add. Make sure the user(s) who should be able to access the Wasabi Console are in the group you select.

    • Source: Attribute

    • Value: user.assignedroles

    Then click Save


    12a. Now log in as the root email user on the Wasabi Web Console

    Click Settings on the left-hand side, then click the SSO (Single Sign On) tab:

    Note: If you do not see an SSO (Single Sign On) tab, you are on a Wasabi Trial. This feature is only available on paid accounts.

    - Click "Select Configuration SSO"

    A pop-up will appear asking for an Organization Name. (The Organization Name has to be unique.)

    12b. If in Step 6b you chose to download the Federation Metadata XML, follow the steps below:

    (If you chose to download the Certificate (Base64) and want to enter the Azure Login URL manually, skip to Step 12c.)

    Click "+ Choose File" and choose the "<Azure EnterpriseAppName>.xml" file you downloaded in step 6b.

    Then click "Save" in the bottom right.

    12c. If in Step 6b you chose to download the Certificate (Base64) and want to enter the Azure Login URL manually, follow the steps below:

    - Select the "Enter details manually" radio button.

    - Paste the Sign in URL from Step 6b.

    - Upload the X509 Signing Certificate from Step 6b. This should be a .cer file.

    - Paste the Sign Out URL (optional).

    Then click "Save" in the bottom right.

    13. A Wasabi role must be created for SSO roles to work in the Console. Roles are assigned to users within your organization's Identity Provider and returned to Wasabi in the SSO claims; without a matching Wasabi role, Wasabi cannot match a user with a role.

    Under the SSO tab, click Create Role.

    Note: Do not create the role through the Roles tab on the left. SSO roles must be created through the SSO tab in Settings.

    14. A Create Role window will appear. Enter the Azure role name you created in Step 8.

    For the Wasabi role name, use exactly the same name as the Azure role name created in Step 8.
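    Steps 8, 11, 13 and 14 together form one matching rule: the Value of the Azure app role is emitted as the groups claim (source user.assignedroles), and Wasabi looks for an SSO role of that exact name. The script below is an added example, not Wasabi's matching logic, that shows that rule on a constructed SAML assertion: it pulls the values of the groups claim, matches them against a list of Wasabi SSO role names, and, when nothing matches, points at the two mistakes this article warns about (a space in the role name, or a name that differs only in case). The issuer, subject and assertion ID are placeholders, the assertion carries no signature, and the script does no signature, audience or validity checking; those are the job of the real service provider, and this code must not be used as one. Whether Wasabi's comparison is case-sensitive is an assumption here (the code treats it as exact), which is one more reason to use identical names on both sides.

```python
"""Map the 'groups' SAML claim onto Wasabi SSO role names. Example code only;
it is not Wasabi's matching logic and performs no signature, audience or
validity checks on the assertion."""
import re
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
CLAIM_NAME = "groups"  # the claim name configured in step 11

# Constructed sample assertion (signature omitted; issuer, subject and ID are
# placeholders). Azure AD places the app role's Value in the 'groups' claim
# because the claim source was set to user.assignedroles.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_placeholder-id" Version="2.0" IssueInstant="2023-12-19T00:00:00Z">
  <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
  <saml:Subject><saml:NameID>user@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>WasabiAdmin</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
      <saml:AttributeValue>user@example.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def validate_role_name(name):
    """Enforce the step 8 rule: a non-empty role name containing no whitespace."""
    if not name or re.search(r"\s", name):
        raise ValueError("role name must be non-empty and contain no spaces: %r" % name)
    return name


def claim_values(assertion_xml, claim_name=CLAIM_NAME):
    """Return every AttributeValue of the named claim, in document order.
    Works whether the root element is the Assertion or a Response wrapping it."""
    root = ET.fromstring(assertion_xml)
    values = []
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        if attr.get("Name") != claim_name:
            continue
        for value in attr.findall("saml:AttributeValue", SAML_NS):
            values.append((value.text or "").strip())
    return values


def match_roles(claimed, wasabi_roles):
    """Exact string match of claimed values against Wasabi SSO role names.
    Assumption: Wasabi compares the names exactly; hence the advice to use
    the same name on both sides."""
    for role in wasabi_roles:
        validate_role_name(role)
    return [role for role in wasabi_roles if role in claimed]


def diagnose(claimed, wasabi_roles):
    """Explain a failed match in terms of the mistakes this article warns about."""
    problems = []
    if not claimed:
        problems.append("claim '%s' missing: check Attributes & Claims (step 11)" % CLAIM_NAME)
    for value in claimed:
        if re.search(r"\s", value):
            problems.append("claimed value %r contains whitespace (step 8)" % value)
        for role in wasabi_roles:
            if value != role and value.lower() == role.lower():
                problems.append("%r differs from Wasabi role %r only in case" % (value, role))
    return problems


if __name__ == "__main__":
    roles = ["WasabiAdmin", "WasabiReadOnly"]  # constructed Wasabi SSO role names
    claimed = claim_values(SAMPLE_ASSERTION)
    print("claimed:", claimed, "-> matched:", match_roles(claimed, roles))
    print("case-mismatch diagnosis:", diagnose(["wasabiadmin"], roles))
    print("missing-claim diagnosis:", diagnose([], roles))
```

    To use it on a real login, paste the decoded SAMLResponse captured from your own browser's developer tools into SAMPLE_ASSERTION; claim_values searches below the root, so the Response wrapper does not need to be stripped. An empty claimed list usually means the groups claim was not added or its condition did not match the user (step 11), while a populated list that matches nothing is nearly always a naming difference between the Azure role Value and the Wasabi role.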


    15. Now assign a Policy to this Role to give the user specific access. Click "Create Role" once finished.

    Note: you can give the role multiple policies.

    See "What are the default policies available in the Wasabi Console?" for more information on the default policies available in the Wasabi Console, or create your own IAM policies through the Policy tab in the Wasabi console.


    Note: This example uses the AdministratorAccess policy. You may attach any Wasabi-managed policy/user-managed policy based on your requirements.

    You should now see the Wasabi Role you have created in the SSO tab in Settings.


    16. Now test Wasabi SSO. Go to https://console.wasabisys.com

    Click "SIGN IN WITH SSO"


    17. There are two ways to sign in with SSO to the Wasabi account:

    - Use the Organization Name you provided in step 12a

    or

    - Use the Wasabi Root Account email address

    18. It will now redirect you to the Azure AD login page. Please complete the Azure AD login. Once authenticated, it will redirect you back to the Wasabi Console where you can perform the necessary functions based on the Role assigned to the user.


    For any issues or questions, please contact support@wasabi.com.