How do I use SSO for Wasabi Console access using Shibboleth and SAML2
    • 18 Dec 2023
    • 2 Minutes to read
    • PDF

    How do I use SSO for Wasabi Console access using Shibboleth and SAML2

    • PDF

    Article summary

    Wasabi supports SSO (Single Sign On) functionality for enterprise/educational accounts using the Shibboleth IdP (Identity provider) based on SAML2 (Security Assertion Markup Language).

    This article will provide the configuration instructions for both the IdP administrator and SSO user to properly configure and complete a Wasabi Console login using the organization's Shibboleth SSO service.  This article provides additional information beyond what is provided in the Wasabi Management Console Guide for this feature.

    NOTE: In order to configure Wasabi SSO, you will need to be a paid account and log in as the root Wasabi email address.

    Before setting up Shibboleth IdP with the Wasabi Console, you will need the following to input into the Wasabi console.

    - Shibbeloth Sign on URL

    - Shibboleth x509 Signing Certificate

    1a. Log into the Wasabi console using the root account email address. 

    Point a web browser to https://console.wasabisys.com 

    Screen Shot 2023-08-07 at 12.50.05 PM.png

    1b. Once logged in as the root Wasabi email address. Navigate to Settings on the left menu. 

    Scroll down the settings to SSO (Single Sign On) 

    Configure the connection type to SAML

    Input the Sign on URL from your Shibboleth Set Up

    Upload the x509 Singing Certificate to the Wasabi console.

    Screen Shot 2023-06-14 at 3.29.02 PM.png

    Hit Save connection once set. 

    1c. Please note down the Callback URL and Audience URL from the same SSO settings tab for the Shibboleth application.

    2a. Create a Wasabi Role

    Scrolling down you will see a Create Role button
    blobid37.png2b. A create role popup will appear. Please enter a role name. 

    Note this role name, you will need to add this to the Attribute Value in Step 3.
    Screen Shot 2023-06-14 at 4.43.14 PM.png

    The user-assigned role in Shibboleth will be assigned to the same Wasabi role.

    Now we will assign a Policy for this Role in order to give the user specific access.
    Hit "Create Role" once finished. 

    Note: you can give the user multiple policies if you like for this role.

    Please see What are the default policies available in the Wasabi Console? for more information on the default policies available in the Wasabi Console or you can create your own IAM policies through the Policy tab on the Wasabi console.

    blobid38.png

    Note:  This example uses the AdministratorAccess policy. You may attach any Wasabi-managed policy/user-managed policy based on your requirements.

    You should now see the Wasabi Role you have created in the SSO tab in Settings.

    Screen

    3. Shibboleth Administrator Configuration for Wasabi Console

    The attributes used in the SAML assertion are shown below:

    Please direct the attribute name to: http://schemas.auth0.com/https://sso.wasabisys.com/groups
    The Attribute Value is the Wasabi role name you created in Step 2b.

    Below is an example of the SAML Group assertion. 
    NOTE: Change the Attribute Value to the role name you wish to use. The role name needs to be the exact same value in the Wasabi role as well. (No spaces)

    saml:Attribute Name="http://schemas.auth0.com/https://sso.wasabisys.com/groups" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
    CHANGE_ME_FOR_WASABI_ROLE_NAME
    

    Below is an example of the SAML Email assertion. Needed as well. This email will show on the audit logs and User ID on the console. 

    NOTE: Change the Attribute Value to the email address of the user logging through the IdP. 

    
       http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">EMAILADDRESS
    


    Input the following URLs into the Shibboleth setting to point back to the Wasabi SSO:
    Wasabi SSO Callback URL
    : https://sso.wasabisys.com/login/callback

    Audience URL: https://sso.wasabisys.com/login/callback

    4. Now test the Wasabi SSO. Please go to https://console.wasabisys.com

    Click on "SIGN IN WITH SSO"

    Screen

    5. Enter the Wasabi Root user email address. 

    Screen

     

    6. This should re-direct you to the Shibbeloth login page of your IdP. Enter the username/password of your company's SSO. 

    7. Once you have successfully logged in with your company's IdP username/password. You will be then redirected back to the Wasabi Console. 

    Screen

    Note: your view of the Wasabi console may look different due to the IAM policy set under the SSO role you have created. 

    For any issues or questions. Please contact via email to support@wasabi.com