SSO for Wasabi Console Access Using SAML2 Integration With JumpCloud


Wasabi offers Single Sign-On (SSO) functionality for Wasabi accounts using the JumpCloud (identity provider) system, based on SAML2 (Security Assertion Markup Language) integration.

This article provides configuration instructions for both the IdP administrator and the SSO user to properly configure and complete a Wasabi Console login using your organization's JumpCloud SSO service. It also includes additional details beyond those provided in the Wasabi Management Console Guide for this feature.  

To configure Wasabi SSO, you must have a paid account and log in with the Root Wasabi email address. For more information, contact support@wasabi.com.

Configuring SAML App in JumpCloud (IdP Side)

  1. Log in to your admin account at jumpcloud.com as an Administrator.

  2. Select SSO in the left menu and click Add New Application in the Configured Applications panel.

  3. Click Custom SAML App at the bottom of the panel.

  4. In the SSO tab Application Information section, enter the application name in the Display Label box, for example, "Wasabi-SSO."

  5. In the Single Sign-On Configuration section, enter the following:

    — IdP Entity ID: Wasabi
    NOTE: The IdP entity ID is the unique, case-sensitive identifier used by JumpCloud for this service provider. Be sure that the value you enter matches the Identity Provider entity ID you configured on the Wasabi Console SSO configuration page.

    — SP Entity ID: https://sso.wasabisys.com/saml

    — ACS URL: https://sso.wasabisys.com/login/callback

  6. Scroll down to the Signature Algorithm section and perform the following:

    — Check Sign Assertion.

    — Enter the Login URL: https://console.wasabisys.com.

    — In the User Attribute Mapping box, click add attribute and then enter the Service Provider Attribute Name as email, and select email from the JumpCloud Attribute Name drop-down.

    — In the Group Attributes box, check Include group attribute and type groups.

  7. Click Activate. A confirmation dialog is displayed.

    NOTE: SSO role mapping is based on the group names you create.

  8. Click Continue to create an SSO connector.

  9. Select User Groups in the left menu. You can create user groups based on your personal or company use case.
    NOTE: User group settings depend on your organization's requirements.

  10. To add a new user group, click the green "+" sign. The New User Group panel is displayed.

  11. In the Details tab Group Configuration section, enter a group name in the Name box, for example: “WasabiAdmin.” Click Save.

    NOTE: The group name must match the Wasabi role name in the Wasabi Console, which we will create later.

  12. Select the Users tab. Check the users to add to the user group.

  13. Select the Applications tab. Check the applications for the user group. Click Save.

  14. Now, you will download the IDP certificate. To do so, select SSO in the left menu, then choose the application you previously created.

  15. In the Single Sign-On pane, select the IDP Certificate Valid drop-down and choose Download Certificate. The .pem file will be downloaded.

  16. In the SSO tab, scroll down to the IDP URL box and copy the URL.

Configuring SAML Settings in Wasabi Console (SP / Client Side)

  1. Sign in to the Wasabi Console at https://console.wasabisys.com/login using a Root account email.

  2. Click Settings in the left menu, then select the SSO (Single Sign On) tab.
    NOTE: If you do not see the SSO (Single Sign On) tab, then you are using a Wasabi Console trial account. This feature is only available to paid accounts.

  3. In the Select Configuration section drop-down, select SAML.

  4. In the SAML Connection section General box, paste the URL previously copied.

  5. In the X509 Signing Certificate box, upload the IDP certificate (.pem file).

  6. Click Save Connection.

  7. In the SSO tab, click Create Role to create an SSO role in the Wasabi Console. The SSO role must be assigned to users within your organization's Identity Provider and returned to Wasabi in SSO claims to match a user to a role.
    NOTE: Do not create the role through the Roles tab in the left menu. SSO roles must be created through the SSO tab in Settings.

  8. In the Create Role dialog, enter the name you created in the JumpCloud Details tab, for example, “WasabiAdmin.” Click Next.

  9. In the Assign Role Policies panel, select one or more policies for this new role to provide user-specific access. Click Create Role.
    For more information on default policies or creating your own IAM policies for the Wasabi Console, see What are the default policies available in the Wasabi Console?

    NOTE: This example uses the AdministratorAccess policy. You may attach any Wasabi-managed policy/user-managed policy based on your requirements.
    You should now see the Wasabi Role you created in the SSO tab in Settings.

Testing the Integration

  1. Sign in to the Wasabi Console at https://console.wasabisys.com to test the SSO configuration.

  2. Enter the Wasabi Console Root user email address. Click Continue.

    You are redirected to the JumpCloud login page of your IdP. Sign in as the user who has access to the Wasabi Console application.

    Once you have successfully logged in with your company's JumpCloud username/password, you are then redirected to the Wasabi Console.

    NOTE: Your view of the Wasabi Console may differ depending on the IAM policy set for the SSO role you created.
    For issues or questions, contact support@wasabi.com.
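
If the test login fails, a captured SAML assertion can be compared against the values configured above. The following is an added troubleshooting example, not Wasabi or JumpCloud code: the function name check_assertion and the SAMPLE assertion are constructed for illustration, and it assumes the standard SAML 2.0 layout in which Issuer carries the IdP Entity ID, Audience the SP Entity ID, and Recipient the ACS URL.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
# Values from the JumpCloud configuration steps in this article.
EXPECTED = {"issuer": "Wasabi", "audience": "https://sso.wasabisys.com/saml",
            "recipient": "https://sso.wasabisys.com/login/callback"}

# Constructed sample with two deliberate mistakes: Issuer case, group name.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
 xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<saml:Issuer>wasabi</saml:Issuer><ds:Signature/>
<saml:Subject><saml:SubjectConfirmation><saml:SubjectConfirmationData
 Recipient="https://sso.wasabisys.com/login/callback"/></saml:SubjectConfirmation></saml:Subject>
<saml:Conditions><saml:AudienceRestriction><saml:Audience>https://sso.wasabisys.com/saml</saml:Audience>
</saml:AudienceRestriction></saml:Conditions><saml:AttributeStatement>
<saml:Attribute Name="email"><saml:AttributeValue>user@example.com</saml:AttributeValue></saml:Attribute>
<saml:Attribute Name="groups"><saml:AttributeValue>Wasabi-Admins</saml:AttributeValue></saml:Attribute>
</saml:AttributeStatement></saml:Assertion>"""

def check_assertion(xml_text, role_name, expected=EXPECTED):
    """Return mismatches between a captured assertion and the documented settings."""
    root = ET.fromstring(xml_text)
    a = root if root.tag.endswith("}Assertion") else root.find(".//saml:Assertion", NS)
    if a is None:
        return ["no saml:Assertion element found"]
    problems = []
    # Presence check only; this does not verify the signature cryptographically.
    if a.find("ds:Signature", NS) is None:
        problems.append("assertion is unsigned (is Sign Assertion checked?)")
    issuer = a.findtext("saml:Issuer", "", NS).strip()
    if issuer != expected["issuer"]:  # entity IDs are case-sensitive
        problems.append(f"Issuer {issuer!r} != IdP Entity ID {expected['issuer']!r}")
    audiences = [e.text.strip() for e in a.findall(".//saml:Audience", NS) if e.text]
    if expected["audience"] not in audiences:
        problems.append(f"Audience {audiences} lacks the SP Entity ID")
    scd = a.find(".//saml:SubjectConfirmationData", NS)
    recipient = scd.get("Recipient") if scd is not None else None
    if recipient != expected["recipient"]:
        problems.append(f"Recipient {recipient!r} != ACS URL")
    attrs = {at.get("Name"): [v.text.strip() for v in at.findall("saml:AttributeValue", NS) if v.text]
             for at in a.findall(".//saml:Attribute", NS)}
    if not attrs.get("email"):
        problems.append("missing 'email' attribute")
    if role_name not in attrs.get("groups", []):  # exact match is an assumption
        problems.append(f"groups {attrs.get('groups', [])} lacks role {role_name!r}")
    return problems

if __name__ == "__main__":
    print("\n".join(check_assertion(SAMPLE, "WasabiAdmin")) or "OK")
```

Pass the role name created in the Wasabi Console SSO tab as role_name; an empty result means the assertion agrees with the settings in this article.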