How do I use SSO for Wasabi Console access using SAML integration with OneLogin?

Wasabi supports SSO (Single Sign-On) for Wasabi accounts using the OneLogin identity provider (IdP) through SAML integration. This article provides the configuration instructions for both the IdP administrator and the SSO user to configure and complete a Wasabi Console login using the organization's OneLogin SSO system.

This article provides additional information beyond what is provided in the Wasabi Management Console Guide for this feature. 

 

NOTE: In order to configure Wasabi SSO, you will need a paid Wasabi account and must log in as the root Wasabi email address.

 

1. Begin by logging into the OneLogin account. Go to the Administrator view. Click on Applications --> Applications, then click Add App.

 

 

2. Search for “saml test” in the search bar and select “SAML Test Connector (IdP)”.

 

 

 

3. Give a name for this Application. Hit Save once named. 

 

4. Once saved, go to Configuration and fill in the following:

Audience - https://sso.wasabisys.com/saml

ACS (Consumer) URL Validator - https://sso.wasabisys.com/login/callback

ACS (Consumer) URL - https://sso.wasabisys.com/login/callback

Hit Save once filled in. 

 

 

5. Next go to Parameter on the left-hand side. Click the + sign on SAML Test Connector (IdP) Field to add a SAML assertion.

 

6. A pop-up will appear. In the Field name, type "groups" and check the Include in SAML assertion box. Then hit Save.

 

On the next screen put the Value as User Roles from the dropdown.

 

7. Click + again to create another parameter. Name this one "email" and check the Include in SAML assertion box.

 

On the next screen put the Value as Email in the dropdown.

 

8. On the application, go to SSO and hit View Details under the X.509 Certificate.

Next, download the certificate. Leave the certificate in X.509 PEM format.

 

9. We will need to create roles to assign to the Wasabi role. Go to Users --> Roles.

 

 

Name the OneLogin role and click on the App we created in Step 3. In this example I used "WasabiAdmin".

Note: Name the role with no spaces. We will need to use the same name for the Wasabi Role.

 

 

10. We will need to add the users you wish to give access to the Wasabi console into the role you just created in Step 9. Go to Users --> Users.

 

Click on the User you wish to give access to the Wasabi console. Click on Applications and select the WasabiAdmin role. Once selected click Save User in the top right.

 

11. Go back to the application you created in Step 2. Go to the SSO tab on the left side. 

Copy the SAML 2.0 Endpoint (HTTP). Note this URL down; it will need to be entered into the Wasabi Console.

 

12. Next, open a new tab or window and go to https://console.wasabisys.com to log into your root Wasabi email account. Go to Settings on the left-hand side and expand the SSO (Single Sign On) section.

Note: The Wasabi account does need to be a paid account in order to configure the SSO. 

 

12a.  Click on Select Configuration and switch to SAML

12b. Paste in the URL that you have copied in Step 11

12c. Click on the + CHOOSE FILE and select the x509 certificate you downloaded in Step 8

 

Hit SAVE CONNECTION once the information has been filled out. 


 

13. A Wasabi role will need to be created in order for the SSO roles to work in the Console. The roles must be assigned to users within your organization's Identity Provider and be returned to Wasabi in SSO claims. Without this, we will be unable to match a user with a role.

Click on Create Role in the SSO tab in Settings. 

Note: Do not create the role through the Role tab on the left. SSO roles must be created through the SSO tab in Settings. 

 

14. A Create Role window will appear. Please enter the OneLogin role name you created in Step 9. 

For the Wasabi role name use the same name as the OneLogin role name created in Step 9.

 


 

15. Now we will assign a Policy for this Wasabi Role in order to give the user specific access. Hit "Create Role" once finished. 

Note: you can give the role multiple policies.

Please see "What are the default policies available in the Wasabi Console?" for more information on the default policies available in the Wasabi Console, or create your own IAM policies through the Policy tab on the Wasabi console.

Note:  This example uses the AdministratorAccess policy. You may attach any Wasabi-managed policy/user-managed policy based on your requirements.

 

You should now see the Wasabi Role you have created in the SSO tab in Settings. 

 

 

16. Now test the Wasabi SSO. Please go to https://console.wasabisys.com

Click on "SIGN IN WITH SSO"


 

17. Enter the Wasabi Root user email address. 


18. It will now redirect you to the OneLogin AD login page. Please complete the OneLogin login. Once authenticated, it will redirect you back to the Wasabi Console, where you can perform the necessary functions based on the Role/Policy assigned to the user.
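
If the login succeeds at OneLogin but no role is matched in the Console, the values configured in Steps 4 to 7, 9 and 14 can be checked in a decoded assertion from your own test login. The following is an added example, not Wasabi or OneLogin code: `check_assertion` is a hypothetical helper, the sample assertion is constructed, and exact-string matching of role names is an assumption.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EXPECTED_AUDIENCE = "https://sso.wasabisys.com/saml"  # Audience from Step 4

# Constructed sample of a decoded assertion (not captured from a real tenant).
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Conditions><saml:AudienceRestriction>
    <saml:Audience>https://sso.wasabisys.com/saml</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="email">
      <saml:AttributeValue>user@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>WasabiAdmin</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def check_assertion(xml_text, wasabi_sso_roles):
    """Return a list of configuration problems found in a decoded assertion.

    Diagnostic only: this does NOT verify the XML signature, so use it only
    on an assertion issued by your own IdP during a test login.
    """
    root = ET.fromstring(xml_text)
    problems = []
    audiences = [a.text.strip() for a in root.iterfind(".//saml:Audience", NS) if a.text]
    if EXPECTED_AUDIENCE not in audiences:
        problems.append(f"Audience is {audiences}, expected {EXPECTED_AUDIENCE}")
    # Collect every attribute the IdP included in the assertion (Steps 5 to 7).
    attrs = {}
    for attr in root.iterfind(".//saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text.strip()
                                   for v in attr.iterfind("saml:AttributeValue", NS) if v.text]
    if not attrs.get("email"):
        problems.append("missing 'email' attribute")
    groups = attrs.get("groups", [])
    if not groups:
        problems.append("missing 'groups' attribute")
    for g in groups:
        if " " in g:  # Step 9: role names must contain no spaces
            problems.append(f"role name contains a space: {g!r}")
    # Assumption: the role name must equal the name entered in Step 14 exactly.
    if groups and not set(groups) & set(wasabi_sso_roles):
        problems.append(f"no 'groups' value {groups} matches a Wasabi SSO role")
    return problems

if __name__ == "__main__":
    print(check_assertion(SAMPLE, ["WasabiAdmin"]) or "assertion matches the configuration")
```
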

 


 

For any issues or questions, please contact support@wasabi.com via email.

 

 

 

 

 

 
