How do I use SSO for Wasabi Console access using Azure Active Directory?

Wasabi supports SSO (Single Sign On) functionality for enterprise/educational accounts using Azure Active Directory based on SAML2 (Security Assertion Markup Language). 

 

This knowledge base article provides the configuration instructions an administrator and an SSO user need to set up and complete a Wasabi login using your organization's Azure Active Directory IdP. It provides additional information beyond what is in the Wasabi Management Console Guide for this feature.

NOTE: In order to configure Wasabi SSO, you will need to have a paid account and log in as the root Wasabi email address.

 

Below are the steps you will need to follow to enable SSO logins using Azure Active Directory.

 

1. Log into your Azure Portal (https://portal.azure.com).

2. Navigate to Azure Active Directory.

 

3. You will first need to create a new Enterprise application.

Navigate to Enterprise applications, then click New application.

[Screenshot: New application]

Click Create your own application.

[Screenshot: Create your own application]

 

 

4. Name your Enterprise application and leave the remaining settings at their defaults. Click Create once the app is named.

[Screenshot: Name the application]

 

5. Now click into the newly created Enterprise application, click Single sign-on, and select SAML.

[Screenshot: Select a single sign-on method]

 

6a. Next, click Edit on Basic SAML Configuration. Copy and paste the following into the corresponding entries, then click Save once the URLs are in place:

- Audience URL (SP Entity ID) / Identifier (Entity ID) - https://sso.wasabisys.com/saml

- Single Sign On URL / Reply URL - https://sso.wasabisys.com/login/callback

[Screenshot: Basic SAML Configuration]

On this page, also download the Federation Metadata XML or the Certificate (Base64) by clicking Download.

 

6b. If you downloaded the Federation Metadata XML, you do not need the Login URL/Logout URL.

If you downloaded the Certificate (Base64) then you will also need to copy the Login URL and Logout URL. We will need these later to enter into the Wasabi console. 

 

[Screenshot: SAML certificate download and Login/Logout URLs]

 

7. We will next create a role on the application in Azure. Return to the Azure Active Directory then click on App registrations, and select the Enterprise application you have created. 


[Screenshot: App registrations]

 

8. Click App roles on the left-hand side and create a new app role within this application by clicking Create app role.

Name the role and make note of the role name you created. (NOTE: Do NOT put any spaces in the role name, because we will need to create the same role name within the Wasabi Console for authentication.)

For the Value, enter the same name as the display name; this is the role name you will create in Wasabi.

Click Apply when done.

[Screenshot: Create app role]

 

9. Assign your user(s)/group(s) to this role within the application.

- Go back to the Enterprise application and open Users and groups.
- Click Add user/group to add the users or groups that should have access to Wasabi.
- Choose the role created in Step 8, then click Assign.

[Screenshot: Role assignment]

 

10. Add a user attribute to the application.

In the Enterprise application, go to Single sign-on and click Edit under Attributes & Claims.

 

11. Then click Add new claim.

Enter the following information for the new claim:

- Name: groups

Click on Claim conditions:

- User type: Any (or another value that matches your use case)
- Scoped Groups: Select the group(s) in Azure AD that you wish to add. Make sure the user(s) who should be able to access the Wasabi Console are in the group you select.
- Source: Attribute
- Value: user.assignedroles

Then click Save.

[Screenshot: Add new claim]

12a. Now log in as the root email user on the Wasabi Web Console.

Click Settings on the left-hand side and click the SSO (Single Sign On) tab.

Note: If you do not see an SSO (Single Sign On) tab, you are on a Wasabi Trial. This feature is only available on paid accounts.

- Click "Start Configuration SSO".

A pop-up will appear asking for an Organization Name. (The Organization Name has to be unique.)

[Screenshot: Organization Name]

Now set the Connection Method to SAML.

 

12b. If in Step 6b you chose to download the Federation Metadata XML, follow the steps below.

(If you chose to download the Certificate (Base64) and want to enter the Azure Login URL manually, skip to Step 12c.)

Click "+ Choose File" and choose the "<Azure EnterpriseAppName>.xml" file you downloaded in Step 6b.

Then click "Save" in the bottom right.

[Screenshot: Metadata upload]

 

 

12c. If in Step 6b you chose to download the Certificate (Base64) and want to enter the Azure Login URL manually, follow the steps below:

- Select the "Enter details manually" radio button.

- Paste the Sign in URL (the Login URL from Step 6b).

- Upload the X509 Signing Certificate from Step 6b. This should be a .cer file.

- Paste the Sign Out URL (optional; the Logout URL from Step 6b).

Then click "Save" in the bottom right.

[Screenshot: Enter details manually]
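Steps 6b and 12c hand the same three values from Azure to Wasabi, either inside the Federation Metadata XML or by pasting them one at a time. As an added example (not Wasabi's or Microsoft's code), the following Python script reads the Federation Metadata XML downloaded in Step 6b and extracts exactly what Step 12c asks for by hand: the Login URL, the Logout URL and the X509 signing certificate, written out in the .cer (PEM) form the console expects. The embedded metadata is a constructed sample with an all-zero tenant id and placeholder certificate bytes; the element names and bindings are the standard SAML 2.0 metadata ones Azure AD publishes. Running it against your real download lets you confirm that what you paste into the console matches what the IdP actually publishes, and the SHA-256 fingerprint of the certificate gives you a value to keep so you can tell when Azure has rotated the signing certificate.

```python
"""Pre-flight check of Azure AD federation metadata (added example, stdlib only)."""
import base64
import hashlib
import sys
import textwrap
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample in the shape of Azure AD federation metadata. The tenant id
# is all zeros and the "certificate" is placeholder bytes, not a real key.
PLACEHOLDER_TENANT = "00000000-0000-0000-0000-000000000000"
PLACEHOLDER_DER = b"PLACEHOLDER-DER-CERTIFICATE-BYTES"
_CERT_B64 = base64.b64encode(PLACEHOLDER_DER).decode()

SAMPLE_METADATA = f"""<EntityDescriptor xmlns="{MD}" entityID="https://sts.windows.net/{PLACEHOLDER_TENANT}/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="{DS}">
        <X509Data><X509Certificate>{_CERT_B64}</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleLogoutService Binding="{HTTP_REDIRECT}"
        Location="https://login.microsoftonline.com/{PLACEHOLDER_TENANT}/saml2"/>
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
    <SingleSignOnService Binding="{HTTP_REDIRECT}"
        Location="https://login.microsoftonline.com/{PLACEHOLDER_TENANT}/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _service_location(idp, tag):
    """Location of the HTTP-Redirect endpoint for SingleSignOnService / SingleLogoutService."""
    for svc in idp.findall(f"{{{MD}}}{tag}"):
        if svc.get("Binding") == HTTP_REDIRECT:
            return svc.get("Location")
    return None


def _signing_cert_b64(idp):
    """Base64 DER of the signing cert. A KeyDescriptor without 'use' covers signing too."""
    for kd in idp.findall(f"{{{MD}}}KeyDescriptor"):
        if kd.get("use") not in (None, "signing"):
            continue
        cert = kd.find(f"{{{DS}}}KeyInfo/{{{DS}}}X509Data/{{{DS}}}X509Certificate")
        if cert is not None and cert.text and cert.text.strip():
            return "".join(cert.text.split())   # drop the line breaks Azure inserts
    raise ValueError("metadata contains no X509 signing certificate")


def to_pem(der_b64: str) -> str:
    """Wrap the base64 DER as a PEM .cer file, the form Step 12c uploads."""
    body = "\n".join(textwrap.wrap(der_b64, 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def parse_idp_metadata(xml_text: str) -> dict:
    """Return the values Step 12c asks for, or raise if this is not usable IdP metadata."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD}}}EntityDescriptor":
        raise ValueError("not a SAML 2.0 EntityDescriptor")
    idp = root.find(f"{{{MD}}}IDPSSODescriptor")
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this looks like SP metadata, not IdP metadata")
    cert_b64 = _signing_cert_b64(idp)
    der = base64.b64decode(cert_b64, validate=True)   # rejects a corrupted copy/paste
    login = _service_location(idp, "SingleSignOnService")
    if login is None:
        raise ValueError("no HTTP-Redirect SingleSignOnService endpoint in metadata")
    return {
        "entity_id": root.get("entityID"),
        "login_url": login,                                    # Sign in URL in Step 12c
        "logout_url": _service_location(idp, "SingleLogoutService"),  # Sign Out URL
        "cert_pem": to_pem(cert_b64),
        "cert_sha256": sha256_hex(der),
    }


if __name__ == "__main__":
    # Usage: python3 check_idp_metadata.py <downloaded-metadata>.xml (sample if omitted)
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_METADATA
    info = parse_idp_metadata(text)
    for key in ("entity_id", "login_url", "logout_url", "cert_sha256"):
        print(f"{key:12} {info[key]}")
    with open("azure-signing.cer", "w", encoding="utf-8") as fh:
        fh.write(info["cert_pem"])
    print("wrote azure-signing.cer for the Step 12c upload")
```

The script refuses SP metadata and metadata without a signing certificate rather than emitting partial values, because a console configured from a half-read file fails only at the first SSO login, which is the slowest point to debug.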

 

13. A Wasabi role will need to be created in order for SSO roles to work in the Console. They must be assigned to users within your organization's Identity Provider, and be returned to Wasabi in SSO claims. Without this, we will be unable to match a user with a role.

Under the SSO tab, click on Create Role.

Note: Do NOT create the role through the Role tab on the left. SSO roles must be created through the SSO tab in Settings. 

 

[Screenshot: Create Role under the SSO tab]

 

14. A Create Role window will appear. Please enter the Azure role name you created in Step 8. 

For the Wasabi role name use the same name as the Azure role name created in Step 8.

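The role name rule in Steps 8, 11, 13 and 14 is easy to get wrong, so here is an added example (again not Wasabi's or Microsoft's code) that walks the chain end to end in Python: the Azure app role is defined with its Value equal to its display name, the IdP emits that value through the "groups" claim sourced from user.assignedroles, and the Wasabi SSO role with the identical name is what the claim has to match. The SAML assertion fragment is constructed, the app role dictionary is shaped like an appRoles entry in the app manifest, and the exact, case-sensitive string comparison is an assumption made here to show why a space or a capitalisation difference leaves the user with no role.

```python
"""Azure app role -> groups claim -> Wasabi SSO role (added example)."""
import re
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
# Assumption: a conservative character set for role names. The article only
# requires "no spaces"; this is stricter so that a name is safe on both sides.
ROLE_NAME_RE = re.compile(r"^[A-Za-z0-9_.-]+$")

# Constructed sample assertion fragment, shaped like what the IdP returns once
# the "groups" claim from Step 11 is sourced from user.assignedroles and the
# user holds the app role "WasabiAdmin" plus an unrelated role containing a space.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML}" ID="_constructed" Version="2.0">
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>WasabiAdmin</saml:AttributeValue>
      <saml:AttributeValue>Finance Readers</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def role_name_problems(name: str) -> list:
    """Reasons a proposed role name would break the Azure/Wasabi match; empty list = fine."""
    problems = []
    if not name:
        problems.append("empty")
    elif any(ch.isspace() for ch in name):
        problems.append("contains whitespace")
    elif not ROLE_NAME_RE.match(name):
        problems.append("contains characters outside [A-Za-z0-9_.-]")
    return problems


def azure_app_role(display_name: str, value: str) -> dict:
    """Step 8: the app role as defined in Azure; Value must equal the display name."""
    if display_name != value:
        raise ValueError(f"Value {value!r} must equal display name {display_name!r}")
    problems = role_name_problems(value)
    if problems:
        raise ValueError(f"bad role name {value!r}: {', '.join(problems)}")
    return {"displayName": display_name, "value": value,
            "allowedMemberTypes": ["User"], "isEnabled": True}


def groups_claim(assertion_xml: str) -> list:
    """Values of the 'groups' attribute the IdP sent (the Step 11 claim)."""
    root = ET.fromstring(assertion_xml)
    values = []
    for attr in root.iter(f"{{{SAML}}}Attribute"):
        if attr.get("Name") == "groups":
            for val in attr.findall(f"{{{SAML}}}AttributeValue"):
                values.append((val.text or "").strip())
    return values


def match_wasabi_roles(claim_values, wasabi_roles):
    """Split claim values into those naming a Wasabi SSO role (Steps 13/14) and the rest.

    Assumption: the match is exact and case-sensitive, so 'wasabiadmin' or
    'Wasabi Admin' would not match a Wasabi role named 'WasabiAdmin'.
    """
    known = set(wasabi_roles)
    matched = [v for v in claim_values if v in known]
    unmatched = [v for v in claim_values if v not in known]
    return matched, unmatched


if __name__ == "__main__":
    role = azure_app_role("WasabiAdmin", "WasabiAdmin")       # Step 8
    wasabi_roles = [role["value"]]                             # Steps 13/14: same name
    sent = groups_claim(SAMPLE_ASSERTION)                      # what the claim carries
    matched, unmatched = match_wasabi_roles(sent, wasabi_roles)
    print("claim values:", sent)
    print("Wasabi roles matched:", matched)
    for name in unmatched:
        print(f"ignored {name!r}: {', '.join(role_name_problems(name)) or 'no Wasabi role'}")
```

Run it with a role name such as "Wasabi Admin" in azure_app_role and the definition is rejected before it ever reaches Azure; run it with a Wasabi role spelled differently from the Azure Value and the claim value lands in the unmatched list, which is the situation the article describes as being unable to match a user with a role.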

 

15. Now we will assign a Policy to this Role to give the user specific access. Click "Create Role" once finished.

Note: you can give the role multiple policies.

Please see What are the default policies available in the Wasabi Console? for more information on the default policies available in the Wasabi Console or you can create your own IAM policies through the Policy tab on the Wasabi console. 


 

Note:  This example uses the AdministratorAccess policy. You may attach any Wasabi-managed policy/user-managed policy based on your requirements.

 

You should now see the Wasabi Role you have created in the SSO tab in Settings. 

 


16. Now test the Wasabi SSO. Go to https://console.wasabisys.com and click "SIGN IN WITH SSO".

 

17. There are two ways to sign in to the Wasabi account with SSO:

- Use the organization name you provided in Step 12a, or

- Use the Wasabi root account email address.

[Screenshot: SSO sign-in]

18. It will now redirect you to the Azure AD login page. Please complete the Azure AD login. Once authenticated, it will redirect you back to the Wasabi Console where you can perform the necessary functions based on the Role assigned to the user.

 


 

For any issues or questions, please contact support by email at support@wasabi.com.