How do I use SSO for Wasabi Console access using Shibboleth and SAML2

Wasabi now supports SSO (Single Sign On) functionality for enterprise/educational accounts using the Shibboleth IdP (Identity provider) system based on SAML2 (Security Assertion Markup Language).

This document will provide the configuration instructions for both the IdP administrator and SSO user to properly configure and complete a Wasabi Console login using the organizations Shibboleth SSO system.  This article provides additional information beyond what is is provided in the Wasabi Management Console Guide for this feature.  In order to enable SSO for your organization, please contact Wasabi Support.


Administrative SSO Configuration

The Wasabi configuration for the Shibboleth SSO system requires that the administrator configure the following parameters in the Wasabi Console.

1.  Log into the Wasabi Console

2.  Select My Profile from the 'more' ellipse in the upper right cornermceclip1.png

3.  Select the Settings Menu from this page

4.  Scroll to the SSO configuration window and Select Configure SSO


5.  The following window will appear. Select Create New Provider


6.  The configuration for your Auth Provider will appear as below.


Provider Name - A nickname for the provider

Protocol Type - Select the default SAML2 Protocol

Metadata URL - Wasabi publicly publishes the Metadata URL.  Please enter

Entity Id - Globally unique name for a SAML entity

Wasabi Role Prefix - Any role prefix that may be configured such as wasabi-admin or wasabi-readOnly (See Footnote below)

Select CREATE once all of the necessary parameters are configured.


SSO User Configuration for Wasabi Console Access

In order for a SSO user to properly connect to the Wasabi Console the user will be required to use the following URL:

7.  Selecting the above URL will provide the user with the Enterprise Login as shown below:


Enter the ProviderId as provided by the SSO administrator.

8.  Select a role (The drop down menu may contain a list of roles configured in the SSO system that will correspond to the Wasabi Console Roles configuration)


Select Continue.

9.  The SSO user is now connected to the Wasabi Console having been authenticated by the Shibboleth SSO system and will be able to perform the necessary functions based on the Role assigned to them.



The SSO authentication is followed by an authorization provided by the SAML group attribute assertion where the NAME configured is required to match an existing Role defined in the Wasabi Management Console.

The below example is of two roles created NAME wasabi-admin and wasabi-readOnly as examples.

<saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</ saml2:AuthnContextClassRef>

<saml2:AttributeStatement xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">

<saml2:Attribute Name="Email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">

<saml2:AttributeValue xmlns:xs="" xmlns:xsi=""


</saml2:Attribute> <saml2:Attribute Name="FirstName"

NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"> <saml2:AttributeValue xmlns:xs=""

xmlns:xsi="" xsi:type="xs:string">Larry</saml2:AttributeValue>

</saml2:Attribute> <saml2:Attribute Name="LastName"

NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"> <saml2:AttributeValue xmlns:xs=""

xmlns:xsi="" xsi:type="xs:string">Smith</saml2:AttributeValue>

<saml2:Attribute Name=""

NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"> <saml2:AttributeValue xmlns:xs=""


xsi:type="xs:string">wasabi-admin</saml2:AttributeValue> <saml2:AttributeValue xmlns:xs=""

xmlns:xsi="" xsi:type="xs:string">wasabi-readOnly</saml2:AttributeValue>

</saml2:Attribute> </saml2:AttributeStatement>

</saml2:Assertion> </saml2p:Response> 
Have more questions? Submit a request