Wasabi supports SSO (Single Sign On) functionality for enterprise/educational accounts using the Shibboleth IdP (Identity provider) based on SAML2 (Security Assertion Markup Language).
This document provides the configuration instructions for both the IdP administrator and the SSO user to properly configure and complete a Wasabi Console login using the organization's Shibboleth SSO IdP. This article provides additional information beyond what is provided in the Wasabi Management Console Guide for this feature. In order to enable SSO for your organization, please contact Wasabi Support.
Below are the steps you will need to follow to accomplish SSO Logins.
The Wasabi configuration for the Shibboleth SSO IdP requires that the user configure the following parameters in the Wasabi Console.
1. Log into the Wasabi Console
2. Select "My Profile" from the 'more' ellipsis in the upper right corner
3. Select the "Settings" menu from this page
4. Scroll to the "Single Sign On" window and select "Configure SSO"
5. The following window will appear. Select "Create New Provider"
6. The configuration for your Auth Provider will appear as below.
Provider Name - A nickname for the provider
Protocol Type - Select the default SAML2 Protocol
Metadata URL - The URL of the IdP metadata. The Shibboleth admin must first configure a Wasabi application on the IdP so that it can authenticate Wasabi Console users. (See Section B)
Entity Id - Globally unique name for a SAML entity (Optional)
Wasabi Role Prefix - Any role prefix that may be configured such as wasabi-admin or wasabi-readOnly (See Section C below)
Select "CREATE" once all of the necessary parameters are configured as per Sections B and C.
B. Shibboleth Administrator Configuration for Wasabi Console
The Shibboleth SSO IdP requires the SAML XML metadata for the necessary interaction with the SAML enabled SP (Wasabi).
7.) Wasabi's metadata can be found at https://auth.wasabisys.com/v1/saml/metadata
8.) The attributes used in the SAML assertion are shown below: (see section C for Role)
<md:RequestedAttribute FriendlyName="RoleEntitlement" Name="https://auth.wasabisys.com/SAML/Attributes/Role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" isRequired="true" />
9.) The administrator can now create the Metadata URL.
10.) The Shibboleth admin is required to provide the Metadata URL created in step 9 to the user. The Metadata URL is used to complete the SSO Wasabi Console configuration, which generates the ProviderID.
11.) Once the Wasabi user enters the Metadata URL in the Wasabi Console configuration field "MetaData URL *Required" and selects "CREATE", the Console generates the <providerID> parameter that the Wasabi Console user uses to configure their session in Section D.
12.) Use the ProviderID created in step 11 when using SSO to connect to the Wasabi Console application.
The SSO authentication is followed by an authorization step based on the SAML group attribute assertion: the NAME carried in the assertion is required to match an existing Role defined in the Wasabi Console.
The example below shows a Role created with the NAME "wasabi-admin". This Role will be given full admin rights based on the example policy added to the Role.
Using the Wasabi Console, please follow the steps below to create a Role and assign it either to the user or to a group.
13.) Select "IAM" from the upper menu and then select "Roles" in the side menu
14.) Click "CREATE ROLE"
15.) Copy and paste the policy below into the "Create Role" window after editing the IAM and saml-provider values.
16.) Enter the user's IAM ARN to replace 1000000XXXXX
Enter the Provider ID to replace XXXXXXXXXXXXXX
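Before handing the Metadata URL to the user (Section B) and creating the matching Role (Section C), the IdP administrator can confirm that the attribute Wasabi requests in its SP metadata will actually be present in the assertion and that its value names a Role that exists in the Wasabi Console. The script below is an added example written for this article; it is not Wasabi's or Shibboleth's code. Only the RequestedAttribute element is taken from the article above; the entityID, AssertionConsumerService Location and the sample assertion are constructed placeholders, and the Role names are the ones used as examples on this page.

```python
"""Pre-check for the Shibboleth -> Wasabi SAML hand-off (added example)."""
import xml.etree.ElementTree as ET  # use defusedxml.ElementTree for untrusted input

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed stand-in for the metadata served at
# https://auth.wasabisys.com/v1/saml/metadata. The RequestedAttribute line is
# the one quoted in the article; entityID and Location are placeholders.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="urn:example:wasabi-sp-placeholder">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.invalid/saml/acs" index="0"/>
    <md:AttributeConsumingService index="0">
      <md:ServiceName xml:lang="en">Wasabi Console</md:ServiceName>
      <md:RequestedAttribute FriendlyName="RoleEntitlement" Name="https://auth.wasabisys.com/SAML/Attributes/Role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" isRequired="true" />
    </md:AttributeConsumingService>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""

# Constructed sample of the <saml:Assertion> the IdP would emit for a user in
# the admin group (signature omitted; signature validation is the SP's job).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_placeholder" Version="2.0">
  <saml:AttributeStatement>
    <saml:Attribute Name="https://auth.wasabisys.com/SAML/Attributes/Role"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
      <saml:AttributeValue>wasabi-admin</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def required_attributes(metadata_xml):
    """Return {Name: isRequired} for every RequestedAttribute in SP metadata."""
    root = ET.fromstring(metadata_xml)
    out = {}
    for ra in root.iterfind(".//md:RequestedAttribute", NS):
        out[ra.get("Name")] = ra.get("isRequired", "false").lower() == "true"
    return out


def attribute_values(assertion_xml, name):
    """Return the AttributeValue strings carried for attribute `name`."""
    root = ET.fromstring(assertion_xml)
    values = []
    for attr in root.iterfind(".//saml:Attribute", NS):
        if attr.get("Name") == name:
            for v in attr.iterfind("saml:AttributeValue", NS):
                values.append((v.text or "").strip())
    return values


def check_assertion(metadata_xml, assertion_xml, console_roles, role_prefix=""):
    """List problems an IdP admin should fix before enabling the provider.

    console_roles: names of Roles created in the Wasabi Console (Section C).
    role_prefix:   the optional 'Wasabi Role Prefix' from the provider form.
    An empty list means the attribute hand-off should succeed.
    """
    problems = []
    for name, required in required_attributes(metadata_xml).items():
        values = attribute_values(assertion_xml, name)
        if not values:
            if required:
                problems.append(f"required attribute missing: {name}")
            continue
        for value in values:
            if role_prefix and not value.startswith(role_prefix):
                problems.append(f"{value!r} does not start with prefix {role_prefix!r}")
            if value not in console_roles:
                problems.append(f"no Wasabi Console Role named {value!r}")
    return problems


if __name__ == "__main__":
    roles = {"wasabi-admin", "wasabi-readOnly"}
    print(check_assertion(SP_METADATA, SAMPLE_ASSERTION, roles, "wasabi-") or "OK")
```

Run it against the real metadata URL and an assertion captured from the IdP's test tools; any reported problem (attribute missing, value outside the configured prefix, or a value with no matching Role) will otherwise surface as a failed login in step 21.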
In order for an SSO user to properly connect to the Wasabi Console, the user will be required to use the following URL:
20.) Selecting the above URL will provide the user with the Enterprise Login as shown below:
Enter the ProviderId as provided in step 11.
21.) Select a role (the drop-down menu may contain a list of roles configured in the SSO system that correspond to the Wasabi Console Roles configuration)
22.) The SSO user is now connected to the Wasabi Console having been authenticated by the Shibboleth SSO IdP and will be able to perform the necessary functions based on the Role assigned to the user.