How do I use SSO for Wasabi Console access using Shibboleth and SAML2

Wasabi supports SSO (Single Sign-On) for enterprise and educational accounts using a Shibboleth IdP (Identity Provider) based on SAML2 (Security Assertion Markup Language 2.0).

This document provides configuration instructions for both the IdP administrator and the SSO user to configure and complete a Wasabi Console login using the organization's Shibboleth SSO IdP. It supplements the information provided in the Wasabi Management Console Guide for this feature. To enable SSO for your organization, please contact Wasabi Support.

Below are the steps you will need to follow to accomplish SSO Logins.

A. User SSO Configuration

B. Shibboleth Administrator Configuration

C. Role Creation

D. SSO Enterprise Login

A. User SSO Configuration for the Wasabi Console

The Wasabi configuration for the Shibboleth SSO IdP requires that the user configure the following parameters in the Wasabi Console.

1.  Log into the Wasabi Console

2.  Select "My Profile" from the 'more' ellipsis menu in the upper right corner

3.  Select the "Settings" menu from this page

4.  Scroll to the "Single Sign On" window and select "Configure SSO"

5.  The following window will appear. Select "Create New Provider"

6.  The configuration form for your Auth Provider appears with the following fields:

Provider Name - A nickname for the provider

Protocol Type - Select the default SAML2 protocol

Metadata URL - The URL at which your Shibboleth IdP publishes its SAML metadata. The Shibboleth admin must first configure Wasabi as a relying party on the IdP so that it can authenticate Wasabi Console users, and then provide this URL (see Section B)

Entity ID - The globally unique name (entityID) of the SAML entity (optional)

Wasabi Role Prefix - Any role prefix that has been configured, such as wasabi-admin or wasabi-readOnly (see Section C)

Select "CREATE" once all of the necessary parameters are configured as described in Sections B and C.

B. Shibboleth Administrator Configuration for Wasabi Console

The Shibboleth SSO IdP requires the SAML XML metadata of the SAML-enabled SP (Wasabi) in order to interact with it.

7.) Wasabi's SP metadata is published at https://auth.wasabisys.com/v1/saml/metadata

8.) The attribute Wasabi requests in the SAML assertion is declared in that metadata as shown below. Its value carries the role name (see Section C for Role):

<md:RequestedAttribute FriendlyName="RoleEntitlement" Name="https://auth.wasabisys.com/SAML/Attributes/Role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" isRequired="true" />

9.) The administrator can now determine the IdP's Metadata URL (the URL at which the Shibboleth IdP publishes its own SAML metadata).

10.) The Shibboleth admin must provide the Metadata URL from step 9 to the user. The user enters this Metadata URL in the Wasabi Console SSO configuration (Section A) to generate the ProviderID.

11.) When the Wasabi user enters the Metadata URL in the "MetaData URL *Required" field of the Wasabi Console configuration and selects "CREATE", the console returns the <providerID> value that the Wasabi Console user needs to configure their session in Section D.

12.) Use the ProviderID created in step 11 both in the Role trust policy (Section C) and when connecting to the Wasabi Console application via SSO (Section D).
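As an added example (not taken from the Wasabi article or from the Shibboleth project), the fragments below show how an IdP administrator could release the Role attribute from step 8 on a Shibboleth IdP using the v3/v4 attribute-resolver and attribute-filter syntax. The LDAP data connector id "myLDAP", the "isMemberOf" source attribute, the group DNs and the WASABI_SP_ENTITY_ID placeholder are assumptions; the attribute Name, FriendlyName and NameFormat are the values from Wasabi's SP metadata shown above.

```xml
<!-- conf/attribute-resolver.xml : added example, not Wasabi's or Shibboleth's own config.
     Assumes an existing LDAP DataConnector with id="myLDAP" that exposes the user's group
     memberships in an "isMemberOf" attribute, and the group DNs shown (all assumed). -->
<AttributeDefinition xsi:type="Mapped" id="wasabiRole">
    <InputDataConnector ref="myLDAP" attributeNames="isMemberOf"/>
    <!-- Map each directory group to the NAME of a Role that exists in the Wasabi Console
         (Section C). A user in none of the mapped groups receives no value and therefore
         no role to assume. -->
    <ValueMap>
        <ReturnValue>wasabi-admin</ReturnValue>
        <SourceValue>cn=wasabi-admins,ou=groups,dc=example,dc=edu</SourceValue>
    </ValueMap>
    <ValueMap>
        <ReturnValue>wasabi-readOnly</ReturnValue>
        <SourceValue>cn=wasabi-readers,ou=groups,dc=example,dc=edu</SourceValue>
    </ValueMap>
    <!-- Encode exactly as requested in Wasabi's SP metadata (step 8): same Name,
         FriendlyName and NameFormat, otherwise the SP will not recognise the attribute. -->
    <AttributeEncoder xsi:type="SAML2String"
        name="https://auth.wasabisys.com/SAML/Attributes/Role"
        friendlyName="RoleEntitlement"
        nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"/>
</AttributeDefinition>

<!-- conf/attribute-filter.xml : release wasabiRole to the Wasabi SP only. Replace the
     Requester value with the entityID attribute found in Wasabi's SP metadata (step 7);
     WASABI_SP_ENTITY_ID is a placeholder, not a real value. -->
<AttributeFilterPolicy id="releaseRoleToWasabi">
    <PolicyRequirementRule xsi:type="Requester" value="WASABI_SP_ENTITY_ID"/>
    <AttributeRule attributeID="wasabiRole">
        <PermitValueRule xsi:type="ANY"/>
    </AttributeRule>
</AttributeFilterPolicy>
```

Restricting the release to the Wasabi entityID keeps the role attribute from leaking to other relying parties. On IdP v5 the inline AttributeEncoder element is no longer supported; the same Name, FriendlyName and NameFormat are then declared as a transcoding rule under conf/attributes/ instead.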

C. Role Creation

Authentication by the IdP is followed by authorization based on the Role attribute in the SAML assertion: the attribute value must match the NAME of an existing Role defined in the Wasabi Console.

The example below creates a Role with the NAME "wasabi-admin". This Role is given full admin rights by the example policy attached to it.

Using the Wasabi Console, follow the steps below to create a Role and assign it to the user or group.

13.) Select "IAM" from the upper menu and then select "Roles" in the side menu

14.) Click "CREATE ROLE"

15.) Copy and paste the policy below into the "Create Role" window after replacing the account ID and saml-provider values with the correct ones.

16.) Replace 1000000XXXXX with your Wasabi account ID (the numeric account number in your IAM ARN) and XXXXXXXXXXXXXX with the Provider ID from step 11. This trust policy allows only the named SAML provider to assume the Role, and only via sts:AssumeRoleWithSAML:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::1000000XXXXX:saml-provider/XXXXXXXXXXXXXX"
      },
      "Action": "sts:AssumeRoleWithSAML"
    }
  ]
}
17.) Type "Wasa" in the "Attach Policy To Role" field and a list of matching policies will appear

18.) Select "WasabiAdministratorAccess"

19.) Exit the window
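To check the link between Sections B and C on the wire, the constructed fragment below (an added example, not a real assertion captured from Wasabi or any IdP) shows the AttributeStatement the Wasabi SP should receive after the user authenticates, as it would appear in a browser SAML tracer. The only thing Wasabi compares is the attribute value against the NAME of a Role in the console.

```xml
<!-- Constructed example of the AttributeStatement Wasabi should receive from the IdP.
     Not taken from a real assertion; the rest of the <saml2:Assertion> (Issuer, Subject,
     Conditions, Signature) is omitted. -->
<saml2:AttributeStatement xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:Attribute FriendlyName="RoleEntitlement"
                   Name="https://auth.wasabisys.com/SAML/Attributes/Role"
                   NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <!-- The value must equal the NAME of a Role that exists in the Wasabi Console,
         here the "wasabi-admin" Role created in steps 13-19. A raw group DN such as
         "cn=wasabi-admins,ou=groups,dc=example,dc=edu" released unmapped would not
         correspond to any Wasabi Role. -->
    <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                          xsi:type="xs:string">wasabi-admin</saml2:AttributeValue>
  </saml2:Attribute>
</saml2:AttributeStatement>
```

If the tracer shows the attribute under a different Name or NameFormat than the one declared in Wasabi's SP metadata (step 8), fix the encoder on the IdP rather than the Role; if the Name is right but the value is not a Role NAME, fix the group-to-role mapping.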
 
D. SSO Enterprise User Login to Wasabi Console

To connect to the Wasabi Console, an SSO user must use the following URL:

https://auth.wasabisys.com

20.)  Opening the above URL presents the user with the Enterprise Login page.

Enter the ProviderID provided in step 11.

21.)  Select a role. The drop-down menu lists the roles configured for the user in the SSO system; these correspond to the Roles configured in the Wasabi Console.

Select "Continue"

22.)  The SSO user is now connected to the Wasabi Console, having been authenticated by the Shibboleth SSO IdP, and can perform the functions permitted by the Role assigned to the user.

 
 