SSO for Wasabi Account Control Manager and Custom Cloud Console in Okta IdP
    • 10 Sep 2024

    OpenID Connect

    1. Log in to your Okta account.
    2. Create a new Web Application with the following settings:
      • Sign-in URL: the Callback URL shown in the WACM/CCC SSO configuration settings.
      • Grant types: enable Authorization Code and Implicit (select both Implicit checkboxes).
      • Discovery URL: your Okta tenant URL followed by /.well-known/openid-configuration.
      • Client ID and Client Secret: copy them from Application > General in Okta.
      • Add a Groups claim with the filter set to Matches regex and this value:
        (Control Account|Governance( Plus)?|Channel Account) (Admin|Staff( \(Lite\))?|Viewer)|Read Only|Download Only|Full Access( Limited)?|Administrator|Root
    3. Create new users under Directory > People.
    4. Under Directory > Groups, add the groups that are linked to the user roles.
    5. Go to the Application and assign the groups/users to it.
    6. Finish configuring the SSO in WACM/CCC.
    7. Log in as an SSO user. To include your organization's name in the login URL, configure the SSO settings and use the URL below, where "orgname" is your organization name:
      • WACM: https://wacm.wasabisys.com/en/wasabi/auth/login?organization=orgname
      • CCC: yourconsole.poweredbywasabi.com/login?organization=orgname
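    Before assigning groups, it helps to confirm which Okta group names the claim filter from step 2 will actually pass through. The Python check below is an added example, not part of the article or of Wasabi's tooling: it copies the regex from step 2 and assumes Okta's Matches regex filter is applied to the whole group name (a full match, not a substring search); the sample group names are constructed.

```python
import re

# Groups claim filter value from the Okta OIDC setup step (copied from the article).
WASABI_ROLE_FILTER = (
    r"(Control Account|Governance( Plus)?|Channel Account) "
    r"(Admin|Staff( \(Lite\))?|Viewer)"
    r"|Read Only|Download Only|Full Access( Limited)?|Administrator|Root"
)
ROLE_RE = re.compile(WASABI_ROLE_FILTER)


def matches_role_filter(group_name: str) -> bool:
    """True if the Okta group name would be emitted in the groups claim.

    Assumption: Okta's 'Matches regex' filter is evaluated against the
    entire group name, so fullmatch is used rather than search.
    """
    return ROLE_RE.fullmatch(group_name) is not None


def filter_groups(group_names):
    """Return, in order, the subset of group names that survive the filter."""
    return [g for g in group_names if matches_role_filter(g)]


# Constructed sample of group names as they might exist in an Okta directory.
SAMPLE_GROUPS = [
    "Control Account Admin",
    "Governance Plus Staff (Lite)",
    "Channel Account Viewer",
    "Read Only",
    "Full Access Limited",
    "Root",
    "Control-Account-Admin",  # hyphenated form does not match the regex as written
    "Engineering",            # unrelated Okta group, kept out of the claim
    "Governance Admin ",      # trailing space breaks a full match
]

if __name__ == "__main__":
    for g in SAMPLE_GROUPS:
        print(f"{g!r:32} -> {'in claim' if matches_role_filter(g) else 'dropped'}")
```

    Note that the regex only accepts the space-separated role names; a group created with hyphens instead of spaces will not reach WACM/CCC unless the filter is adjusted to match it.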

    OIDC Configuration Example

    Discovery Endpoint:
    [Discovery Endpoint here]
    
    Client ID:
    [Client ID here]
    
    Client Secret:
    [Client Secret here]

    SAML

    1. Log in to your Okta account. 
    2. On the left side menu, click Applications.
    3. Click the Create App Integration button.
    4. Choose SAML 2.0, and click Next.
    5. Enter the App name and click Next.
    6. Single sign-on URL is the Callback URL you can get from WACM/CCC SSO configuration settings. To include your organization's name in the login URL, configure SSO settings where "orgname" is your organization name, for example:
      • WACM: https://wacm.wasabisys.com/en/wasabi/auth/login?organization=orgname 
      • CCC: yourconsole.poweredbywasabi.com/login?organization=orgname 
    7. Audience URI (SP Entity ID) is the Audience URL you can get from WACM/CCC SSO configuration settings.
    8. Click Show Advanced Settings.
    9. On Assertion Encryption, choose Encrypted.
    10. On WACM/CCC, download the Metadata.
    11. Open the file and save each X509Certificate value to its own .pem file. (Usually, the content is the same for the two certificates.)
      • Encryption Certificate: the file you created from the <KeyDescriptor use="encryption"> key.
      • Signature Certificate: the file you created from the <KeyDescriptor use="signing"> key.
    12. On Okta, upload both certificates in Encryption Certificate and Signature Certificate.
    13. On Enable Single Logout, enable Allow application to initiate Single Logout.
    14. Get the Single Logout URL from the metadata file. It is inside the XML element SingleLogoutService. For CCC, it looks like this: https://sso.cloudstoragecdn.com/logout
    15. The SP Issuer should be the Audience URL.
    16. Scroll down to the Attribute Statements section and add the attributes that are specified in the metadata file.
    17. Scroll down to the Group Attribute Statements and add the groups attribute. Choose Matches regex and add this string:
      (Control Account|Governance( Plus)?|Channel Account) (Admin|Staff( \(Lite\))?|Viewer)|Read Only|Download Only|Full Access( Limited)?|Administrator|Root
    18. Click Next.
    19. On App type, choose whichever option you like.
    20. Click Finish.
    21. At this point, your SAML Application is configured in Okta. Navigate to the Sign On tab and click View SAML setup instructions.
      • Copy the Identity Provider Single Sign-On URL and paste it as the Sign In URL in WACM/CCC.
      • Copy the Identity Provider Single Logout URL and paste it as the Sign Out URL in WACM/CCC.
    22. Download the X.509 Certificate and upload it on WACM/CCC.
    23. On WACM/CCC, click Save Connection.
      Your connection is created successfully!
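    Steps 11 and 14 are easy to get wrong by hand (a certificate pasted with stray whitespace, or the signing and encryption keys swapped). As an added example that is not part of the article, the Python below reads an SP metadata file, builds PEM text for each KeyDescriptor use, and returns the SingleLogoutService location. The metadata document is constructed to match the element names those steps mention, and its certificate bodies are base64 placeholders rather than real certificates.

```python
import base64
import textwrap
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed SP metadata with the elements the article refers to; the
# X509Certificate bodies are base64 placeholders, not real certificates.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="urn:example:sp">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
      UExBQ0VIT0xERVJfU0lHTklOR19DRVJU
    </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
      UExBQ0VIT0xERVJfRU5DUllQVElPTl9DRVJU
    </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://sso.cloudstoragecdn.com/logout"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def extract_certificates(metadata_xml: str) -> dict:
    """Return {use: pem_text} for every KeyDescriptor in the SP metadata (step 11)."""
    root = ET.fromstring(metadata_xml)
    certs = {}
    for kd in root.iterfind(".//md:KeyDescriptor", NS):
        use = kd.get("use", "both")  # no 'use' attribute means signing and encryption
        cert = kd.find(".//ds:X509Certificate", NS)
        b64 = "".join((cert.text or "").split()) if cert is not None else ""
        if not b64:
            raise ValueError(f"KeyDescriptor use={use!r} has no X509Certificate")
        base64.b64decode(b64, validate=True)  # reject garbled or truncated values early
        body = "\n".join(textwrap.wrap(b64, 64))  # PEM uses 64-character lines
        certs[use] = f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"
    return certs


def single_logout_url(metadata_xml: str) -> str:
    """Return the Location of the SingleLogoutService element (step 14)."""
    slo = ET.fromstring(metadata_xml).find(".//md:SingleLogoutService", NS)
    if slo is None or not slo.get("Location"):
        raise ValueError("metadata has no SingleLogoutService Location")
    return slo.get("Location")
```

    Write each dict value to its own file (for example, a signing .pem and an encryption .pem) and upload them in the matching Okta fields; a ValueError means the metadata is missing the element the step expects.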

    Creating New SSO Users for WACM/CCC

    1. On Okta, click Directory > Groups.
    2. Click the Add group button.
    3. Enter the group name and save it. Group names should match the user/member roles in WACM/CCC. The image below shows CCC member roles and WACM Control Account roles. Role names are different if you are using a Governance or Channel account. You can view all available roles in your WACM Account under My Profile > Account > SSO.

      Note: If your IdP does not support spaces in the group names, you may use hyphenated names in place of the spaces.

    4. After adding all the groups, click Directory > People.
    5. Click Add Person.
    6. Enter the person's first name, last name, and username. Choose the Group/Role. Set the password. Then, click Save.
    7. Go to the Application and assign the groups/users to the application.
    8. Open a new session in WACM/CCC and try to sign in with that SSO user/member.

    SAML Configuration Example

    Login URL:
    [Login URL here]
    
    Logout URL:
    [Logout URL here]
    
    Cert file:
    [Cert file here]