---
title: "SSO for WACM and CCC in Okta IdP"
slug: "configuring-sso-for-wacmccc-in-okta-idp"
updated: 2026-01-30T18:22:31Z
published: 2026-01-30T18:22:31Z
---

> ## Documentation Index
> Fetch the complete documentation index at: https://docs.wasabi.com/llms.txt
> Use this file to discover all available pages before exploring further.

# SSO for WACM and CCC in Okta IdP

## OpenID Connect

1. Log in to your Okta account.
2. Create a new Web Application with the following considerations:
  - Sign-in URL is the Callback URL
  - Enable the Implicit token (with both checkboxes) and Authorization Code
  - Discovery URL = tenant URL + .well-known/openid-configuration
  - Client ID and Client Secret we get from **Application**>**General** in Okta
  - Add the **Groups claim filter** with filter **matches regex** and value:

`(Control Account|Governance( Plus)?|Channel Account) (Admin|Staff( \(Lite\))?|Viewer)|Read Only|Download Only|Full Access( Limited)?|Administrator|Root`
3. **Directory**>**People** is where you can create a new user.
4. **Directory**>**Groups** is where you need to add the groups that are linked to the user roles.
5. Go to the Application and assign the groups/users to the application.
6. Finish configuring the SSO in WACM/CCC.
7. Log in as an SSO user. To include your organization's name in the login URL, configure SSO settings where "orgname" is your organization name, for example:
  - WACM: https://wacm.wasabisys.com/en/wasabi/auth/login?organization=orgname
  - CCC: yourconsole.poweredbywasabi.com/login?organization=orgname

### OIDC Configuration Example

```shell
Discovery Endpoint:
        [Discovery Endpoint here]

        Client ID:
        [Client ID here]

        Client Secret:
        [Client Secret here]
```

## SAML

1. Log in to your Okta account.
2. On the left side menu, click **Applications**.
3. Click the **Create App Integration** button.
4. Choose **SAML 2.0**, and click **Next**.
5. Enter the **App name** and click **Next**.
6. Single sign-on URL is the Callback URL you can get from WACM/CCC SSO configuration settings. To include your organization's name in the login URL, configure SSO settings where "orgname" is your organization name, for example:
  - WACM: https://wacm.wasabisys.com/en/wasabi/auth/login?organization=orgname
  - CCC: yourconsole.poweredbywasabi.com/login?organization=orgname
7. Audience URI (SP Entity ID) is the Audience URL you can get from WACM/CCC SSO configuration settings.
8. Click **Show Advanced Settings**.
9. On **Assertion Encryption**, choose **Encrypted**.
10. On WACM/CCC, download the Metadata.
11. Open the file and save the X509Certificate to a different .pem file. (Usually, the content is the same for the two certificates.)
  - Encryption Certificate—Upload the file that you created from the <KeyDescriptor use="encryption"> key.
  - Signature Certificate—Upload the file that you created from the <KeyDescriptor use="signing"> key.
12. On Okta, upload both certificates in Encryption Certificate and Signature Certificate.
13. On Enable Single Logout, enable **Allow application to initiate Single Logout**.
14. Get the Single Logout URL from the metadata file. It is inside the XML element SingleLogoutService. For CCC, it looks like this: https://sso.cloudstoragecdn.com/logout
15. The SP Issuer should be the Audience URL.

![](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/image-1709307139148.png)

![](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/image-1709306777487.png)
16. Scroll down to the Attribute Statements section and add the attributes that are specified in the metadata file.

![](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/image-1709240242475.png)
17. Scroll down to the Group Attribute Statements and add the groups attribute. Choose **Matches regex**and add this string:

`(Control Account|Governance( Plus)?|Channel Account) (Admin|Staff( \(Lite\))?|Viewer)|Read Only|Download Only|Full Access( Limited)?|Administrator|Root`
18. Click **Next**.
19. On App type, choose whichever option you like.
20. Click **Finish**.
21. At this point, your SAML Application is configured in Okta. Navigate to the Sign On tab and click **View SAML setup instructions**.
  - Copy the Identity Provider Single Sign-On URL and paste it as the **Sign In URL** in WACM/CCC.
  - Copy the Identity Provider Single Logout URL and paste it as the **Sign Out URL** in WACM/CCC.
22. Download the X.509 Certificate and upload it on WACM/CCC.
23. On WACM/CCC, click **Save Connection**. Your connection is created successfully!

## Creating New SSO Users for WACM/CCC

1. On Okta, click **Directory**> **Groups**.
2. Click the **Add group**button.
3. Enter the group name and save it. Group names should match the user/member roles in WACM/CCC. The image below shows CCC member roles and WACM Control Account roles. Role names are different if you are using a Governance or Channel account. You can view all available roles in your WACM Account under **My Profile**>**Account**>**SSO**.

**Note:** If your IdP does not support spaces in the group names, you may use hyphenated names in place of the spaces.

![](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/image-1709240719963.png)
4. After adding all the groups, click **Directory**> **People**.
5. Click **Add Person**.
6. Enter the person's first name, last name, and username. Choose the Group/Role. Set the password. Then, click **Save**.
7. Go to the Application and assign the groups/users to the application.
8. Open a new session in WACM/CCC and try to sign in with that SSO user/member.

### SAML Configuration Example

```shell
Login URL:
        [Login URL here]

        Logout URL:
        [Logout URL here]

        Cert file:
        [Cert file here]
```