SSO for Wasabi Console Access Using OpenID Integration With Okta


Wasabi offers Single Sign-On (SSO) functionality for Wasabi accounts using the Okta IdP identity provider, based on OpenID Connect integration.

This article provides configuration instructions for both the IdP administrator and the SSO user to properly configure and complete a Wasabi Console login using the organization's Okta SSO service. It also includes details beyond those provided in the Wasabi Management Console Guide for this feature.

To configure Wasabi SSO, you must have a paid account and log in as the Root Wasabi email address. For more information, contact support@wasabi.com.

Configuring the OIDC App in Okta (IdP Side)

  1. Log in to your Okta account at okta.com as Administrator.

  2. Navigate to the Directory tab on the left and select Groups. Click Add group. In this example, we create a group called "WasabiAdmin." If you already have a group you wish to use for the Wasabi console, skip this step. Please note the group name as it will be used in future steps.

  3. Click Save.

    NOTE: Be sure to add the necessary users for access to the Wasabi Console to the new group just created.

  4. Navigate to the Applications tab and click Applications.

  5. Click Create App Integration. The Create a New App Integration page is displayed.


  6. In the Sign-in method section, click OIDC - OpenID Connect. In the Application type section, click Web Application. Click Next.

  7. On the New Web App Integration page, enter a name for the application integration, such as “OpenID-WasabiSSO.”

  8. In the Grant type section, check Refresh Token and Implicit (hybrid).

  9. In the Sign-in redirect URIs section, enter: https://sso.wasabisys.com/login/callback.

  10. Scroll down to the Selected group(s) section and click “WasabiAdmin,” previously created in Step 2. Click Save.

  11. Now, create the claim for the Authorization server. Navigate to Security, and then select the HealthInsight tab to display the API section.

  12. In the Add Authorization Server section, under Name, click default to configure a group claim as part of the user info, post-authentication. The name used must match the role name used in the Wasabi Console.

  13. In the default dialog, select Claims and then click Add Claim. The Add Claim dialog is displayed.

  14. Enter the information as shown below.

  15. Click Create. The new groups claim is created, as shown below.

  16. In the default dialog, click Settings, then copy the Issuer URL to use in the Wasabi Console. In the example below, the URL is https:///oauth2/default. You must append /.well-known/openid-configuration to the Issuer URL, for example: https:///oauth2/default/.well-known/openid-configuration.

  17. Now you will need the Client ID. To get the Client ID, navigate back to Applications, click Applications, and copy the Client ID.

Configuring OIDC Settings in Wasabi Console (SP / Client Side)

  1. Sign in to the Wasabi Console at https://console.wasabisys.com/login using a Root account email.

  2. Click Settings in the left menu and select SSO (Single Sign On).

  3. In the Select Configuration drop-down, choose OPEN ID.

  4. Paste the Issuer URL (from the previous section, Step 16) into the Open ID Connect Connection section, in the General Discover Endpoint box, for example, https:///oauth2/default/.well-known/openid-configuration.

  5. Paste the Client ID (copied from the previous section, Step 17) into the Client ID box.
    NOTE: If you do not see the SSO (Single Sign On) feature, then you are using a Wasabi trial account. This feature requires a paid account.

  6. Click Save Connection.

    NOTE: A Wasabi role is required for SSO roles in the Wasabi Console. Roles must be assigned to users within your organization's Identity Provider and be returned to Wasabi in SSO claims. Without this, you cannot match a user with a role. Do not create a role through the Role tab on the left. SSO roles must be created in the SSO (Single Sign On) section of Settings.

  7. Click Roles in the left menu and then click Create Role. The Create Role dialog is displayed.

  8. In the Name box, enter the Okta group name you created earlier, for example: “WasabiAdmin.”
    NOTE: For the Wasabi role name, use the same name as the Okta Group name previously created, or use the same group name if you are using an existing group.

  9. Click Next.

  10. Now, assign one or more policies to this role to enable user-specific access. When finished, click Create Role. For more information on the default policies available in the Wasabi Console, see What are the default policies available in the Wasabi Console? or create your own IAM policies through the Policies tab in the Wasabi Console.
    NOTE: The following example uses the AdministratorAccess policy. You may attach any Wasabi-managed policy or user-managed policy based on your requirements.
    NOTE: You should not see the Wasabi Role you created in the SSO tab in Settings.
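The two values that have to line up across the Okta and Wasabi sides are the discovery endpoint built from the Issuer URL (Okta Step 16, Wasabi Step 4) and the group name returned in the groups claim, which must equal the Wasabi SSO role name (Okta Steps 12-15, Wasabi Step 8). The following is an added example, not Wasabi or Okta code, that checks both offline against a constructed discovery document and a constructed set of ID token claims; the org hostname, the claim values and the exact, case-sensitive match are assumptions.

```python
import json

def discovery_url(issuer: str) -> str:
    """Build the discovery endpoint the Wasabi Console expects from an Okta Issuer URL.
    A trailing slash on the issuer is tolerated; the '/.well-known/' segment keeps its dot."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"

def check_discovery_document(issuer: str, doc: dict) -> list:
    """Return a list of problems found in a discovery document (empty means usable)."""
    problems = []
    if not issuer.startswith("https://"):
        problems.append("issuer must use https")
    # RFC 8414 / OpenID Discovery: the document's issuer must equal the URL it was fetched from
    if doc.get("issuer", "").rstrip("/") != issuer.rstrip("/"):
        problems.append("issuer mismatch: %r vs %r" % (doc.get("issuer"), issuer))
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri", "userinfo_endpoint"):
        if key not in doc:
            problems.append("missing " + key)
    return problems

def matching_roles(claims: dict, wasabi_roles: set) -> list:
    """Groups from the token claims that match a Wasabi SSO role name exactly (assumed case-sensitive).
    An empty result means the user would have no role in the Wasabi Console."""
    groups = claims.get("groups", [])
    if isinstance(groups, str):   # a single-valued claim may arrive as a bare string
        groups = [groups]
    return sorted(g for g in groups if g in wasabi_roles)

# Constructed sample data: placeholder org 'example.okta.com', not a real tenant.
ISSUER = "https://example.okta.com/oauth2/default"
SAMPLE_DISCOVERY = json.loads("""{
  "issuer": "https://example.okta.com/oauth2/default",
  "authorization_endpoint": "https://example.okta.com/oauth2/default/v1/authorize",
  "token_endpoint": "https://example.okta.com/oauth2/default/v1/token",
  "userinfo_endpoint": "https://example.okta.com/oauth2/default/v1/userinfo",
  "jwks_uri": "https://example.okta.com/oauth2/default/v1/keys"
}""")
SAMPLE_CLAIMS = {"sub": "00uexample", "email": "alice@example.com",
                 "groups": ["Everyone", "WasabiAdmin"]}

if __name__ == "__main__":
    print(discovery_url(ISSUER))
    print("discovery problems:", check_discovery_document(ISSUER, SAMPLE_DISCOVERY))
    print("roles matched:", matching_roles(SAMPLE_CLAIMS, {"WasabiAdmin"}))
```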

Testing the Integration

  1. Sign in to the Wasabi Console at https://console.wasabisys.com to test the SSO configuration.

  2. When prompted, enter your Wasabi Root user email address. Click Continue.


  3. You will be redirected to your IdP’s Okta login page, where you will enter your IdP username/password, then click Next.


    Once you have successfully logged in with your company's Okta username/password, you will then be redirected back to the Wasabi Console.

    NOTE: Your view of the Wasabi console may look different due to the IAM policy set under the SSO role you created.
    For issues or questions, contact support@wasabi.com.