How do I use SSO for Wasabi Console access using OpenID integration with Okta?
    • 28 Aug 2024
    • 4 Minutes to read
    • PDF

    How do I use SSO for Wasabi Console access using OpenID integration with Okta?

    • PDF

    Article summary

    Wasabi supports SSO (Single Sign On) functionality for Wasabi accounts using the Okta IdP (Identity provider) system based on OpenID integration.  This document will provide the configuration instructions for both the IdP administrator and SSO user to properly configure and complete a Wasabi Console login using the organization's Okta SSO system.

    This article will provide the configuration instructions for both the IdP administrator and SSO user to properly configure and complete a Wasabi Console login using the organization's Okta SSO service. This article provides additional information beyond what is provided in the Wasabi Management Console Guide for this feature.  

    NOTE: In order to configure Wasabi SSO, you will need to be a paid account and log in as the root Wasabi email address.

    Okta Account Creation - Adding the Wasabi account to Okta

    1.  Log into your account on Okta as the Administrator.  (If you already have an Okta account, step 2 may not be necessary)

    2. Click Directory on the left and select Groups. Create a new group by clicking Add group

    In this example, we created a group called "WasabiAdmin" If you already have a group you wish to use for who will have access to the Wasabi console then you can skip this step. Please note the group name, we will need it in future steps. 

     

    Screen

    Make sure to add the necessary users you wish to have access to the Wasabi console into the new group you have created. 

    2. Once you are logged in as an Admin, you will go to Applications --> Applications --> Create App Integration

    Screen_Shot_2022-10-26_at_10.59.42_AM.png

     

    3. Select the OIDC - OpenID Connect and Web Application options and hit Next

    Screen

    4. Provide a new App Name. 

    Check the Refresh Token and Implicit (hybrid) Grant Type. 

    Add the Sign-in Redirect URI as https://sso.wasabisys.com/login/callback

    Screen

    Scroll down and enter the group name you created in Step 2 or the group you have created already in the Selected groups(s)

    Screen

     

    5a. We will now need to create the claim for the Authorization server. 

    Navigate to Security --> API

    In this example, we will use the default authorization server. We need to configure group claim so that it comes as part of the user info post-authentication. This will be used to match the Wasabi Role name. This is used only in OIDC. 

    Click on default authorization servers

    Screen

    5b. Click the Claims tab. Now Add Claim

    Screen

    5c. In the new claim input the following:

    - Name: groups

    - Include in token type: ID Token - Always

    - Value type: Groups

    - Filter: Starts with - (From Step 2) 

    Screen

    Hit Create 

    You should see the groups claim you have created. 

    Screen

    6. Now direct back to the Settings in default and copy the Issuer URL. We will need the URL to input into the Wasabi console.

    In this example, it is the https:///oauth2/default

    You will need to append the /.well-known/openid-configuration to the Issuer URL.

    Example: https:///oauth2/default/.well-known/openid-configuration

    Screen

    7. Now we will need to get the Client ID

    Head back to Applications --> Applications --> Select the new app  (created in step 3)

    Copy the Client ID 

    Screen 8. Now log in as the root email user on the Wasabi Web Console

    Click on Settings on the left-hand side and click on SSO (Single Sign On) Tab 

    - Click on "Select Configuration" from "No SSO" to "OPENID"

    - Discovery Endpoint - Paste the output of Step 6 (Example https:///oauth2/default/.well-known/openid-configuration )

    - Client ID - From Step 7

    Note: If you do not see an SSO (Single Sign On) tab then you are on a Wasabi Trial. This feature is only on paid accounts. 

    Screen

    9. A Wasabi role will need to be created in order for SSO roles to work in the Console. They must be assigned to users within your organization's Identity Provider, and be returned to Wasabi in SSO claims. Without this, we will be unable to match a user with a role.

    Click on Create Role in the SSO tab in Settings. 

    Note: Do not create the role through the Role tab on the left. SSO roles must be created through the SSO tab in Settings.

    Screen10. A Create Role window will appear. Please enter the Okta Group Name you created in Step 2. 

    For the Wasabi role name use the same name as the Okta Group name created in Step 2 OR Use your same group name if you are using your existing group in that step

    Screen

    11. Now we will assign a Policy for this Role in order to give the user specific access. Hit "Create Role" once finished. 

    Note: you can give the user multiple policies if you like for this role.

    Please see What are the default policies available in the Wasabi Console? for more information on the default policies available in the Wasabi Console or you can create your own IAM policies through the Policy tab on the Wasabi console. 

    Screen

    Note:  This example uses the AdministratorAccess policy. You may attach any Wasabi-managed policy/user-managed policy based on your requirements.

    You should not see the Wasabi Role you have created in the SSO tab in Settings. 

    Screen

    12. Now test the Wasabi SSO. Please go to https://console.wasabisys.com

    Click on "SIGN IN WITH SSO"

    Screen

    13. Enter the Wasabi Root user email address. 

    Screen

    14. This should re-direct you to the Okta login page of your IdP. Enter your username/password to go through your company's Okta login. 

    Screen

    15. Once you have successfully logged in with your company's Okta username/password. You will be then redirected back to the Wasabi Console. 

    Screen

    Note: your view of the Wasabi console may look different due to the IAM policy set under the SSO role you have created. 

    For any issues or questions. Please contact via email to support@wasabi.com


    ESC

    Eddy AI, facilitating knowledge discovery through conversational intelligence