---
title: "SSO Using OpenID Integration With Okta"
slug: "how-do-i-use-sso-for-wasabi-console-access-using-openid-integration-with-okta"
updated: 2026-01-07T22:54:19Z
published: 2026-01-07T22:54:19Z
---

# SSO Using OpenID Integration With Okta

Wasabi offers Single Sign-On (SSO) for Wasabi accounts using [Okta](https://www.okta.com/?q=m) as the identity provider (IdP), based on OpenID Connect (OIDC) integration.

This article provides configuration instructions for both the IdP administrator and the SSO user to properly configure and complete a Wasabi Console login using the organization's Okta SSO service.

## Configuring the OIDC App in Okta (IdP Side)

1. Log in to your [Okta account](https://login.okta.com) as Administrator.
2. Navigate to the Directory tab on the left and select **Groups**. Click **Add group**. In this example, we create a group called "WasabiAdmin." If you already have a group you wish to use for the Wasabi Console, skip this step. Note the group name, as it will be used in later steps.
3. Click **Save**.

![Screen](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/16152368713243.png)

Be sure to add the necessary users for access to the Wasabi Console in the new group just created.
4. Navigate to the Applications tab and click **Applications**.
5. Click **Create App Integration**. The Create a New App Integration page is displayed.

![Screen_Shot_2022-10-26_at_10.59.42_AM.png](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/16152385528603.png)
6. In the Sign-in method section, click **OIDC - OpenID Connect**. In the Application type section, click **Web Application**. Click **Next**.

![](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/image-HZ3ZMT2Z.png)
7. On the New Web App Integration page, enter a name for the application integration, such as “OpenID-WasabiSSO.”
8. In the Grant type section, check **Refresh Token** and **Implicit (hybrid)**.
9. In the Sign-in redirect URIs section, enter: https://sso.wasabisys.com/login/callback.

![](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/image-MC3X987S.png)
10. Scroll down to the Selected group(s) section and click “WasabiAdmin,” previously created in Step 2. Click **Save**.

![](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/image-FSCPY721.png)
11. Create the claim for the Authorization server. Navigate to Security, and then select the HealthInsight tab to display the API section.
12. In the Add Authorization Server section under Name, click **default** to configure a group claim as part of the user info, post-authentication. The name used must match the role name used in the Wasabi Console.

![](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/image-52UCO23M.png)
13. In the default dialog, select **Claims** and then click **Add Claim**. The Add Claim dialog is displayed.

![](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/image-OC7BA3RF.png)
14. Enter the information as shown below.

![](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/image-UB89EG7Q.png)
15. Click **Create**. The new groups claim is created, as shown below.

![](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/image-VUQ5T7AB.png)
16. In the default dialog, click **Settings**, then copy the **Issuer URL** to use in the Wasabi Console. In the example below, the URL is https:///oauth2/default. You must append /.well-known/openid-configuration to the Issuer URL, for example: https:///oauth2/default/.well-known/openid-configuration.

![](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/image-UGCR1WQY.png)
17. You will need the Client ID. To get the Client ID, navigate back to Applications, click **Applications**, and copy the **Client ID**.

![](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/image-X7W53JOJ.png)
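
The two values most often mistyped in this setup are the discovery URL from Step 16 and the group name that must match the Wasabi role name (Step 12). The following check is an added example, not Wasabi or Okta code. It assumes the claim is named `groups`, that role matching is exact and case-sensitive, and it uses a constructed discovery document with the placeholder host `example.okta.com`.

```python
from urllib.parse import urlsplit

WELL_KNOWN = "/.well-known/openid-configuration"
REQUIRED = ("issuer", "authorization_endpoint", "jwks_uri",
            "response_types_supported", "id_token_signing_alg_values_supported")

def discovery_url(issuer: str) -> str:
    """Append the well-known path to the Issuer URL (Step 16)."""
    parts = urlsplit(issuer)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError(f"issuer must be an https URL with a host: {issuer!r}")
    return issuer.rstrip("/") + WELL_KNOWN

def check_discovery(issuer: str, doc: dict) -> list:
    """Return a list of problems found in a fetched discovery document."""
    problems = [f"missing field: {k}" for k in REQUIRED if k not in doc]
    # OIDC Discovery: the issuer in the document must equal the configured one.
    if doc.get("issuer") != issuer:
        problems.append(f"issuer mismatch: {doc.get('issuer')!r}")
    for key in ("authorization_endpoint", "jwks_uri"):
        if key in doc and urlsplit(doc[key]).scheme != "https":
            problems.append(f"{key} is not https")
    return problems

def matched_roles(claims: dict, role_names: set) -> set:
    """Groups in the token claims that exactly equal a console role name."""
    groups = claims.get("groups", [])   # claim name is an assumption
    if isinstance(groups, str):         # tolerate a single string value
        groups = [groups]
    return set(groups) & role_names

# Constructed sample data; example.okta.com is a placeholder host.
ISSUER = "https://example.okta.com/oauth2/default"
SAMPLE_DOC = {
    "issuer": ISSUER,
    "authorization_endpoint": ISSUER + "/v1/authorize",
    "jwks_uri": ISSUER + "/v1/keys",
    "response_types_supported": ["code", "id_token", "code id_token"],
    "id_token_signing_alg_values_supported": ["RS256"],
}
SAMPLE_CLAIMS = {"sub": "00u-constructed", "groups": ["Everyone", "WasabiAdmin"]}

if __name__ == "__main__":
    print(discovery_url(ISSUER))
    print(check_discovery(ISSUER, SAMPLE_DOC) or "discovery document OK")
    print(matched_roles(SAMPLE_CLAIMS, {"WasabiAdmin"}))
```

An empty result from `matched_roles` means the user would authenticate at Okta but arrive with no group that corresponds to a role name.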

## Configuring OIDC Settings in Wasabi Console (SP / Client Side)

1. Sign in to the [Wasabi Console](https://console.wasabisys.com/login) using a Root account email.
2. Click **Settings** in the left menu and select **SSO (Single Sign On)**.
3. In the Select Configuration drop-down, select **OPEN ID**.
4. Paste the **Issuer URL** (from the previous section, Step 16) into the Open ID Connect Connection section, in the General Discover Endpoint box, for example, https:///oauth2/default/.well-known/openid-configuration.
5. Paste the **Client ID** (copied from the previous section, Step 17) into the Client ID box.

> If you do not see the SSO (Single Sign On) feature, you are using a Wasabi trial account. This feature requires a paid account.
6. Click **Save Connection**.

![](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/image-I3X4030K.png)

> A Wasabi role is required for SSO roles in the Wasabi Console. Roles must be assigned to users within your organization's Identity Provider and be returned to Wasabi in SSO claims. Without this, you cannot match a user with a role. Do not create a role through the Role tab on the left. SSO roles must be created in the SSO (Single Sign On) section of Settings.
7. Click **Roles** in the left menu and then click **Create Role**. The Create Role dialog is displayed.
8. In the Name box, enter the Okta group name you created earlier, for example: “WasabiAdmin.”

Use the Okta group name as the Wasabi role name, whether you created the group earlier or are using an existing group.

![](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/image-ORKO4N9G.png)
9. Click **Next**.
10. Assign one or more policies to this role to enable user-specific access. When finished, click **Create Role**. For more information on the default policies available in the Wasabi Console, see [Policies in Wasabi Hot Cloud Storage](https://docs.wasabi.com/docs/policies-1) or create your own IAM policies through the **Policies** tab in the Wasabi Console.

The following example uses the AdministratorAccess policy. You may attach any Wasabi-managed policy/user-managed policy based on your requirements.

![](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/image-ROA8DIWH.png)

You should see the Wasabi Role you created in the SSO tab in Settings.

![](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/image-64M958P2.png)

## Testing the Integration

1. Sign in to the [Wasabi Console](https://console.wasabisys.com) to test the SSO configuration.

![](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/image-WHQAMBDM.png)
2. When prompted, enter your Wasabi Root user email address. Click **Continue**.

![Screen](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/16152385564827.png)
3. You will be redirected to your Okta IdP login page. Enter your IdP username/password, then click **Next**.

![Screen](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/16152385568667.png)

Once you have successfully logged in with your company's Okta username/password, you will then be redirected back to the Wasabi Console.

![](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/image-6IZSLZ0V.png)

Your view of the Wasabi console may look different due to the IAM policy set under the SSO role you created.
