---
title: "SSO Using OpenID Integration With OneLogin"
slug: "how-do-i-use-sso-for-wasabi-console-access-using-openid-integration-with-onelogin"
updated: 2026-01-07T22:55:28Z
published: 2026-01-07T22:55:28Z
---

# SSO Using OpenID Integration With OneLogin

Wasabi offers Single Sign-On (SSO) functionality for Wasabi accounts using the [OneLogin](https://www.onelogin.com/) identity provider, based on OpenID Connect integration.

This article provides configuration instructions for both the IdP administrator and the SSO user to properly configure and complete a Wasabi Console login using the organization’s OneLogin SSO service.

## Configuring the OIDC App in OneLogin (IdP Side)

To connect your OpenID Connect-enabled app to OneLogin:

- Create an OpenID Connect app for the Wasabi app catalog.
- Create users and groups with access to OneLogin.

### Creating the OIDC App for the Wasabi App Catalog

1. Log in to your [OneLogin](https://www.onelogin.com/) account as Administrator.
2. On the OneLogin menu, select **Applications** and click **Applications**.

![Screen_Shot_2020-09-13_at_8.37.23_PM.png](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/360068807351.png)
3. Click **Add App**. The Find Applications page is displayed.

![Screen_Shot_2020-09-13_at_8.37.53_PM.png](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/360068587572.png)
4. Search “OpenId Connect” or “oidc”, then select **OpenId Connect (OIDC)**. The Configuration page is displayed.

![Screen_Shot_2020-09-13_at_8.42.03_PM.png](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/360068587752.png)
5. In the Portal section, enter a display name, such as Wasabi, and click **Save**.

![Screen_Shot_2020-09-13_at_8.42.36_PM.png](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/360068807711.png)

Once the application is created, you will see all the configurable settings on the Info page.

![Screen_Shot_2020-09-13_at_8.46.51_PM.png](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/360068807811.png)
6. Select **Configuration**. In the Application details section, enter the **Login URI** and **Redirect URI** that your app uses as the callback endpoint. This is where OneLogin sends the authentication response and ID token. Paste the URIs shown below into the appropriate box:
  - Login URI—https://auth.wasabisys.com
  - Redirect URI—https://auth.wasabisys.com/v1/oidc/callback
7. Click **Save**.

![Screen_Shot_2020-09-13_at_8.52.22_PM.png](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/360068807851.png)
8. Select **Parameters**, then click the **plus sign** to save the value.

![Screen_Shot_2020-09-13_at_8.55.59_PM.png](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/360068807911.png)
9. Select **Rules** and click **Add Rules**. The New Mapping dialog is displayed. In the Name box, enter a name for the rule, such as “one-login-mapping.” In the Actions section, in the **with value that matches** box, enter “role-for-one-login.”

You will reuse the “role-for-one-login” role in the Wasabi Console for this integration.
10. Click **Save**.

![Screen_Shot_2020-09-13_at_9.01.43_PM.png](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/360068588132.png)
11. Select **SSO**. Copy the **Client ID** and **Client Secret** values and the **V2 Issuer URL**, and save them in a secure location. You will need these three values later to configure SSO in the Wasabi Console.

The Client ID and Client Secret are unique for each application, so it is essential that you use your own values.

![Screen_Shot_2020-09-13_at_9.06.25_PM.png](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/360068588372.png)
12. Once you have saved those three values, scroll down to the Assumed Sign-In section and check **Allow assumed users to sign into this app**.

![Screen_Shot_2020-09-13_at_9.16.35_PM.png](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/360068808351.png)

### Creating Users and Groups

Depending on your use case, you will create users and groups and map them to OneLogin. Settings will depend on your organization's requirement(s).

1. On the OneLogin menu, click **Users** and select the **Groups** option.

![Screen_Shot_2020-09-13_at_9.25.34_PM.png](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/360068588452.png)
2. In the Groups box, enter a name, such as “Wasabi-SSO-group.” Click **Save**.

![Screen_Shot_2020-09-13_at_10.19.42_PM.png](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/360068588832.png)
3. Select the **Roles** option and click **New Role**.

![Screen_Shot_2020-09-13_at_10.30.24_PM.png](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/360068809051.png)
4. Enter the previously used role name, such as “role-for-one-login.”
5. In the Select Apps to Add section, check **Wasabi**. Click **Save**.

![Screen_Shot_2020-09-13_at_10.33.10_PM.png](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/360068809071.png)
6. Select the **Users** option and click **New User**. The Users page is displayed.

![Screen_Shot_2020-09-13_at_9.36.12_PM.png](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/360068808431.png)
7. Enter the new user’s information and set a password, then scroll down and add privileges based on your requirements for the OneLogin IdP.

![Screen_Shot_2020-09-13_at_9.40.24_PM.png](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/360068808871.png)
8. On the Authentication page in the Group box, select the previously created group for this user.

![Screen_Shot_2020-09-13_at_10.24.31_PM.png](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/360068808971.png)
9. On the Applications page, check the **role-for-one-login** created earlier. Click **Save User**.

![Screen_Shot_2020-09-13_at_10.38.48_PM.png](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/360068809131.png)
10. Select the **Mappings** option and click **New Mapping**.

![Screen_Shot_2020-09-13_at_10.45.23_PM.png](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/360068589012.png)
11. Enter a name for this mapping, such as “one-login-wasabi-sso-mapping,” and then set Conditions and Actions. Click **Save**.

![Screen_Shot_2020-09-13_at_10.43.39_PM.png](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/360068589032.png)

## Configuring OIDC Settings in Wasabi Console (SP / Client Side)

1. Sign in to the [Wasabi Console](https://console.wasabisys.com/login) using a Root account email.
2. Navigate to your user profile and select **Settings**.

![Screen_Shot_2020-09-13_at_10.56.30_PM.png](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/360068589052.png)
3. Scroll down to SSO (Single Sign-On) and click **Configure SSO**.

![Screen_Shot_2020-09-13_at_10.57.12_PM.png](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/360068809311.png)
4. Click the "**+**" sign to initiate the provider configuration. The Add Auth Provider page is displayed.
5. Enter a provider name and then select **OpenID Connect (OAuth 2.0 protocol)** from the drop-down.
6. Enter the data from the previous section, Step 11, for Issuer, Client ID, and Client Secret.
7. In the Wasabi Role Prefix box, enter "role-for-one-login."
8. Click **Create**.

![mceclip0.png](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/17589976660123.png)

> When you save the configuration, it will be assigned a new ProviderId, which is a random string. You should copy and store the new ProviderId for later reuse.
9. Click **Back to Console**.

![mceclip0.png](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/17589985571995.png)
10. From the Wasabi Console menu, select **Roles**. Roles created will be used for SSO user permissions/policies.
11. Select **Create Role** and enter the policy as shown below. The example in this step uses the WasabiAdministratorAccess policy. You can attach any Wasabi-managed policy/user-managed policy based on your requirements.

The example uses the same role name, "role-for-one-login," for both the IdP mapping and this role.

![Screen_Shot_2020-09-13_at_11.13.45_PM.png](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/360068809651.png)

The actual policy is:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::100000032477:oidc-provider/rTzuWMAEx5SvCYMw"
      },
      "Action": "sts:AssumeRoleWithWebIdentity"
    }
  ]
}
```

> - Be sure to use your own Wasabi Console Account ID, where the example above specifies 100000032477, and replace “rTzuWMAEx5SvCYMw” with your ProviderId, from the section Creating an OIDC App for the Wasabi Catalog.
> - The role name configured in OneLogin must match the role name in the Wasabi Console.
12. The Wasabi Console is now configured. You can log in with your OneLogin IdP credentials, view the Wasabi application, and then SSO into the Wasabi Console.

![Screen_Shot_2020-09-13_at_11.33.57_PM.png](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/360068589912.png)
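
The role trust policy in step 11 only works, and only trusts the intended provider, once the sample Account ID and ProviderId are replaced with your own. The following is an added example, not Wasabi's code: it renders the policy from your values and lints a pasted policy for leftover sample values, a non-federated principal, or an unexpected action. The function names, the ARN pattern (inferred from the sample above), and the demo account and ProviderId are assumptions made for illustration.

```python
import json
import re

# Sample values printed in the page's policy; they must be replaced before use.
DOC_ACCOUNT_ID, DOC_PROVIDER_ID = "100000032477", "rTzuWMAEx5SvCYMw"
# ARN shape inferred from the page's sample (assumption, not a Wasabi spec).
ARN_RE = re.compile(r"^arn:aws:iam::(\d+):oidc-provider/([A-Za-z0-9_-]+)$")

def build_trust_policy(account_id, provider_id):
    """Render the page's trust policy with your own account and ProviderId."""
    arn = f"arn:aws:iam::{account_id}:oidc-provider/{provider_id}"
    return json.dumps({"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Principal": {"Federated": arn},
        "Action": "sts:AssumeRoleWithWebIdentity"}]}, indent=2)

def lint_trust_policy(policy_text, account_id, provider_id):
    """Return a list of findings; an empty list means the policy passed."""
    try:
        policy = json.loads(policy_text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg}"]
    statements = (policy.get("Statement") or []) if isinstance(policy, dict) else []
    if isinstance(statements, dict):  # a lone statement may be a bare object
        statements = [statements]
    findings = [] if statements else ["no Statement entries"]
    for i, st in enumerate(statements):
        if st.get("Effect") != "Allow":
            continue  # only Allow statements extend trust
        action = st.get("Action")
        if action not in ("sts:AssumeRoleWithWebIdentity", ["sts:AssumeRoleWithWebIdentity"]):
            findings.append(f"statement {i}: unexpected Action {action!r}")
        principal = st.get("Principal")
        if not isinstance(principal, dict) or set(principal) != {"Federated"}:
            findings.append(f"statement {i}: Principal must be only a Federated provider")
            continue
        fed = principal["Federated"]
        for arn in ([fed] if isinstance(fed, str) else fed):
            m = ARN_RE.match(str(arn))
            if not m:
                findings.append(f"statement {i}: malformed provider ARN {arn!r}")
            elif DOC_ACCOUNT_ID == m.group(1) or DOC_PROVIDER_ID == m.group(2):
                findings.append(f"statement {i}: documentation sample value left in ARN")
            elif m.groups() != (account_id, provider_id):
                findings.append(f"statement {i}: ARN does not match this account/provider")
    return findings

if __name__ == "__main__":
    OWN = ("123456789012", "ExampleProviderId01")  # constructed placeholders
    print(lint_trust_policy(build_trust_policy(*OWN), *OWN))
```
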

## Testing the Integration

1. Sign in to the [Wasabi Console](https://console.wasabisys.com) to test the SSO configuration.

![](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/image-WHQAMBDM.png)
2. When prompted, enter your Wasabi Root user email address. Click **Continue**.

![Screen](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/16152385564827.png)

You will be redirected to your IdP’s OneLogin login page, where you will enter your IdP username/password.
