How do I use SSO for Wasabi Console access using SAML2 integration with Okta?

Wasabi now supports SSO (Single Sign On) functionality for Wasabi accounts using the Okta IdP (Identity provider) system based on SAML2 (Security Assertion Markup Language). 

This article will provide the configuration instructions for both the IdP administrator and SSO user to properly configure and complete a Wasabi Console login using the organization's Okta SSO service.  This article provides additional information beyond what is provided in the Wasabi Management Console Guide for this feature.  

NOTE: In order to configure Wasabi SSO, you will need to be a paid account and log in as the root Wasabi email address.

OKTA Account Creation - Adding the Wasabi account to Okta

1. Begin by creating an account on okta.com. You can create a normal account or a company account. You will need to be an Admin of your Okta account.

2. Once you are logged in to your Okta account. Click on "Admin" in the top right corner.

3. Once you are logged in as an Admin, you will go to Applications --> Applications --> Create App Integration

4. Select the "SAML 2.0" radio button and hit "Next"

5. Name the SAML application. Click "Next" once named

6. Copy and paste the following to the corresponding entries -

   • Single Sign On URL - https://sso.wasabisys.com/login/callback

   • Audience URL (SP Entity ID) - https://sso.wasabisys.com/saml

   • Group Attribute Statements (Name) - "groups"

   • Group Attribute Statements (Filter - Starts with) -  

   NOTE: This will be the Okta group that you want to give access to the Wasabi console. We will be creating a group later in step 14 ("WasabiAdmin" is used in this example.)

   

   Once all the entries are filled. Hit "Next" 

7. Click on "I'm a software vendor. I'd like to integrate my app with Okta" 

   Please DO NOT submit the app for review. We do not need multiple customers submitting apps for review to Okta. 

   Click Finish

8. Once finished. Go to the Sign On tab under the SAML Application you just created. 

   Please note the Sign in URL and Download the Signing Certificate.  You will need those details to place in the Wasabi Web Console

   Note: You will need to be the Wasabi root user in order to configure Wasabi SSO.

9. Now click "Directory" on the left and select "Groups". 

   In this example, we created a group called "WasabiAdmin" (Should be the same name as Step 6 under Group Attribute Statements (Filter - Starts with)) 

   (Note: if you have a group created already that you wish to give access to the Wasabi console then you can skip this step. If you are using an existing group, please be sure to enter your existing group name in Step 6 - Group Attribute Statements (Filter - Starts with))

10. Once you have created the group. Please make sure that you added the users/groups you wish to be able to access the Wasabi Console through Okta SSO.

11. Once you added the users/groups to the Okta group. Go back to the Applications --> Application on the left-hand side. Assign the Application you have created in Step 5. 

    Go to Assignments --> Assign --> In the drop-down click Assign to Groups 

12. Now log in as the root email user on the Wasabi Web Console

    Click on Settings on the left-hand side and click on SSO (Single Sign On) Tab 

    • Click on "Select Configuration" from "No SSO" to "SAML"

    • Paste the Sign in URL from Step 8. 

    • Upload the X509 Signing Certificate from Step 8

    • Sign Out URL (Optional) - the URL is located SAML setting on Okta. 

Note: If you do not see an SSO (Single Sign On) tab then you are on a Wasabi Trial. This feature is only on paid accounts. 

13. A Wasabi role will need to be created in order for SSO roles to work in the Console. They must be assigned to users within your organization's Identity Provider, and be returned to Wasabi in SSO claims. Without this, we will be unable to match a user with a role.

    Click on Create Role in the SSO tab in Settings. 

    Note: Do not create the role through the Role tab on the left. SSO roles must be created through the SSO tab in Settings. 

14. A Create Role window will appear. Please enter the Okta Group Name you created in Step 9. 

    For the Wasabi role name use the same name as the Okta Group name created in Step 9 OR Use your same group name if you are using your existing group in that step

15. Now we will assign a Policy for this Role in order to give the user specific access. Hit "Create Role" once finished. 

    Note: you can give the user multiple policies if you like for this role.

    Please see What are the default policies available in the Wasabi Console? for more information on the default policies available in the Wasabi Console or you can create your own IAM policies through the Policy tab on the Wasabi console. 

Note:  This example uses the AdministratorAccess policy. You may attach any Wasabi-managed policy/user-managed policy based on your requirements.

You should now see the Wasabi Role you have created in the SSO tab in Settings. 

16. Now test the Wasabi SSO. Please go to https://console.wasabisys.com

    Click on "SIGN IN WITH SSO"

17. Enter the Wasabi Root user email address. 

18. This should re-direct you to the Okta login page of your IdP. Enter your username/password to go through your company's Okta login. 

19. Once you have successfully logged in with your company's Okta username/password. You will be then redirected back to the Wasabi Console. 

Note: your view of the Wasabi console may look different due to the IAM policy set under the SSO role you have created. 

For any issues or questions. Please contact via email to support@wasabi.com