SSO for Wasabi Console Access Using SAML2 Integration With Okta

Wasabi supports Single Sign On (SSO) functionality for Wasabi accounts using the Okta IdP (Identity Provider) system based on SAML2 (Security Assertion Markup Language).

This article provides the configuration instructions for both the IdP administrator and SSO user to properly configure and complete a Wasabi Console login using the organization's Okta SSO service.

Configuring SAML App in Okta (IdP Side)

1. Create an Okta account (https://okta.com) or log in to your existing Okta account as Administrator.

   

2. Once you are logged in to your Okta account, click Admin in the top right corner.

   

3. Go to Applications, select Applications, and click Create App Integration.

   

4. Select SAML 2.0 and click Next.

   

5. In the General Settings section, enter a name for the SAML application in the App name field, such as “WasabiSSO.” Click Next.

   

6. In the SAML Settings page, copy and paste the following information:

   • Single sign-on URL: https://sso.wasabisys.com/login/callback

   • Audience URL (SP Entity ID): https://sso.wasabisys.com/saml

   • Group Attribute Statements (Name): groups

   • Group Attribute Statements (Filter - Starts with): The Okta group with access to the Wasabi Console. You will create a group later, such as "WasabiAdmin."

   

7. When all the entries are made, click Next.

8. In response to the customer or partner question on the Feedback page, select I'm a software vendor…

   NOTE: DO NOT click Submit your app for review. Wasabi does not need multiple customers submitting apps for review to Okta.

   

9. Click Finish.

10. Click Sign On in the SAML Application you just created. Note the Sign on URL, then click Download for the Signing Certificate. You will need those details for the Wasabi Console.

    NOTE: You must be the Wasabi Root user to configure the Wasabi Console SSO.

    

11. Click Directory in the left menu and select Groups.

    In this example, we created a group called "WasabiAdmin" (entered in the Group Attribute Statements (Filter - Starts with)).

    If you have an existing group that you want to give access to the Wasabi Console, you can skip this step. If you are using an existing group, be sure to enter your existing group name in Group Attribute Statements (Filter - Starts with).

    

12. After you create the group, be sure to add the users/groups you want to access in the Wasabi Console through Okta SSO.

    

13. After you have added the users/groups to the Okta group, go back to Applications and choose the application you created earlier, such as “WasabiSSO.” Then, in the Assign drop-down, click Assign to Groups.

    

Configuring SAML Settings in Wasabi Console (SP / Client Side)

1. Sign in to the Wasabi Console at https://console.wasabisys.com/login using a Root account email.

2. Click Security in the Console navigation bar.

3. Click the SSO (Single Sign On) tab and enter the following information:

   • Select SAML for the configuration connection type.

   • Paste the URL from Step 8 in the Sign In URL.

   • Upload the X509 Signing Certificate from Step 8.

   • Optionally, enter a Sign Out URL, which is located in the SAML setting on Okta.

   NOTE: You will not see this tab if you have a Wasabi trial account. This feature is available only for paid accounts.

4. Create a Wasabi role for SSO roles to work in the Console. Click Create Role in the SSO tab in the Security section. Roles must be assigned to users within your organization's Identity Provider and returned to Wasabi in SSO claims. Without this, Wasabi will be unable to match a user with a role.

   NOTE: Do not create the role through the Roles feature (in the Console navigation bar). SSO roles must be created through the SSO tab in Security.

   

5. In the Create Role pane, enter the Okta group name you created in the previous section, Step 6, or enter your existing group.

   

6. Assign a Policy to this role to give the user specific access. You can assign multiple policies to the user role. Review Policies in Wasabi Hot Cloud Storage for a description of the default policies available in the Wasabi Console. Refer to Creating and Deleting a Policy to create your own IAM policies. Click Create Role when finished.

   

   This example uses the AdministratorAccess policy. You may assign any Wasabi-managed or user-managed policy based on your requirements.

   You should see the Wasabi role you have created in the SSO tab in Security. For example:

   

Testing the Integration

1. Sign in to the Wasabi Console at https://console.wasabisys.com to test the SO configuration.      

2. Enter the Wasabi Root user email address. Click Continue.

   

3. You will be redirected to your IdP’s Okta login page. Enter your company’s Okta username and password. Click Next.

   

   Once you have successfully logged in with your company's Okta username and password, you will be redirected back to the Wasabi Console.

   

   Your view of the Wasabi Console may differ depending on the IAM policy set for the SSO role you created.

   For any issues or questions, contact support@wasabi.com.