SSO for Wasabi Console Access Using SAML2 Integration With Okta

Wasabi supports Single Sign-On (SSO) for Wasabi accounts using Okta as the IdP (Identity Provider), based on SAML 2.0 (Security Assertion Markup Language).

This article provides the configuration instructions for both the IdP administrator and SSO user to properly configure and complete a Wasabi Console login using the organization's Okta SSO service.

To configure Wasabi SSO, you need a paid Wasabi account, and you must log in to the Wasabi Console as the Root user (the account's root email address).

Adding the Wasabi Account to Okta

  1. Create a normal or company account on okta.com. You need to be an Administrator of your Okta organization.

  2. Once you are logged in to your Okta account, click Admin in the top right corner.

  3. Go to Applications and click Create App Integration.  

  4. Select the SAML 2.0 option. Click Next.

  5. In the App name field, enter a name for the SAML application (WasabiSSO is used in the example below). Click Next.

  6. Enter the following values in the corresponding fields:

    • Single sign-on URL: https://sso.wasabisys.com/login/callback

    • Audience URL (SP Entity ID): https://sso.wasabisys.com/saml

    • Group Attribute Statements (Name): groups

    • Group Attribute Statements (Filter - Starts with): the name of the Okta group that you want to give access to the Wasabi Console. You will create this group in Step 11; "WasabiAdmin" is used as the example. Note that a "Starts with" filter also matches any other group whose name begins with the same text (for example, "WasabiAdminReadOnly"), and every matching group is sent to Wasabi in the groups claim, so choose a prefix that only your Wasabi groups share.

  7. When all the entries are filled, click Next.

  8. In response to the customer or partner question, select I'm a software vendor. I'd like to integrate my app with Okta.

    DO NOT submit the app for review. Wasabi does not need multiple customers submitting apps for review to Okta.

  9. Click Finish.

  10. Go to the Sign On tab under the SAML Application you just created.

    Note the Sign In URL and download the Signing Certificate. You will enter both in the Wasabi Console in Step 16.

    You will need to be the Wasabi Root user to configure Wasabi SSO.

  11. Click Directory in the left panel and select Groups.

    In this example, we created a group called "WasabiAdmin" (entered in the Group Attribute Statements (Filter - Starts with)).

    If you have an existing group that you want to give access to the Wasabi Console, you can skip this step. If you are using an existing group, be sure that its name is what you entered in the Group Attribute Statements filter in Step 6.

  12. After you create the group, add the users who should be able to access the Wasabi Console through Okta SSO to it.

  13. After you add the users to the Okta group, go back to Applications and open the SAML application you named in Step 5.

    In the Assign drop-down, click Assign to Groups and assign the application to the group from Step 11.

  14. Log in to the Wasabi Console as the Root user.

  15. Click Security in the Console navigation bar.

  16. Click the SSO (Single Sign On) tab. This tab is not shown for Wasabi trial accounts; the feature is available only for paid accounts.

    • Select SAML as the Configuration connection type.

    • Paste the Sign In URL from Step 10.

    • Upload the X509 Signing Certificate downloaded in Step 10.

    • Optionally, enter a Sign Out URL, which is located in the SAML settings on Okta.

  17. You need to create a Wasabi role for SSO logins to work in the Console. Roles are assigned to users within your organization's Identity Provider (here, through Okta group membership) and are returned to Wasabi in the SSO claims. Without a matching role, Wasabi is unable to map the user to any permissions.

    Click Create Role in the SSO tab in the Security section.

    Do not create the role through the Roles feature (in the Console navigation bar). SSO roles must be created through the SSO tab in Security.

  18. In the Create Role window, enter the name of the Okta group you created in Step 11, or the name of the existing group you entered in the Group Attribute Statements filter in Step 6. The role name must match the group name as it is returned in the groups claim, because that is how Wasabi links the SSO user to the role.

  19. Assign a Policy to this role to give the user specific access. You can assign multiple policies to the role. Review Policies in Wasabi Hot Cloud Storage for a description of the default policies available in the Wasabi Console. Refer to Creating and Deleting a Policy to create your own IAM policies.

    Click Create Role once finished.

    This example uses the AdministratorAccess policy. You may assign any Wasabi-managed or user-managed policy based on your requirements.

    The Wasabi role you created is now listed in the SSO tab in Security.
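    As an added worked example (not Wasabi or Okta code), the following Python script models what the Okta application configured in Steps 6 through 13 must return for Wasabi to map a signed-in user to the SSO role from Steps 17 and 18: the assertion is addressed to the Wasabi callback URL and SP entity ID, it carries a "groups" attribute, and one of the claimed group names equals a Wasabi SSO role name. The URLs, the attribute name and the WasabiAdmin role are the values from the steps above; the response builder, the "Starts with" filter model, the group names and the user alice@example.com are constructed for illustration, and signature verification (which Wasabi performs with the certificate uploaded in Step 16) is not modelled.

```python
"""Model of the SAML group claim Wasabi reads to pick an SSO role.
Added example; not Wasabi or Okta code. Signatures are not checked."""
import base64
import xml.etree.ElementTree as ET

# Values entered in the Okta app in Step 6 of the article.
WASABI_SP_ENTITY_ID = "https://sso.wasabisys.com/saml"
WASABI_ACS_URL = "https://sso.wasabisys.com/login/callback"
GROUP_ATTRIBUTE_NAME = "groups"

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}


def okta_group_filter(user_groups, prefix):
    """Model of the Okta 'Filter - Starts with' group attribute statement:
    every group whose name begins with the prefix is sent in the claim."""
    return [g for g in user_groups if g.startswith(prefix)]


def build_sample_response(name_id, groups, audience=WASABI_SP_ENTITY_ID):
    """Constructed, unsigned stand-in for the SAMLResponse form field Okta
    posts to the ACS URL (assumption: simplified, not real Okta output)."""
    values = "".join(
        "<saml:AttributeValue>%s</saml:AttributeValue>" % g for g in groups)
    xml = (
        '<samlp:Response xmlns:samlp="%(samlp)s" xmlns:saml="%(saml)s" '
        'Destination="%(acs)s" ID="_r1" Version="2.0">'
        '<saml:Assertion ID="_a1" Version="2.0">'
        '<saml:Subject><saml:NameID>%(name_id)s</saml:NameID>'
        '<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">'
        '<saml:SubjectConfirmationData Recipient="%(acs)s"/>'
        '</saml:SubjectConfirmation></saml:Subject>'
        '<saml:Conditions><saml:AudienceRestriction>'
        '<saml:Audience>%(audience)s</saml:Audience>'
        '</saml:AudienceRestriction></saml:Conditions>'
        '<saml:AttributeStatement><saml:Attribute Name="%(attr)s">%(values)s'
        '</saml:Attribute></saml:AttributeStatement>'
        '</saml:Assertion></samlp:Response>'
    ) % {"samlp": NS["samlp"], "saml": NS["saml"], "acs": WASABI_ACS_URL,
         "name_id": name_id, "audience": audience,
         "attr": GROUP_ATTRIBUTE_NAME, "values": values}
    return base64.b64encode(xml.encode()).decode()


def parse_saml_response(saml_response_b64):
    """Decode the base64 SAMLResponse field and return the Response element."""
    return ET.fromstring(base64.b64decode(saml_response_b64))


def group_claims(root, attr_name=GROUP_ATTRIBUTE_NAME):
    """Return the values of the groups attribute (the names Wasabi matches)."""
    values = []
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == attr_name:
            values += [v.text for v in attr.iterfind("saml:AttributeValue", NS)]
    return values


def check_response(root):
    """Return a list of problems; empty means the assertion is addressed to
    Wasabi and carries a groups claim that a role can be matched against."""
    problems = []
    if root.get("Destination") != WASABI_ACS_URL:
        problems.append("Destination is not the Wasabi callback URL")
    aud = root.findtext(
        ".//saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=NS)
    if aud != WASABI_SP_ENTITY_ID:
        problems.append("Audience is not the Wasabi SP entity ID")
    scd = root.find(".//saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != WASABI_ACS_URL:
        problems.append("Recipient is not the Wasabi callback URL")
    if not group_claims(root):
        problems.append("no '%s' attribute: Wasabi cannot map the user to a role"
                        % GROUP_ATTRIBUTE_NAME)
    return problems


def match_roles(groups, wasabi_sso_roles):
    """SSO roles (created in the Wasabi SSO tab) whose name equals a claimed group."""
    return [r for r in wasabi_sso_roles if r in groups]


def demo():
    # alice is in three Okta groups; "Starts with WasabiAdmin" sends two of
    # them, and only the one that equals a Wasabi SSO role name is mapped.
    claimed = okta_group_filter(
        ["Everyone", "WasabiAdmin", "WasabiAdminReadOnly"], "WasabiAdmin")
    root = parse_saml_response(build_sample_response("alice@example.com", claimed))
    return check_response(root), group_claims(root), match_roles(group_claims(root), ["WasabiAdmin"])


if __name__ == "__main__":
    print(demo())
```

    To inspect a real login, capture the SAMLResponse form field posted to the callback URL from the browser's developer tools and pass it to parse_saml_response; if group_claims returns an empty list, the Group Attribute Statement in Step 6 is missing or its filter does not match the group assigned in Step 13.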

  20. Test the Wasabi SSO login by going to https://console.wasabisys.com.

    Click SIGN IN WITH SSO.

  21. Enter the Wasabi Root user email address. Click Continue.

  22. You are redirected to your organization's Okta login page. Enter your Okta username and password. Click Next.

  23. Once you have successfully logged in with your company's Okta credentials, you are redirected back to the Wasabi Console.

  24. Your view of the Wasabi Console may differ from the Root user's, because it is limited to the IAM policies attached to the SSO role you created.

    For any issues or questions, contact support@wasabi.com.