Wasabi offers Single Sign-On (SSO) for Wasabi accounts using Pocket ID as the identity provider (IdP), through an OpenID Connect (OIDC) integration.
This article provides configuration instructions for both the IdP administrator and the SSO user to properly configure and complete a Wasabi Console login using your Pocket ID SSO service. It includes additional details beyond those provided in the Wasabi Management Console Guide for this feature.
Prerequisites
Pocket ID Admin account
Wasabi Console account
Group/Role name (both IdP side and SP/Client side must match).
Configuring the OIDC App in Pocket ID (IdP Side)
Log in to your Pocket ID account as Administrator. The Settings page is displayed.
Navigate to Administration in the left menu and choose OIDC Clients.

Click Add OIDC Client. The Create OIDC Client page is displayed.

Create a client, such as “Wasabi-SSO” and provide the following information as required:
Client ID / Client Secret — Autogenerated identifiers that you enter in the Wasabi Console for authentication.
Authorization URL / Token URL / Userinfo URL / Logout URL / OIDC Discovery URL / Certificate (JWKS) URL — Pocket ID endpoints. If you have the Discovery URL, most apps (including Wasabi) can learn the rest automatically.
Client Launch URL — Where Pocket ID should send users if they “Launch” the app from My Apps. Use https://console.wasabisys.com.
Callback URLs — The redirect URIs, that is, the exact URLs that Pocket ID redirects back to after login. Include the Wasabi SSO callback https://sso.wasabisys.com/login/callback. The value on the IdP side and the SP/Client side must match.
Logout Callback URL — An optional endpoint used after logout, for example, the Wasabi SSO page.
Public Client — Disable. Wasabi Console uses a confidential client.
PKCE — Disable. For this integration, Wasabi will not send “code_challenge.” If PKCE is enabled, the login will fail without the “code_challenge.”
Requires Re-Authentication (optional) — Disable. When set, users must reauthorize each time.
Federated Client Credentials (optional) — Not required.
Allowed User Group (optional) — Restrict who can use this Wasabi Console client, based on Pocket ID groups.
OIDC Data Preview — Click Show to preview the exact OIDC claims and confirm that “group domain” is available for users.
Click Save.
In Administration, choose Users.
Verify that your Wasabi Console users are enabled.

In Administration, choose User Groups to configure your group claim.

Enter the following information about the group claim:
Name — Enter the claim key (for example, groups) that is expected on the Wasabi Console side.
Users — Assign users to this group.
NOTE: The group name in Pocket ID must match the role name used in the Wasabi Console.
Click Save.
Configuring OIDC Settings in Wasabi Console (SP / Client Side)
Sign in to the Wasabi Console (https://console.wasabisys.com/login) using a Root account email.
Select Security in the left menu, then choose SSO (Single Sign-On).

Enter the following information:
SSO Connection — Select the provider type Open ID.
Discovery Endpoint — Paste the OIDC Discovery URL for Pocket ID (…/.well-known/openid-configuration).
Client ID and Client Secret — Paste the values from your Pocket ID OIDC client.
Channel (flow type) — Enable Back Channel (server-side authorization code).
Callback URL — Must show https://sso.wasabisys.com/login/callback. This must be the same URL listed in the Pocket ID callback URLs.
Click Save.
Click Create Role and add a role that matches your Pocket ID group name, such as “groups.”
Click Save.
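Before testing, the settings from both sides can be compared in one pass. The following is an added example, not Wasabi or Pocket ID code: it checks a discovery document, the client settings, and the OIDC Data Preview claims against the values this article requires. The dictionary keys for the client settings, the idp.example.com issuer and its endpoint paths, and the case-sensitive role comparison are assumptions made for illustration.

```python
"""Pre-flight check for the Pocket ID / Wasabi OIDC settings (added example)."""
WASABI_CALLBACK = "https://sso.wasabisys.com/login/callback"  # from this article

def check_sso_config(discovery, client, preview_claims, wasabi_role):
    """Return a list of problems; an empty list means the settings line up."""
    problems = []
    # Back Channel is the authorization code flow, so "code" must be offered.
    if "code" not in discovery.get("response_types_supported", []):
        problems.append("IdP does not advertise the authorization code flow")
    # Every endpoint learned from discovery should be HTTPS.
    for key in ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri"):
        if not str(discovery.get(key, "")).startswith("https://"):
            problems.append(f"{key} is missing or not HTTPS")
    # Redirect URIs are compared as exact strings: no trailing slash, no wildcard.
    if WASABI_CALLBACK not in client.get("callback_urls", []):
        problems.append("Wasabi callback URL is not an exact entry in Callback URLs")
    # The article's settings: confidential client, PKCE off.
    if client.get("public_client"):
        problems.append("Public Client is enabled; Wasabi uses a confidential client")
    if client.get("pkce"):
        problems.append("PKCE is enabled; Wasabi sends no code_challenge")
    # The group in the claim must equal the Wasabi role name
    # (compared case-sensitively here, which is an assumption).
    groups = preview_claims.get("groups", [])
    if wasabi_role not in groups:
        problems.append(f"role {wasabi_role!r} not in groups claim {groups!r}")
    return problems

# Constructed sample data. The issuer and paths are placeholders, not Pocket ID's
# real endpoints, and the client keys are hypothetical names for the UI settings.
BASE = "https://idp.example.com"
SAMPLE_DISCOVERY = {
    "issuer": BASE,
    "authorization_endpoint": BASE + "/authorize",
    "token_endpoint": BASE + "/token",
    "jwks_uri": BASE + "/jwks",
    "response_types_supported": ["code", "id_token"],
}
SAMPLE_CLIENT = {"callback_urls": [WASABI_CALLBACK], "public_client": False, "pkce": False}
SAMPLE_CLAIMS = {"sub": "constructed-user-id", "groups": ["groups"]}

if __name__ == "__main__":
    result = check_sso_config(SAMPLE_DISCOVERY, SAMPLE_CLIENT, SAMPLE_CLAIMS, "groups")
    for line in result or ["OK: settings are consistent"]:
        print(line)
```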
Testing the Integration
Sign in to the Wasabi Console (https://console.wasabisys.com) to test the SSO configuration.

Click SIGN IN WITH SSO. There are two methods you can use:
An organization’s name
Your Wasabi Root account email address

If you select “Sign in With an Organization Name,” enter the name previously created. You will be redirected to the Pocket ID login page, where you will enter your login information.
In Pocket ID, navigate to My Apps, select the Wasabi-SSO tile, and then click Launch.

You will be redirected back to the Wasabi Console, where you can perform functions based on the user’s assigned role.
For more information, contact Wasabi Support.