In June 2023, Wasabi introduced an updated SSO feature that replaced our previous solution (now referenced as SSO Legacy). We recommend that any users currently using SSO Legacy migrate to Wasabi's current SSO solution, as described in this article.
This article is intended for administrators who manage authentication and identity provider (IdP) integrations. Wasabi SSO supports Okta, Azure AD, Ping, Auth0, and any Security Assertion Markup Language (SAML) 2.0 / OIDC-compliant IdP. (Note that Wasabi supports MFA, which should be enforced at the IdP level.)
If you are not familiar with SSO or want to learn more about the Wasabi SSO feature, visit Single Sign On (SSO).
This article provides information to:
- Understand the differences between SSO Legacy and SSO
- Prepare your environment for migration
- Complete the migration with minimal disruption
- Validate and troubleshoot your setup
Understanding Why You Should Migrate
- Standards Compliance: Improved compatibility with SAML 2.0 and OpenID Connect (OIDC)
- Improved Security: Better certificate management, signed/encrypted assertions, and token handling
- Simplified Administration: Streamlined configuration and better logging for diagnostics
Comparison of SSO and SSO Legacy
| Feature | SSO | SSO Legacy |
|---|---|---|
| Protocols | SAML 2.0 + OIDC | SAML only |
| IdP-Initiated Logins | Full support | Partial support |
| Logout Support | Single Logout (SLO) | Limited |
| Attribute Mapping | Custom claims and group mapping | Minimal |
| Certificate Management | Automated renewal support | Manual only |
| Logging and Diagnostics | Detailed logs and error codes | Basic |
Preparing to Migrate: Reviewing a Pre-Migration Checklist
Before you begin:
- Inventory your current SSO Legacy configuration.
- Export and back up your IdP settings and metadata.
- Confirm your IdP supports SAML 2.0 or OIDC.
- Prepare a test user for validation.
- Schedule a maintenance window (optional, but recommended).
Completing the Migration
- Disable Legacy SSO:
  - Log in to the Wasabi Console.
  - Click Security and SSO (Single Sign On Legacy).
  - Export and save your old configuration.
- Create the new SSO configuration:
  - In the Wasabi Console SSO Settings, select SSO (Single Sign On).
  - Select Start SSO Configuration.
  - Enter your organization name. Click Add Organization.
  - Click the SSO Connection drop-down and select SAML or OPEN ID.
  - Configure the SSO connection.
  - Click Save.
- Configure your IdP:
  - Provide the following values in your IdP:
    - Entity ID: https://sso.wasabisys.com
    - SAML Assertion Consumer Service (ACS) URL: https://sso.wasabisys.com/login/callback
    - OIDC Redirect URI (if applicable): https://sso.wasabisys.com/login/callback
  - Ensure attributes/claims include:
    - email, groups (required)
    - firstName, lastName (optional, but recommended)
- Update the SSO path in Console:
  - Recreate the Wasabi role under the /sso/ path within the Wasabi SSO tab. For example:
    - wasabi-admin/sso/
    - wasabi-readonlyuser/sso/
    - writeonly/sso/
  - The roles listed are examples only; your role names may differ.
  - Ensure the Wasabi role is in the /sso/ path. If it is not, Wasabi will not be able to match groups from the IdP.
- Upload metadata and certificates:
  - Exchange metadata files between Wasabi and your IdP.
  - Confirm certificate validity and expiration.
- Test authentication:
  - Use a test user to validate login, logout, and role mapping.
  - Confirm access to Console, APIs, and services.
- Transition users:
  - Announce the migration to users.
  - Provide login instructions.
  - Monitor logs for failures.
Testing and Validating
Complete the following test cases:
- A user can log in successfully via IdP.
- User attributes (email, role, and groups) map correctly.
- Session termination works (logout and SLO, if enabled).
- Error handling is tested (such as a wrong certificate or an expired session).
Troubleshooting
| Error | Possible Cause | Resolution |
|---|---|---|
| Invalid SAML response | Mismatched entity ID or ACS URL | Verify IdP configuration. |
| User not found | Attribute mapping issue | Ensure email/username claim is present. |
| Expired certificate | Old metadata in use | Upload new certificate metadata. |
| Login loop | IdP-initiated flow is misconfigured | Check redirect URIs. |
Completing Post-Migration Steps
- Monitor authentication logs for anomalies.
- Remove any SSO Legacy references.
- Update internal IT documentation.
- Communicate migration success to your user base.
- Contact Wasabi Support to confirm and request that SSO Legacy be disabled for your account.
FAQs and Additional Information
Is it possible to roll back to SSO Legacy?
You can temporarily, but it is not recommended.
Sample Metadata (SAML)
<ServiceName xml:lang="en">Wasabi</ServiceName>
<RequestedAttribute FriendlyName="groups" Name="groups" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" isRequired="true" />
<RequestedAttribute FriendlyName="email" Name="email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" isRequired="true" />
<RequestedAttribute FriendlyName="firstName" Name="firstName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" isRequired="false" />
<RequestedAttribute FriendlyName="lastName" Name="lastName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" isRequired="false" />
OIDC Example
- Redirect URI: https://sso.wasabisys.com/login/callback
- Scopes: openid email profile
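The rows of the Troubleshooting table and the required attributes in the sample SAML metadata above can be turned into a pre-flight check that an administrator runs before opening the new configuration to users. The following Python script is an added example, not Wasabi's code or any IdP's: it reads the required attribute names from the article's RequestedAttribute lines (wrapped in a constructed root element), then checks a constructed SAML response (the issuer idp.example.com and the user alice@example.com are placeholders) against the Entity ID and ACS URL from the IdP configuration step, the assertion validity window, and the required claims. Signature verification and X.509 certificate expiry are outside this block; they remain the job of the service provider and of a certificate parser.

```python
"""Pre-flight checks for a SAML response against the Entity ID, ACS URL and required
attributes this article tells you to configure. Added example, not Wasabi's code.
The SP metadata is the article's sample RequestedAttribute lines in a constructed root;
the SAML response is constructed for illustration. Signature checks are out of scope."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Values from the "Configure your IdP" step of this article.
ENTITY_ID = "https://sso.wasabisys.com"
ACS_URL = "https://sso.wasabisys.com/login/callback"

# Constructed SP metadata: the article's sample lines inside a default-namespaced root.
SP_METADATA = """<AttributeConsumingService xmlns="urn:oasis:names:tc:SAML:2.0:metadata" index="0">
<ServiceName xml:lang="en">Wasabi</ServiceName>
<RequestedAttribute FriendlyName="groups" Name="groups" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" isRequired="true" />
<RequestedAttribute FriendlyName="email" Name="email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" isRequired="true" />
<RequestedAttribute FriendlyName="firstName" Name="firstName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" isRequired="false" />
<RequestedAttribute FriendlyName="lastName" Name="lastName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" isRequired="false" />
</AttributeConsumingService>"""

# Constructed SAML response; idp.example.com and alice@example.com are placeholders.
SAML_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="2025-01-01T12:00:00Z" Destination="https://sso.wasabisys.com/login/callback">
  <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2025-01-01T12:00:00Z">
    <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2025-01-01T11:55:00Z" NotOnOrAfter="2025-01-01T12:05:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://sso.wasabisys.com</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="email"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="groups"><saml:AttributeValue>wasabi-admin</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="firstName"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def parse_saml_time(ts):
    """SAML timestamps are UTC with a trailing Z; fractional seconds are optional."""
    base = ts.split(".")[0].rstrip("Z")
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def required_attributes(sp_metadata_xml):
    """Names of the attributes the SP marks isRequired="true" (email and groups here)."""
    root = ET.fromstring(sp_metadata_xml)
    tag = "{%s}RequestedAttribute" % NS["md"]
    return {ra.get("Name") for ra in root.iter(tag) if ra.get("isRequired") == "true"}


def check_response(response_xml, entity_id, acs_url, required, now):
    """Return a list of problems; empty means the response passes these checks.
    Each problem corresponds to a row of the Troubleshooting table."""
    problems = []
    root = ET.fromstring(response_xml)
    # "Invalid SAML response": Destination must equal the ACS URL configured at the IdP.
    if root.get("Destination") != acs_url:
        problems.append("Destination %r does not match ACS URL %r" % (root.get("Destination"), acs_url))
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        problems.append("response carries no plain Assertion (an encrypted one must be decrypted first)")
        return problems
    # "Invalid SAML response": Audience must equal the Entity ID exactly.
    audiences = [a.text for a in assertion.findall(".//saml:Audience", NS)]
    if entity_id not in audiences:
        problems.append("Audience %r does not include Entity ID %r" % (audiences, entity_id))
    # "Expired session": the validity window in Conditions, evaluated at `now`.
    cond = assertion.find("saml:Conditions", NS)
    if cond is not None:
        nb, na = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if nb and now < parse_saml_time(nb):
            problems.append("assertion not yet valid (NotBefore=%s); check clock skew" % nb)
        if na and now >= parse_saml_time(na):
            problems.append("assertion expired (NotOnOrAfter=%s)" % na)
    # "User not found": required claims (email, groups) must be present and non-empty.
    present = {}
    for attr in assertion.findall(".//saml:Attribute", NS):
        present[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS) if v.text]
    for name in sorted(required):
        if not present.get(name):
            problems.append("required attribute %r missing or empty" % name)
    return problems


if __name__ == "__main__":
    required = required_attributes(SP_METADATA)
    now = parse_saml_time("2025-01-01T12:00:00Z")
    print("required attributes:", sorted(required))
    print("good response:", check_response(SAML_RESPONSE, ENTITY_ID, ACS_URL, required, now) or "OK")
    # Reproduce the "User not found" row: the IdP sends memberOf instead of groups.
    renamed = SAML_RESPONSE.replace('Name="groups"', 'Name="memberOf"')
    print("renamed groups claim:", check_response(renamed, ENTITY_ID, ACS_URL, required, now))
```

To use it against a real response, decode the Base64 SAMLResponse captured from the test user's browser session and pass the XML to check_response with datetime.now(timezone.utc). Note that the Audience and Destination comparisons are exact string matches: a trailing slash or an http scheme where https was configured is enough to produce the "Invalid SAML response" error.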