---
title: "SSO Migration From SSO Legacy"
slug: "sso-migration"
description: "Migrate to Wasabi's new SSO implementation that abides by industry standards and is easy to configure and maintain. "
tags: ["SSO", "SSO Legacy"]
updated: 2026-01-30T20:53:49Z
published: 2026-01-30T20:53:49Z
---


# SSO Migration From SSO Legacy

In June 2023, Wasabi introduced an updated SSO feature that replaced our previous solution (now referred to as SSO Legacy). We recommend that anyone still using SSO Legacy migrate to Wasabi's current SSO solution, as described in this article.

This article is intended for administrators who manage authentication and identity provider (IdP) integrations. Wasabi SSO supports Okta, Azure AD, Ping, Auth0, and any Security Assertion Markup Language (SAML) 2.0 / OIDC-compliant IdP. (Note that Wasabi supports MFA, which should be enforced at the IdP level.)

If you are not familiar with SSO or want to learn more about the Wasabi SSO feature, visit [SSO (Single Sign On)](https://docs.wasabi.com/docs/sso-single-sign-on).

This article provides information to:

- Understand the differences between SSO Legacy and SSO
- Prepare your environment for migration
- Complete the migration with minimal disruption
- Validate and troubleshoot your setup

## Understanding Why You Should Migrate

- **Standards Compliance:** Improved compatibility with SAML 2.0 and OpenID Connect (OIDC)
- **Improved Security:** Better certificate management, signed/encrypted assertions, and token handling
- **Simplified Administration:** Streamlined configuration and better logging for diagnostics

> **Wasabi highly recommends transitioning away from Legacy SSO to the new Single Sign-On to ensure continued compatibility and enhanced security.**

### Comparison of SSO and SSO Legacy

| Feature | SSO | SSO Legacy |
| --- | --- | --- |
| Protocols | SAML 2.0 + OIDC | SAML only |
| IdP-Initiated Logins | Full support | Partial support |
| Logout Support | Single Logout (SLO) | Limited |
| Attribute Mapping | Custom claims and group mapping | Minimal |
| Certificate Management | Automated renewal support | Manual only |
| Logging and Diagnostics | Detailed logs and error codes | Basic |

## Preparing to Migrate: Reviewing a Pre-Migration Checklist

Before you begin:

- Inventory your current SSO Legacy configuration.
- Export and back up your IdP settings and metadata.
- Confirm your IdP supports SAML 2.0 or OIDC.
- Prepare a test user for validation.
- Schedule a maintenance window (optional, but recommended).

## Completing the Migration

> **During SSO migration, your users could lose access to Console while you configure the new SSO. Downtime will depend on how quickly your new configuration is built and verified.**

1. Disable Legacy SSO:
  1. Log in to the Wasabi Console.
  2. Click **Security** and **SSO (Single Sign On Legacy)**.
  3. Export and save your old configuration.
2. Create the new SSO configuration:
  1. In the Wasabi Console SSO Settings, select **SSO (Single Sign On)**.
  2. Select **Start SSO Configuration**.
  3. Enter your organization name. Click **Add Organization**.
  4. Click the **SSO Connection** drop-down and select **SAML** or **OPEN ID**.
  5. Configure the SSO connection.
  6. Click **Save**.
3. Configure your IdP:
  1. Provide the following values in your IdP:
    - Entity ID: `https://sso.wasabisys.com`
    - SAML Assertion Consumer Service (ACS) URL: `https://sso.wasabisys.com/login/callback`
    - OIDC Redirect URI (if applicable): `https://sso.wasabisys.com/login/callback`
  2. Ensure attributes/claims include:
    - `email`, `groups` (required)
    - `firstName`, `lastName` (optional, but recommended)
4. Update the SSO path in Console:
  1. Recreate the Wasabi role under the /sso/ path within the Wasabi SSO tab.
    - wasabi-admin/sso/
    - wasabi-readonlyuser/sso/
    - writeonly/sso/
  2. Ensure the Wasabi role is in the /sso/ path. If it is not, Wasabi will not be able to match groups from the IdP.
  3. Treat the roles listed above as examples; the role names you are using could differ.
5. Upload metadata and certificates:
  1. Exchange metadata files between Wasabi and your IdP.
  2. Confirm certificate validity and expiration.
6. Test authentication:
  1. Use a test user to validate login, logout, and role mapping.
  2. Confirm access to Console, APIs, and services.
7. Transition users:
  1. Announce the migration to users.
  2. Provide login instructions.
  3. Monitor logs for failures.

## Testing and Validating

Complete the following test cases:

- A user can log in successfully via IdP.
- User attributes (email, role, and groups) map correctly.
- Session termination works (logout and SLO, if enabled).
- Error handling is tested (such as a wrong certificate or an expired session).

### Troubleshooting

| Error | Possible Cause | Resolution |
| --- | --- | --- |
| Invalid SAML response | Mismatched entity ID or ACS URL | Verify IdP configuration. |
| User not found | Attribute mapping issue | Ensure email/username claim is present. |
| Expired certificate | Old metadata in use | Upload new certificate metadata. |
| Login loop | IdP-initiated flow is misconfigured | Check redirect URIs. |

> Use tools such as SAML Tracer (browser extension) or IdP debug logs to identify issues.
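
The checks behind the first three rows of the table can be scripted against a decoded SAML response copied from SAML Tracer. The following is an added example, not Wasabi code: the sample response, the `memberOf` attribute name, and the `check_response` function are constructed for illustration, and it assumes your IdP stamps the entity ID and ACS URL from this article into the response as the audience and destination.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ENTITY_ID = "https://sso.wasabisys.com"               # Entity ID from step 3
ACS_URL = "https://sso.wasabisys.com/login/callback"  # ACS URL from step 3
REQUIRED = ("email", "groups")                        # required attributes/claims

# Constructed sample (not a real capture): Destination has a trailing slash and
# the IdP sends group membership as "memberOf" instead of "groups".
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  Destination="https://sso.wasabisys.com/login/callback/"><saml:Assertion>
 <saml:Subject><saml:SubjectConfirmation><saml:SubjectConfirmationData
   Recipient="https://sso.wasabisys.com/login/callback"/></saml:SubjectConfirmation></saml:Subject>
 <saml:Conditions NotOnOrAfter="2026-01-30T21:00:00Z"><saml:AudienceRestriction>
   <saml:Audience>https://sso.wasabisys.com</saml:Audience>
 </saml:AudienceRestriction></saml:Conditions>
 <saml:AttributeStatement>
  <saml:Attribute Name="email"><saml:AttributeValue>test.user@example.com</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="memberOf"><saml:AttributeValue>wasabi-admin</saml:AttributeValue></saml:Attribute>
 </saml:AttributeStatement></saml:Assertion></samlp:Response>"""

def check_response(xml_text, now=None):
    """Return findings for one decoded SAML Response; an empty list means no issue found.
    Diagnostic only: the XML signature is NOT verified, so never use this to authenticate."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(xml_text)  # parse only responses you captured yourself
    findings = []
    if root.get("Destination") != ACS_URL:
        findings.append(f"Destination {root.get('Destination')!r} != ACS URL")
    for scd in root.iterfind(".//saml:SubjectConfirmationData", NS):
        if scd.get("Recipient") != ACS_URL:
            findings.append(f"Recipient {scd.get('Recipient')!r} != ACS URL")
    audiences = [a.text.strip() for a in root.iterfind(".//saml:Audience", NS) if a.text]
    if ENTITY_ID not in audiences:
        findings.append(f"Audience {audiences} lacks entity ID {ENTITY_ID}")
    cond = root.find(".//saml:Conditions", NS)
    expiry = cond.get("NotOnOrAfter") if cond is not None else None
    if expiry and datetime.fromisoformat(expiry.replace("Z", "+00:00")) <= now:
        findings.append(f"assertion expired at {expiry}")
    attrs = {a.get("Name"): [v.text for v in a.iterfind("saml:AttributeValue", NS) if v.text]
             for a in root.iterfind(".//saml:Attribute", NS)}
    for name in REQUIRED:
        if not attrs.get(name):
            findings.append(f"required attribute {name!r} missing or empty")
    return findings

if __name__ == "__main__":
    print("\n".join(check_response(SAMPLE)) or "no findings")
```

Run it against the response captured for your test user before transitioning other users; a missing `groups` attribute means Wasabi has nothing to match against the roles under the /sso/ path.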

## Completing Post Migration Steps

- Monitor authentication logs for anomalies.
- Remove any SSO Legacy references.
- Update internal IT documentation.
- Communicate migration success to your user base.
- Contact [Wasabi Support](mailto:support@wasabi.com) to confirm and request that SSO Legacy be disabled for your account.

## FAQs and Additional Information

### Rolling Back to SSO Legacy

Although it is possible to roll back to SSO Legacy temporarily, it is not recommended.

### Sample Metadata (SAML)

```xml
<!-- Fragment of the service provider metadata; these elements sit inside an AttributeConsumingService element. -->
<ServiceName xml:lang="en">Wasabi</ServiceName>
<RequestedAttribute FriendlyName="groups" Name="groups" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" isRequired="true" />
<RequestedAttribute FriendlyName="email" Name="email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" isRequired="true" />
<RequestedAttribute FriendlyName="firstName" Name="firstName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" isRequired="false" />
<RequestedAttribute FriendlyName="lastName" Name="lastName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" isRequired="false" />
```

### OIDC Example

- Redirect URI: `https://sso.wasabisys.com/login/callback`
- Scopes: `openid email profile`

## Related

- [SSO (Single Sign On)](/configuring-the-single-sign-on-sso-feature.md)
