- 28 Aug 2024
How do I use SSO for Wasabi Console access using OpenID integration with Okta?
Wasabi supports SSO (Single Sign On) for Wasabi accounts using the Okta IdP (Identity Provider) based on OpenID Connect integration. This article provides the configuration instructions for both the IdP administrator and the SSO user to configure and complete a Wasabi Console login using the organization's Okta SSO service, and adds detail beyond what the Wasabi Management Console Guide provides for this feature.
NOTE: To configure Wasabi SSO, you need a paid account and must log in with the root Wasabi email address.
Okta Account Creation - Adding the Wasabi account to Okta
1. Log into your Okta account as the Administrator. (If you already have an Okta account, step 2 may not be necessary.)
2. Click Directory on the left and select Groups. Create a new group by clicking Add group.
In this example, we created a group called "WasabiAdmin". If you already have a group you wish to use for the users who will have access to the Wasabi Console, you can skip this step. Note the group name; you will need it in later steps.
Make sure to add the users you wish to have access to the Wasabi Console to the group.
3. Once you are logged in as an Admin, go to Applications --> Applications --> Create App Integration. Select the OIDC - OpenID Connect and Web Application options and hit Next.
4. Provide a new App Name.
Under Grant type, check Refresh Token and Implicit (hybrid).
Add the Sign-in Redirect URI https://sso.wasabisys.com/login/callback
Scroll down and enter the group name you created in Step 2 (or your existing group) under Selected group(s).
5a. We will now need to create the claim for the Authorization server.
Navigate to Security --> API
In this example, we will use the default authorization server. We need to configure a group claim so that the user's groups are returned as part of the user info after authentication. Wasabi uses this claim to match the Wasabi role name. This is used only in OIDC.
Click on the default authorization server.
5b. Click the Claims tab, then click Add Claim.
5c. In the new claim input the following:
- Name: groups
- Include in token type: ID Token - Always
- Value type: Groups
- Filter: Starts with - the group name from Step 2
Hit Create.
You should see the groups claim you have created.
6. Now navigate back to the Settings tab of the default authorization server and copy the Issuer URL. You will need this URL to configure the Wasabi Console.
In this example, it is https:///oauth2/default, where the host is your Okta org domain.
Append /.well-known/openid-configuration to the Issuer URL to obtain the discovery endpoint.
Example: https:///oauth2/default/.well-known/openid-configuration
7. Now obtain the Client ID.
Head back to Applications --> Applications --> select the new app (created in step 3).
Copy the Client ID.
8. Now log in as the root email user on the Wasabi Web Console.
Click on Settings on the left-hand side and click on the SSO (Single Sign On) tab.
- Change "Select Configuration" from "No SSO" to "OPENID"
- Discovery Endpoint - Paste the output of Step 6 (Example: https:///oauth2/default/.well-known/openid-configuration )
- Client ID - From Step 7
Note: If you do not see an SSO (Single Sign On) tab, you are on a Wasabi Trial. This feature is available only on paid accounts.
9. A Wasabi role must be created for SSO logins to work in the Console. Roles are assigned to users within your organization's Identity Provider (here, via the Okta group) and returned to Wasabi in the SSO claims. Without this, Wasabi is unable to match a user with a role.
Click on Create Role in the SSO tab in Settings.
Note: Do not create the role through the Role tab on the left. SSO roles must be created through the SSO tab in Settings.
10. A Create Role window will appear. Enter the Okta Group Name you created in Step 2.
For the Wasabi role name, use the same name as the Okta group created in Step 2 (or the name of your existing group if you reused one in that step). Wasabi matches the role name against the group name returned in the groups claim, so the two must be identical.
11. Now assign a Policy to this Role to give the user specific access. Hit "Create Role" once finished.
Note: you can attach multiple policies to this role if you like.
Please see What are the default policies available in the Wasabi Console? for more information on the default policies available in the Wasabi Console or you can create your own IAM policies through the Policy tab on the Wasabi console.
Note: This example uses the AdministratorAccess policy. You may attach any Wasabi-managed or user-managed policy based on your requirements.
You should now see the Wasabi Role you have created in the SSO tab in Settings.
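The steps above hinge on three details that are easy to get wrong: the discovery endpoint derived from the Issuer URL (step 6), the groups claim being present in the ID token (step 5c), and the group name in that claim matching the Wasabi role name exactly (steps 9 and 10). The following script is an added example, not Wasabi or Okta code, that models those checks offline. The Okta org domain (example-org.okta.com), the discovery document, and the ID token are all constructed; real Okta ID tokens are RS256-signed against the keys published at the discovery endpoint, whereas this token is HS256-signed with a made-up secret so the example runs with the standard library only.

```python
"""Offline sanity checks for an Okta OIDC setup used with Wasabi SSO (added example, not Wasabi/Okta code)."""
import base64
import hashlib
import hmac
import json
import time

# Constructed placeholders: replace with your own Okta org domain and Wasabi role name.
ISSUER = "https://example-org.okta.com/oauth2/default"
WASABI_ROLE = "WasabiAdmin"
DEMO_SECRET = b"constructed-demo-secret-not-a-real-key"  # demo only; Okta uses RS256 keys

# Constructed discovery document, trimmed to the fields the checks below use.
DISCOVERY_DOC = {
    "issuer": ISSUER,
    "authorization_endpoint": ISSUER + "/v1/authorize",
    "token_endpoint": ISSUER + "/v1/token",
    "grant_types_supported": ["authorization_code", "implicit", "refresh_token"],
    "claims_supported": ["sub", "email", "groups"],
}


def discovery_url(issuer: str) -> str:
    """Step 6: append the well-known path to the Issuer URL, tolerating a trailing slash."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_demo_id_token(groups, issuer=ISSUER, secret=DEMO_SECRET) -> str:
    """Build a constructed HS256 ID token carrying a 'groups' claim, so the check runs offline."""
    header = {"alg": "HS256", "typ": "JWT"}
    now = int(time.time())
    payload = {"iss": issuer, "sub": "00u-example", "aud": "0oa-example-client-id",
               "iat": now, "exp": now + 3600, "groups": list(groups)}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(payload).encode())
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def check_discovery(doc: dict, expected_issuer: str) -> list:
    """Steps 4-6: confirm issuer, the groups claim, and the grant types the app was configured with."""
    problems = []
    if doc.get("issuer") != expected_issuer:
        problems.append("issuer mismatch")
    if "groups" not in doc.get("claims_supported", []):
        problems.append("groups claim not advertised")
    for grant in ("implicit", "refresh_token"):
        if grant not in doc.get("grant_types_supported", []):
            problems.append(f"{grant} grant not supported")
    return problems


def check_id_token(token: str, expected_issuer: str, role_name: str, secret=DEMO_SECRET) -> list:
    """Steps 9-10: verify signature, issuer and expiry, then require a group equal to the Wasabi role name."""
    problems = []
    try:
        h, p, s = token.split(".")
    except ValueError:
        return ["malformed token"]
    expected_sig = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(s)):
        return ["bad signature"]
    claims = json.loads(_b64url_decode(p))
    if claims.get("iss") != expected_issuer:
        problems.append("issuer mismatch")
    if claims.get("exp", 0) < time.time():
        problems.append("token expired")
    groups = claims.get("groups")
    if not groups:
        problems.append("groups claim missing: check the claim on the authorization server (step 5c)")
    elif role_name not in groups:
        problems.append(f"no group matches Wasabi role {role_name!r}: got {groups}")
    return problems


if __name__ == "__main__":
    print(discovery_url(ISSUER))
    print("discovery:", check_discovery(DISCOVERY_DOC, ISSUER) or "ok")
    good = make_demo_id_token(["WasabiAdmin", "Everyone"])
    print("good token:", check_id_token(good, ISSUER, WASABI_ROLE) or "ok")
    bad = make_demo_id_token(["Everyone"])
    print("bad token:", check_id_token(bad, ISSUER, WASABI_ROLE) or "ok")
```

The comparison in check_id_token is an exact string match, which mirrors why step 10 insists on reusing the Okta group name verbatim as the Wasabi role name: a case or spacing difference between the two produces the "no group matches" result rather than a login.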
12. Now test the Wasabi SSO. Go to https://console.wasabisys.com
Click on "SIGN IN WITH SSO"
13. Enter the Wasabi Root user email address.
14. This should redirect you to your IdP's Okta login page. Enter your username and password to go through your company's Okta login.
15. Once you have successfully logged in with your company's Okta username and password, you will be redirected back to the Wasabi Console.
Note: your view of the Wasabi Console may differ depending on the IAM policy attached to the SSO role you created.
For any issues or questions, please contact support@wasabi.com