How do I use SSO for Wasabi Console access using OpenID integration with OneLogin?
    • 18 Dec 2023

    WARNING: At this time Wasabi SSO with any OpenID IdP is not functioning. 
    We are looking into this issue and will have a fix very soon. 
    Sorry for any inconvenience.

    Wasabi supports SSO (Single Sign-On) for Wasabi accounts using OneLogin as the Identity Provider (IdP), based on OpenID Connect integration. This article provides the configuration instructions for both the IdP administrator and the SSO user to correctly configure and complete a Wasabi Console login using the organization's OneLogin SSO system.

    This article provides additional information beyond what is provided in the Wasabi Management Console Guide for this feature. To enable SSO for your Wasabi account, please contact Wasabi Support.

    OneLogin Account Creation - Adding the Wasabi account app to OneLogin

    To connect your OpenID Connect-enabled app to OneLogin, you must:

    • Add an OpenId Connect app to your company app catalog.

    • Provide users with access to the app in OneLogin.

    Part A:

    1. Log in to your account on onelogin.com as an Administrator.

    2. Select Applications from the top menu and click "Add App".

    3. Search for "OpenID Connect" or "oidc", then select the OpenId Connect (OIDC) app.

    4. Give the app a display name and click Save. This example uses the name "Wasabi".

    Once the application is created, all of its configurable settings are shown on screen.

    5. On the Configuration tab, enter the Login URI and Redirect URI that your app uses as the callback endpoint. This is where OneLogin sends the authentication response and ID token. Paste the URIs given below and click Save.

      Login URI: https://auth.wasabisys.com

      Redirect URI: https://auth.wasabisys.com/v1/oidc/callback

    6. Click Parameters and save the value as shown here.

    [Screenshot: Parameters tab]

    7. Select Rules and click Add Rules. Give the rule a name, edit Actions as shown here, and click Save.

      Note: This example names the rule "one-login-mapping"; you can choose your own name.

      We will use the same role name, "role-for-one-login", when creating the role on Wasabi for this integration.

    [Screenshot: Rules tab]

    8. On the SSO tab, copy your own Client ID and Client Secret values along with the V2 Issuer URL and save them in a secure location. These three values are needed later to configure SSO in the Wasabi Console.

      Note: Client ID and Client Secret are different for every individual application, so it is important that you use your own values.

    Once you have saved those three values, scroll down on the same SSO tab and check "Assumed Sign-In" to allow assumed users to sign in to the Wasabi app.

    Part B:

    9. Based on your personal/company use case, start creating Users, Groups, etc. and decide how you would like to set up the mappings.

    Note: These settings depend on your organization's requirements. The example below uses a single User.

    10. Start by creating Groups: select Groups in the Users top menu, give the group a name and click Save.

      Note: This example names the group "Wasabi-SSO-group"; you can choose any name.

    11. Select Roles in the Users top menu and click "New Role".

    Give the role the name you used before and select the Application that was created for Wasabi SSO, as shown below.

    [Screenshot: New Role]

    12. Select Users from the Users menu on top and click "New User".

    Enter the user's details and set a password for them, then scroll down and add privileges to this user based on your requirements on the OneLogin IdP.

    On the Authentication page, select the previously created group for this User.

    On the Applications page, select the Role you created earlier and click Save User.

    13. Select Mappings in the Users top menu and click "New Mapping".

    Enter any name for this mapping, set Conditions and Actions as shown below, and click Save.

    [Screenshot: New Mapping]

    Wasabi Console Configuration

    14. In the Wasabi Console, go to your user profile and select the "Settings" tab. Scroll down and select "Configure SSO".

    15. Click the "+" sign to initiate the provider configuration. Enter a name for the new Auth Provider.

      Select "OpenID Connect (OAuth 2.0 protocol)" from the drop-down menu.

      Use the "Issuer", "Client ID", and "Client secret" values saved in Step 8 and enter them in the appropriate fields. In this example we enter the "Wasabi Role Prefix" as "role-for-one-login".

      Click "CREATE".

    When you save the configuration it is assigned a new ProviderId, which is a random string. Copy and store the new ProviderId; it is used in a later step.

    16. Create Role(s) in the Wasabi Console; these determine the permissions/policies given to the SSO users.

      Select "IAM" and then "Roles" from the menu. Select "CREATE ROLE" and enter the policy as shown below.

      Note: The role here uses the same name as in the IdP mapping, i.e. "role-for-one-login".

    [Screenshot: Create Role]

    Actual Policy:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "Federated": "arn:aws:iam::100000032477:oidc-provider/rTzuWMAEx5SvCYMw"
          },
          "Action": "sts:AssumeRoleWithWebIdentity"
        }
      ]
    }

    NOTE: Be sure to use your own Wasabi Account ID where the example above specifies 100000032477, and replace "rTzuWMAEx5SvCYMw" with your own "ProviderId", which was created in Step 15.

    Note: Make sure that the name of the role configured in OneLogin matches the name of the role in the Wasabi Console. This example uses the WasabiAdministratorAccess policy. You can attach any Wasabi managed policy or user-managed policy based on your requirements.
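    Because the trust policy above is what decides who may assume the role, it is worth checking the pasted JSON before saving it. The following Python helper is an added example (not Wasabi's or OneLogin's code) that renders the policy with your Account ID and ProviderId substituted and flags the common mistakes: a wildcard principal, an unexpected action, or a Federated ARN that points at another account or ProviderId. The account ID and ProviderId used in the test are the article's sample values; the ARN shape assumed is the one shown in the policy above.

```python
import json
import re

# Shape of the Federated principal in the article's policy:
# arn:aws:iam::<12-digit Account ID>:oidc-provider/<ProviderId>
FEDERATED_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):oidc-provider/([A-Za-z0-9]+)$")
EXPECTED_ACTION = "sts:AssumeRoleWithWebIdentity"


def build_trust_policy(account_id: str, provider_id: str) -> str:
    """Render the article's role trust policy with the two placeholders filled in."""
    policy = {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": f"arn:aws:iam::{account_id}:oidc-provider/{provider_id}"},
            "Action": EXPECTED_ACTION,
        }],
    }
    return json.dumps(policy, indent=2)


def check_trust_policy(policy_json: str, account_id: str, provider_id: str) -> list:
    """Return the problems found in a trust policy; an empty list means it is as expected."""
    problems = []
    statements = json.loads(policy_json).get("Statement", [])
    statements = [statements] if isinstance(statements, dict) else statements
    for i, st in enumerate(statements):
        if st.get("Effect") != "Allow":
            continue  # Deny statements cannot widen who may assume the role
        principal = st.get("Principal")
        if principal == "*" or (isinstance(principal, dict) and "*" in principal.values()):
            problems.append(f"statement {i}: wildcard principal lets any identity assume the role")
        actions = st.get("Action", [])
        for action in ([actions] if isinstance(actions, str) else actions):
            if action != EXPECTED_ACTION:
                problems.append(f"statement {i}: unexpected action {action!r}")
        federated = principal.get("Federated") if isinstance(principal, dict) else None
        if not isinstance(federated, str):
            problems.append(f"statement {i}: no single Federated principal")
            continue
        match = FEDERATED_ARN_RE.match(federated)
        if not match:
            problems.append(f"statement {i}: malformed Federated ARN {federated!r}")
        elif match.group(1) != account_id:
            problems.append(f"statement {i}: account {match.group(1)} is not your account {account_id}")
        elif match.group(2) != provider_id:
            problems.append(f"statement {i}: ProviderId {match.group(2)} is not {provider_id}")
    return problems
```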

    17. Configuration is now complete. Users can now log in to the OneLogin IdP as themselves, see the "Wasabi" application you created, and SSO into the Wasabi Console from there.

    Once they click the Wasabi application, the SSO user is prompted to enter the ProviderId from Step 15 and can then access the Wasabi Management Console.