- 18 Dec 2023
- 4 Minutes to read
How do I use SSO for Wasabi Console access using OpenID integration with OneLogin?
WARNING: At this time Wasabi SSO with any OpenID IdP is not functioning.
We are looking into this issue and will have a fix very soon.
Sorry for any inconvenience.
Wasabi supports SSO (Single Sign-On) for Wasabi accounts using the OneLogin identity provider (IdP) based on OpenID Connect integration. This article provides the configuration instructions for both the IdP administrator and the SSO user to configure and complete a Wasabi Console login using the organization's OneLogin SSO system.
This article provides additional information beyond what is provided in the Wasabi Management Console Guide for this feature. To enable SSO for your Wasabi account, please contact Wasabi Support.
OneLogin Account Creation - Adding the Wasabi account app to OneLogin
To connect your OpenID Connect-enabled app to OneLogin, you must:
- Add an OpenId Connect app to your company app catalog.
- Provide users with access to the app in OneLogin.
Part A:
Log in to your account on onelogin.com as an Administrator.
Select Applications from the top menu and click "Add App".
Search for "OpenId Connect" or "oidc", then select the OpenId Connect (OIDC) app.
Give it a display name and click Save. Note that we are using the name "Wasabi" in this example.
Once the application is successfully created, you will see all the configurable settings on your screen as shown below.
On the Configuration tab, enter the Login URI and Redirect URI that your app uses as the callback endpoint. This is where OneLogin sends the authentication response and ID token. Paste the URIs given below and click Save.
Login URI: https://auth.wasabisys.com
Redirect URI: https://auth.wasabisys.com/v1/oidc/callback
Click Parameters and save the value as shown here.
Select Rules and click "Add Rules". Give the rule a name, edit Actions as shown here, and click Save.
Note: We are naming this rule "one-login-mapping"; you can choose your own name.
We will use the same name, "role-for-one-login", to create the role on Wasabi for this integration.
On the SSO tab, copy your own Client ID and Client Secret values along with the V2 Issuer URL and save them in a secure location. You will need these three values later to configure SSO on the Wasabi side.
Note: Client ID and Client Secret are different for every individual application, so it is important that you use your own values.
Once you have saved those three values, scroll down on the same SSO tab and check "Assumed Sign-In" to allow assumed users to sign in to the Wasabi app.
Part B:
Now, based on your personal/company use case, start creating Users, Groups, etc., and decide how you would like the mappings to work.
Note: These settings will depend on your organization's requirements. We demonstrate with an example of one User below.
Start by creating Groups: select Groups in the Users top menu, give the group a name, and click Save.
Note: We are naming this group "Wasabi-SSO-group"; you can choose any name.
Select Roles in the Users top menu and click "New Role".
Enter the role name you used before ("role-for-one-login" in this example) and select the application that was created for Wasabi SSO as shown below.
Select Users from the Users menu on top and click "New User".
Enter the user details and set a password for them, then scroll down and add privileges to this user based on your requirements on the OneLogin IdP.
On the Authentication page, select the previously created group for this user.
On the Application page, select the Role you created earlier and click Save User.
Select Mappings in the Users top menu and click "New Mapping".
Enter any name for this mapping, set Conditions and Actions as shown below, and click Save.
Wasabi Console Configuration
In the Wasabi Console, go to your user profile and select the "Settings" tab. Scroll down and select "Configure SSO".
Click the "+" sign to initiate the provider configuration. Enter a name for the new Auth Provider.
Select "OpenID Connect (OAuth 2.0 protocol)" from the drop-down menu.
Enter the "Issuer", "Client ID", and "Client secret" values you saved from the OneLogin SSO tab in Part A. In this example we enter "role-for-one-login" as the "Wasabi Role Prefix".
Click "CREATE".
When you save the configuration it will be assigned a new ProviderId, which is a random string. Copy and store the new ProviderId, as it will be used in a later step.
Click
Create the role(s) in the Wasabi Console that determine which permissions/policies the SSO users receive.
Select "IAM" and then "Roles" from the menu. Select "CREATE ROLE" and enter the trust policy shown below.
Note: We have used the same role name here as in the IdP mapping, i.e., "role-for-one-login".
Actual Policy:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::100000032477:oidc-provider/rTzuWMAEx5SvCYMw"
      },
      "Action": "sts:AssumeRoleWithWebIdentity"
    }
  ]
}
```
NOTE: Be sure to use your own Wasabi Account ID where the example above specifies 100000032477, and replace "rTzuWMAEx5SvCYMw" with the "ProviderId" that was assigned when you created the Auth Provider above.
Note: Make sure that the name of the role configured in OneLogin matches the name of the role in the Wasabi Console. This example uses the WasabiAdministratorAccess policy. You can attach any Wasabi managed policy or user-managed policy based on your requirements.
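As an added check that is not part of the Wasabi article or Wasabi's own tooling, the following Python script builds the trust policy above from your own account ID and ProviderId, and reviews an existing trust policy for the mistakes the two notes warn about: the sample account ID or sample ProviderId left in place, an account ID that is not yours, a principal that is not a Federated OIDC provider, or an action other than sts:AssumeRoleWithWebIdentity granted to that principal. The account ID and ProviderId used in the demo at the bottom are constructed placeholders, and the ARN pattern is an assumption based on the format shown in the article.

```python
"""
Added example (not from the Wasabi article): build and sanity-check the IAM role
trust policy that lets the OneLogin OIDC provider assume a Wasabi role.
"""
import json
import re

# Values copied from the article's sample policy; they must never appear in a real policy.
SAMPLE_ACCOUNT_ID = "100000032477"
SAMPLE_PROVIDER_ID = "rTzuWMAEx5SvCYMw"

# Assumed shape of the Federated ARN, taken from the article's example:
# arn:aws:iam::<account id>:oidc-provider/<ProviderId>
FEDERATED_ARN_RE = re.compile(r"^arn:aws:iam::(\d+):oidc-provider/([A-Za-z0-9_-]+)$")

EXPECTED_ACTION = "sts:AssumeRoleWithWebIdentity"


def build_trust_policy(account_id: str, provider_id: str) -> dict:
    """Return the article's trust policy with the two placeholders filled in."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {
                    "Federated": f"arn:aws:iam::{account_id}:oidc-provider/{provider_id}"
                },
                "Action": EXPECTED_ACTION,
            }
        ],
    }


def check_trust_policy(policy, expected_account_id: str) -> list:
    """Return a list of problems found; an empty list means the policy looks right.

    `policy` may be a dict or a JSON string.
    """
    if isinstance(policy, str):
        policy = json.loads(policy)
    problems = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        if not isinstance(principal, dict) or "Federated" not in principal:
            # "*" or an AWS/Service principal would let something other than the
            # configured OIDC provider assume the role.
            problems.append("principal is not a Federated OIDC provider")
            continue
        match = FEDERATED_ARN_RE.match(principal["Federated"])
        if not match:
            problems.append(f"malformed Federated ARN: {principal['Federated']}")
            continue
        account_id, provider_id = match.groups()
        if account_id == SAMPLE_ACCOUNT_ID:
            problems.append("account ID is still the article's sample value")
        elif account_id != expected_account_id:
            problems.append(f"account ID {account_id} does not match your account {expected_account_id}")
        if provider_id == SAMPLE_PROVIDER_ID:
            problems.append("ProviderId is still the article's sample value")
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        for action in actions:
            if action != EXPECTED_ACTION:
                problems.append(f"unexpected action granted to the federated principal: {action}")
    return problems


if __name__ == "__main__":
    # Constructed placeholders: substitute your own Wasabi account ID and ProviderId.
    policy = build_trust_policy("123456789012", "YourProviderIdHere")
    print(json.dumps(policy, indent=2))
    print("problems:", check_trust_policy(policy, "123456789012"))
```

Run it against the policy you pasted into the Wasabi Console before attaching permissions; a non-empty problem list means the role either still trusts the article's sample provider or trusts more than the one OIDC provider you created.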
Configuration is now complete. Users can now log in to the OneLogin IdP as themselves; they will see the "Wasabi" application you created and can SSO into the Wasabi Console from there.
Once they click the Wasabi application, the SSO user will be prompted to enter the ProviderId (assigned when the Auth Provider was created above) and can then access the Wasabi Management Console.