How do I use SSO for Wasabi Console access using SAML2 integration with Okta?

Wasabi now supports SSO (Single Sign On) functionality for Wasabi accounts using the Okta IdP (Identity provider) system based on SAML2 (Security Assertion Markup Language). 

This article will provide the configuration instructions for both the IdP administrator and SSO user to properly configure and complete a Wasabi Console login using the organization's Okta SSO service.  This article provides additional information beyond what is provided in the Wasabi Management Console Guide for this feature.  

 

NOTE: In order to configure Wasabi SSO, you will need to be a paid account and log in as the root Wasabi email address.

 

OKTA Account Creation - Adding the Wasabi account to Okta

1.  Begin by creating an account on okta.com. You can create a normal account or a company account. You will need to be an Admin of your Okta account.

Screen_Shot_2022-10-26_at_10.55.30_AM.png

 

2.  Once you are logged in to your Okta account. Click on "Admin" in the top right corner.

Screen_Shot_2022-10-26_at_10.56.11_AM.png

 

3. Once you are logged in as an Admin, you will go to Applications --> Applications --> Create App Integration

Screen_Shot_2022-10-26_at_10.59.42_AM.png

 

4. Select the "SAML 2.0" radio button and hit "Next"

Screen_Shot_2022-10-26_at_11.01.28_AM.png

 

5. Name the SAML application. Click "Next" once named Screen_Shot_2022-10-26_at_11.02.13_AM.png

6. Copy and paste the following to the corresponding entries -

- Single Sign On URL - https://sso.wasabisys.com/login/callback

- Audience URL (SP Entity ID) - https://sso.wasabisys.com/saml

- Group Attribute Statements (Name) - "groups"

- Group Attribute Statements (Filter - Starts with) - <Okta Group Name> 

NOTE: This will be the Okta group that you want to give access to the Wasabi console. We will be creating a group later in step 14 ("WasabiAdmin" is used in this example.)

Screen

Once all the entries are filled. Hit "Next" 

 

7. Click on "I'm a software vendor. I'd like to integrate my app with Okta" 

Please DO NOT submit the app for review. We do not need multiple customers submitting apps for review to Okta. 

Click Finish

Screen_Shot_2022-10-26_at_11.13.39_AM.png

8. Once finished. Go to the Sign On tab under the SAML Application you just created. 

Please note the Sign in URL and Download the Signing Certificate.  You will need those details to place in the Wasabi Web Console

Note: You will need to be the Wasabi root user in order to configure Wasabi SSO.

Screen

 

9. Now click "Directory" on the left and select "Groups". 

In this example, we created a group called "WasabiAdmin" (Should be the same name as Step 6 under Group Attribute Statements (Filter - Starts with)) 

(Note: if you have a group created already that you wish to give access to the Wasabi console then you can skip this step. If you are using an existing group, please be sure to enter your existing group name in Step 6 - Group Attribute Statements (Filter - Starts with))

Screen_Shot_2022-10-26_at_11.28.57_AM.png

 

10. Once you have created the group. Please make sure that you added the users/groups you wish to be able to access the Wasabi Console through Okta SSO.

 

Screen

 

11. Once you added the users/groups to the Okta group. Go back to the Applications --> Application on the left-hand side. Assign the Application you have created in Step 5. 

Go to Assignments --> Assign --> In the drop-down click Assign to Groups 

Screen_Shot_2022-10-26_at_11.39.03_AM.png

13. Now log in as the root email user on the Wasabi Web Console

Click on Settings on the left-hand side and click on SSO (Single Sign On) Tab 

- Click on "Select Configuration" from "No SSO" to "SAML"

- Paste the Sign in URL from Step 8. 

- Upload the X509 Signing Certificate from Step 8

- Sign Out URL (Optional) - the URL is located SAML setting on Okta. 

Note: If you do not see an SSO (Single Sign On) tab then you are on a Wasabi Trial. This feature is only on paid accounts. 

Screen

 

 

14. A Wasabi role will need to be created in order for SSO roles to work in the Console. They must be assigned to users within your organization's Identity Provider, and be returned to Wasabi in SSO claims. Without this, we will be unable to match a user with a role.

Click on Create Role in the SSO tab in Settings. 

Note: Do not create the role through the Role tab on the left. SSO roles must be created through the SSO tab in Settings. 

Screen

 

15. A Create Role window will appear. Please enter the Okta Group Name you created in Step 9. 

For the Wasabi role name use the same name as the Okta Group name created in Step 9 OR Use your same group name if you are using your existing group in that step

Screen

16. Now we will assign a Policy for this Role in order to give the user specific access. Hit "Create Role" once finished. 

Note: you can give the user multiple policies if you like for this role.

Please see What are the default policies available in the Wasabi Console? for more information on the default policies available in the Wasabi Console or you can create your own IAM policies through the Policy tab on the Wasabi console. 

Screen

 

Note:  This example uses the AdministratorAccess policy. You may attach any Wasabi-managed policy/user-managed policy based on your requirements.

 

You should now see the Wasabi Role you have created in the SSO tab in Settings. 

 

Screen

 

17. Now test the Wasabi SSO. Please go to https://console.wasabisys.com

Click on "SIGN IN WITH SSO"

Screen

 

18. Enter the Wasabi Root user email address. 

 

Screen

19. This should re-direct you to the Okta login page of your IdP. Enter your username/password to go through your company's Okta login. 

Screen

 

20. Once you have successfully logged in with your company's Okta username/password. You will be then redirected back to the Wasabi Console. 

 Screen

Note: your view of the Wasabi console may look different due to the IAM policy set under the SSO role you have created. 

 

For any issues or questions. Please contact via email to support@wasabi.com 

 

 

Have more questions? Submit a request