Wasabi supports SSO (Single Sign On) for Wasabi accounts using the Okta IdP (Identity Provider), based on OpenID Connect integration. This document provides the configuration instructions for both the IdP administrator and the SSO user to configure and complete a Wasabi Console login using the organization's Okta SSO system.
This article provides additional information beyond what is provided in the Wasabi Management Console Guide for this feature. To enable SSO for your Wasabi account, please contact Wasabi Support.
Okta Account Creation - Adding the Wasabi account to Okta
1. Log into your account on okta.com as the Administrator. (If you already have an Okta account, step 2 may not be necessary)
2. Once you are logged into your Okta account, select the "Your Org" icon next to your account name and select "Admin". From the "<> Developer Console" menu, select the "Classic UI" drop-down, which brings you to the Okta Dashboard page.
3. Select the Applications menu and select "Applications", then click "Add Application".
4. Select "Create New App".
5. Select "OpenID Connect" and click "Create".
6. Complete the "Application Name" field (a nickname for the app), then select the "Login Redirect URIs" field and enter the following:
7. Select the "General" tab and go to "Client Credentials" section and copy/save the "Client ID" and "Client secret" values. These values will be used to create the provider configuration in Wasabi's Console later in this article.
8. Select the "Sign On" tab and go to the "OpenID Connect ID Token" section.
Note: Copy and save the "Issuer" value, which will be used to create the provider configuration in the Wasabi Console. Then click "Edit".
9. The Group claim filter maps Okta groups to Wasabi roles for authorization. If the administrator configures a "Starts with" (prefix) filter for groups, then every role-based policy attached to a Wasabi Console role whose name matches that filter is applied to the user.
NOTE: The group filter example below, "Starts with" Group, lets you map your configured Wasabi roles whose names carry that prefix to the groups you defined in Okta; the roles are created in the Wasabi Console IAM/Roles section. The Wasabi role name must equal the Okta group name exactly.
10. Log into your Okta account and select "Directory" on the top and select "Groups".
11. Click "Add Group", enter a name, and click "Add Group".
12. Select the newly created Group and click "Manage People".
13. Select the user to be added to the Group and click "Save".
14. Click "Manage Apps" and click "Assign" to assign the Application to the Group.
15. Select the "Applications" menu and select "Assign Applications".
16. Click "Assign Apps to People", select the "Application" and the "People", then click "Confirm Assignments".
Wasabi Console Configuration
17. In the Wasabi Console, click the ellipsis ("More") menu in the upper right-hand corner and select "My Profile". Select the "Settings" tab, scroll down, and select "Configure SSO".
18. Click "CREATE NEW PROVIDER" to start the provider configuration. Enter a name for the new Auth Provider.
Select "OpenID Connect (OAuth 2.0 protocol)" from the drop-down menu.
Enter the "Issuer", "Client ID", and "Client secret" values you saved from the Okta application configuration. In this example we enter Group1 as the "Wasabi Role Prefix".
When you save the configuration it is assigned a new ProviderId, which is a random string. Copy and store the new ProviderId, as it is used in a later step.
19. Create role(s) in the Wasabi Console matching the Okta group name(s) for authorization (Group1 in this example).
Select "IAM" and then "Roles" from the menu. Select "CREATE ROLE" and enter the policy as shown below.
NOTE: Be sure to use your own Wasabi Account ID where the example above specifies 100000000100, and replace "R0kHHJ7lOAzbTIAp" with the "ProviderId" that was generated when you saved the provider configuration.
Note: Make sure that the name of the group configured in Okta matches the name of the role in the Wasabi Console. In this example, the role created should be named admin. This example uses the WasabiAdministratorAccess policy; the administrator should attach this policy to the newly created role (i.e., group1).
20. Configuration is now complete. Enter the URL "https://auth.wasabisys.com" in your browser and log in as an SSO user.
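The group-to-role mapping described in steps 9 and 19, as an added Python illustration that is not Wasabi's or Okta's own code: it assumes the ID token's signature has already been verified by an OIDC library and that Okta delivers the filtered groups in a `groups` claim. The issuer, client ID and group names below are constructed sample values; the "Group1" prefix is the article's example.

```python
import time

# Constructed stand-ins for the values an administrator copies from Okta (not real).
OKTA_ISSUER = "https://example.okta.com/oauth2/default"   # constructed
CLIENT_ID = "0oa-constructed-client-id"                    # constructed
WASABI_ROLE_PREFIX = "Group1"                              # the article's example prefix
# Roles created under IAM > Roles in the Wasabi Console; names must equal Okta group names.
WASABI_ROLES = {"Group1", "Group1-readonly", "Developers"}


def validate_id_token_claims(claims, now=None):
    """Checks a decoded ID token's claims as a relying party must before trusting
    the groups claim (signature verification assumed done by the OIDC library).
    Returns a list of problems; an empty list means the token is acceptable."""
    now = time.time() if now is None else now
    problems = []
    if claims.get("iss") != OKTA_ISSUER:
        problems.append("issuer mismatch")        # token minted by another issuer
    aud = claims.get("aud")
    if aud != CLIENT_ID and not (isinstance(aud, list) and CLIENT_ID in aud):
        problems.append("audience mismatch")      # token issued for another app
    if claims.get("exp", 0) <= now:
        problems.append("token expired")
    return problems


def map_groups_to_roles(claims, prefix=WASABI_ROLE_PREFIX, roles=WASABI_ROLES):
    """Applies the 'Starts with' group filter and returns the Wasabi roles to grant:
    only Okta groups that start with the prefix AND have a Wasabi role of the same name."""
    groups = claims.get("groups", [])
    return sorted(g for g in groups if g.startswith(prefix) and g in roles)


def authorize(claims, now=None):
    """Full decision: reject on any claim problem, otherwise grant the mapped roles."""
    problems = validate_id_token_claims(claims, now)
    if problems:
        return {"allowed": False, "roles": [], "problems": problems}
    roles = map_groups_to_roles(claims)
    return {"allowed": bool(roles), "roles": roles,
            "problems": [] if roles else ["no matching role"]}
```

A group such as "Developers" that exists as a Wasabi role but does not carry the configured prefix is deliberately not granted, which is why the prefix filter and the role names must be kept consistent.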