Identity & Access Integrations
Panther can be integrated with various SAML providers to allow users to log in to the Panther Console via Single Sign-On (SSO). Once an SSO provider has been configured, it can optionally be enforced for all users of your instance.
Panther also supports SCIM provisioning for Okta SSO. See Okta SCIM Setup for instructions.
You can also enable Panther Support access to allow your Panther Support team view-only access to your Panther instance. This may be particularly useful during issue resolution.
Guides
Follow these step-by-step guides to configure a SAML integration with one of the following identity providers (IdP):
Terminology
Identity Provider (IdP): The system that provides authentication credentials, such as OneLogin, Okta, and others.
Security Assertion Markup Language (SAML): An open standard for exchanging authentication credentials.
Service Provider (SP): The system that receives authentication credentials. In this case, Panther.
Single Sign-On (SSO): A central hub that allows users to share one login session with multiple services. In this context, synonymous with a SAML IdP.
Features
SP-initiated login flow: Panther will show a special link on the login page which, when clicked, will redirect to the IdP for login
Auto-provisioning: Panther SAML accounts are created on the first login; they do not need to be created in advance
Role integration: A single Panther Role of your choice is assigned to SAML users by default, and you can change user roles after their first login
Enforce Single Sign-On: SSO can be enforced for your instance of Panther.
Standard password-based logins are still supported after you enable SAML integration. Users can be created and authorized in either flow.
Limitations
Panther does not support the following:
IdP-initiated login flow: Users cannot login from OneLogin or Okta directly, they must navigate to the Panther login page first
SCIM: Users deleted from the IdP are not automatically deleted from Panther (they just cannot login anymore)
Attribute mapping: Panther roles cannot be assigned via SAML attributes
These limitations stem from Amazon Cognito, the user management service Panther is built on.
How to enforce SSO
Enforcing SSO means users of your Panther instance will be required to log in using the configured SAML provider. Users will no longer be able to log in with username and password credentials.
Note the following prerequisites for enforcing SSO:
A SAML integration must be successfully set up.
Only users with the Admin role may perform this action.
To enforce SSO for your Panther instance:
Log into your Panther Console.
Click the gear icon in the upper right corner > General > Identity & Access.
Toggle Enforce Single Sign On (SSO) to ON.
Click Save Changes.
Enforced SSO break glass
Only users with the Admin role can enforce or disable SSO. If SSO is enforced and you'd like to disable it (e.g., if there's an issue with your SSO integration), but none of your instance's users have the Admin role assigned, please reach out to your Panther support team. After Panther support disables the Enforce Single Sign-On setting, you can log in with username and password credentials, then toggle Enforce Single Sign-On back on when you're ready.
Last updated