SAML/SSO Integration

Panther can be integrated with SAML providers like OneLogin, Okta, and others to enable users to log in via SSO to the Panther Console.


Follow these step-by-step guides to enable SAML integration with one of the following:


  • Identity Provider (IdP): The system that provides authentication credentials, such as OneLogin, Okta, and others.
  • Security Assertion Markup Language (SAML): An open standard for exchanging authentication credentials.
  • Service Provider (SP): The system that receives authentication credentials. In this case, Panther Enterprise.
  • Single Sign-On (SSO): A central hub that allows users to share one login session with multiple services. In this context, synonymous with a SAML IdP.


  • SP-initiated login flow: Panther will show a special link on the login page which, when clicked, will redirect to the IdP for login
  • Auto-provisioning: Panther SAML accounts are created on the first login; they do not need to be created in advance
  • Role integration: A single Panther Role of your choice is assigned to SAML users by default, and you can change user roles after their first login
Standard password-based logins are still supported after you enable SAML integration. Users can be created and authorized in either flow.


Panther does not support the following:
  • IdP-initiated login flow: Users cannot login from OneLogin or Okta directly, they must navigate to the Panther login page first
  • SCIM: Users deleted from the IdP are not automatically deleted from Panther (they just cannot login anymore)
  • Attribute mapping: Panther roles cannot be assigned via SAML attributes
These limitations stem from Amazon Cognito, the user management service Panther is built on.