Knowledge BaseCommunityRelease NotesTry Panther
Search
⌃K
Links

SAML/SSO Integration

Panther can be integrated with various SAML providers to allow users to log in to the Panther Console via Single Sign-On (SSO). Once a SSO provider has been configured, it can optionally be enforced for all users of your instance.

Guides

Follow these step-by-step guides to configure a SAML integration with one of the following identity providers (IdP):

Terminology

  • Identity Provider (IdP): The system that provides authentication credentials, such as OneLogin, Okta, and others.
  • Security Assertion Markup Language (SAML): An open standard for exchanging authentication credentials.
  • Service Provider (SP): The system that receives authentication credentials. In this case, Panther.
  • Single Sign-On (SSO): A central hub that allows users to share one login session with multiple services. In this context, synonymous with a SAML IdP.

Features

  • SP-initiated login flow: Panther will show a special link on the login page which, when clicked, will redirect to the IdP for login
  • Auto-provisioning: Panther SAML accounts are created on the first login; they do not need to be created in advance
  • Role integration: A single Panther Role of your choice is assigned to SAML users by default, and you can change user roles after their first login
  • Enforce Single Sign-On: SSO can be enforced for your instance of Panther.
Standard password-based logins are still supported after you enable SAML integration. Users can be created and authorized in either flow.

Limitations

Panther does not support the following:
  • IdP-initiated login flow: Users cannot login from OneLogin or Okta directly, they must navigate to the Panther login page first
  • SCIM: Users deleted from the IdP are not automatically deleted from Panther (they just cannot login anymore)
  • Attribute mapping: Panther roles cannot be assigned via SAML attributes
These limitations stem from Amazon Cognito, the user management service Panther is built on.

How to enforce SSO (beta)

This feature is in closed beta starting with Panther version 1.60. To request access to the feature or share any bug reports or feature requests, please contact your Panther support team.
Enforcing SSO means users of your Panther instance will be required to log in using the configured SAML provider. Users will no longer be able to log in with username and password credentials.
Note the following prerequisites for enforcing SSO:
  • A SAML integration must be successfully set up.
  • Only users with the Admin role may perform this action.
To enforce SSO for your Panther instance:
  1. 1.
    Log into your Panther Console.
  2. 2.
    Click the gear icon in the upper right corner > General > SAML Configuration.
  3. 3.
    Toggle Enforce Single Sign On (SSO) to ON.
    The SAML Configuration page of the Console's General Settings is shown. There is an Enable SAML toggle, which is set to on, and an Enforce Single Sign On toggle, which is set to off (an arrow is pointing to this setting).
  4. 4.
    Click Save Changes.

Enforced SSO break glass

Only users with the Admin role can enforce or disable SSO. If SSO is enforced and you'd like to disable it (e.g., if there's an issue with your SSO integration), but none of your instance's users have the Admin role assigned, please reach out to your Panther support team. After Panther support disables the Enforce Single Sign-On setting, you can log in with username and password credentials, then toggle Enforce Single Sign-On back on when you're ready.
Previous
Role-Based Access Control
Next
Duo SSO
Last modified 2d ago