Identity & Access Integrations
Last updated
Was this helpful?
Last updated
Was this helpful?
Panther can be integrated with various SAML providers to allow users to log in to the Panther Console via Single Sign-On (SSO). Once an SSO provider has been configured, it can for all users of your instance.
Panther also supports SCIM provisioning for Okta SSO. See for instructions.
Follow these step-by-step guides to configure a SAML integration with one of the following identity providers (IdP):
Identity Provider (IdP): The system that provides authentication credentials, such as OneLogin, Okta, and others.
Security Assertion Markup Language (SAML): An open standard for exchanging authentication credentials.
Service Provider (SP): The system that receives authentication credentials. In this case, Panther.
Single Sign-On (SSO): A central hub that allows users to share one login session with multiple services. In this context, synonymous with a SAML IdP.
SP-initiated login flow: Panther will show a special link on the login page which, when clicked, will redirect to the IdP for login
Auto-provisioning: Panther SAML accounts are created on the first login; they do not need to be created in advance
Standard password-based logins are still supported after you enable SAML integration. Users can be created and authorized in either flow.
Panther does not support the following:
IdP-initiated login flow: Users cannot login from OneLogin or Okta directly, they must navigate to the Panther login page first
SCIM: Users deleted from the IdP are not automatically deleted from Panther (they just cannot login anymore)
Attribute mapping: Panther roles cannot be assigned via SAML attributes
These limitations stem from Amazon Cognito, the user management service Panther is built on.
Enforcing SSO means users of your Panther instance will be required to log in using the configured SAML provider. Users will no longer be able to log in with username and password credentials.
Note the following prerequisites for enforcing SSO:
A SAML integration must be successfully set up.
Only users with the Admin role may perform this action.
To enforce SSO for your Panther instance:
Log into your Panther Console.
Click the gear icon in the upper right corner > General > Identity & Access.
Toggle Enforce Single Sign On (SSO) to ON.
Click Save Changes.
Role integration: A single of your choice is assigned to SAML users by default, and you can change user roles after their first login
: SSO can be enforced for your instance of Panther.
Only users with the can enforce or disable SSO. If SSO is enforced and you'd like to disable it (e.g., if there's an issue with your SSO integration), but none of your instance's users have the Admin role assigned, please reach out to your Panther support team. After Panther support disables the Enforce Single Sign-On setting, you can log in with username and password credentials, then toggle Enforce Single Sign-On back on when you're ready.
