# Azure Active Directory SSO

## Overview

Panther supports integrating with [Azure Active Directory](https://azure.microsoft.com/en-us/solutions/active-directory-sso) as a SAML provider to enable logging in to the Panther Console via SSO.

For more information on features, terminology, and limitations of SSO integrations with the Panther Console, see [Identity & Access Integrations](https://docs.panther.com/system-configuration/saml).

## How to configure SAML SSO to the Panther Console with Azure Active Directory

### Step 1: Obtain the Azure Active Directory SSO parameters from Panther

1. Log in to the Panther Console.
2. In the upper-right corner, click the gear icon, and then click **General**.
3. Navigate to the **Identity & Access** tab.
4. Next to **Enable SAML (Security Assertion Markup Language)**, set the toggle to `ON`.
5. If using [IdP-initiated login](https://docs.panther.com/system-configuration/saml/..#idp-initiated-vs.-sp-initiated-login), set the **Use IdP-Initiated Single Sign On (SSO)** toggle to `ON`.
6. Copy the **Audience** and **ACS Consumer URL** values and store them in a secure location. You will need them in the following steps.
   * If using IdP-initiated login, also copy the **Relay State** value.

{% hint style="info" %}
It's recommended to use [SP-initiated login](https://docs.panther.com/system-configuration/saml/..#sp-initiated-login-recommended), as it is generally considered more secure than IdP-initiated login.
{% endhint %}

<figure><img src="https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2Fgit-blob-800628a71753e4ef33d50d9bbf9231f05441120b%2FScreenshot%202025-10-10%20at%203.03.25%E2%80%AFPM.png?alt=media" alt="In the Settings section of the Panther Console, within the Identity &#x26; Access tab, various fields like &#x22;Enable SAML&#x22;, &#x22;Audience&#x22; and &#x22;ACS Consumer URL&#x22; are shown"><figcaption></figcaption></figure>

### Step 2: Create a Microsoft Azure Enterprise Application

1. Log in to your [Azure Portal](https://portal.azure.com).
2. In the left-hand navigation bar, click **Azure Active Directory**.
3. Under **Manage**, click **Enterprise applications**.
4. Click **+ New application**, then **+ Create your own application**.
5. On the **Create your own application** screen, configure the following fields:
   * **Input name**: Enter a descriptive value, such as "Panther Console."
   * **Integrate any other application you don’t find in the gallery (Non-gallery)**: Select this radio button.
6. Click **Create**.

### Step 3: Configure your Microsoft Azure Enterprise Application

1. Within your newly created application, click **1. Assign users and groups**.
   1. Click **+ Add user/group**.
   2. Under **Users and groups**, click the **None Selected** link.
   3. Select your user(s), then click **Select**.
   4. Click **Assign**.
2. Navigate back to the Enterprise Application **Overview**, then click **2. Set up Single Sign-on**.
3. On the **Select a Single Sign-on method** screen, click **SAML**.
4. Within **Set up Single Sign-on with SAML**, make the following configurations:
   1. Under **Basic SAML Configuration**, click **Edit**, and configure the following fields:
      * **Add Identifier (Entity ID)**: Paste the **Audience** value you obtained in the Panther Console in Step 1.
      * **Add reply URL**: Paste the **ACS Consumer URL** value you obtained in the Panther Console in Step 1.
      * **Add Relay State for IdP-Initiated SSO**: If using IdP-initiated login, paste the **Relay State** value you copied from the Panther Console in Step 1. If using SP-initiated login, leave this value blank.
5. Under **Attributes & Claims**, click **Edit**.
   1. Click **+ Add new claim** and configure the following fields:
      * **Name**: Enter `PantherEmail`.
      * **Namespace**: Leave this field blank.
      * **Source**: Select the **Attribute** radio button.
      * **Source Attribute**: Select `user.email`.
   2. Click **Save**.
   3. Click **+ Add new claim** and configure the following fields:
      * **Name**: Enter `PantherFirstName`.
      * **Namespace**: Leave this field blank.
      * **Source**: Select the **Attribute** radio button.
      * **Source Attribute**: Select `user.givenname`.
   4. Click **Save**.
   5. Click **+ Add new claim** and configure the following fields:
      * **Name**: Enter `PantherLastName`.
      * **Namespace**: Leave this field blank.
      * **Source**: Select the **Attribute** radio button.
      * **Source Attribute**: Select `user.surname`.
   6. Click **Save**.
6. Under **SAML Certificates**, next to **Federation Metadata XML**, click the **Download** link.
7. Click **Save**.

### Step 4: Configure the Panther Console with Azure AD SSO

1. Navigate back to the **Identity & Access** section in the Panther Console from Step 1. In the **Default Role** field, choose the Panther role that your new users will be assigned by default when they first log in via SSO.

{% hint style="warning" %}
Panther highly recommends not setting this value to `Admin`.
{% endhint %}

2. Click **click here** to upload the metadata file you downloaded from Azure.

<figure><img src="https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2Fgit-blob-e8e6846bff40652df983da89846e03363e334ea8%2FScreenshot%202025-10-16%20at%203.52.12%E2%80%AFPM.png?alt=media" alt="In the Panther Console settings, there is a Default Role field and an Identity provider URL field. Below, there is a button to upload a metadata file." width="375"><figcaption></figcaption></figure>

3. Click **Save Changes**.

To test your setup, go to your Panther sign-in page and click **Login with SSO**.

<figure><img src="https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2Fgit-blob-6c854c8da9b83a5410acdb3a8278c814a3b9be7b%2Fimage.png?alt=media" alt="The Panther login page displays a &#x22;Login with SSO&#x22; button at the bottom."><figcaption></figcaption></figure>
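If the test login fails, the assertion Azure sends can be checked against the values configured in Steps 1 and 3. The following is an added example, not Panther's or Microsoft's code: `check_assertion` is a hypothetical helper, and the sample assertion, its URLs and its audience value are constructed placeholders. It inspects a decoded assertion from your own test login for configuration mistakes only and does not validate the signature.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
REQUIRED_CLAIMS = ("PantherEmail", "PantherFirstName", "PantherLastName")

# Constructed sample (placeholder values, unsigned): one claim carries a
# namespace prefix and one claim has no value.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:SubjectConfirmation>
    <saml:SubjectConfirmationData Recipient="https://panther.example/acs"/>
  </saml:SubjectConfirmation></saml:Subject>
  <saml:Conditions><saml:AudienceRestriction>
    <saml:Audience>urn:example:panther-audience</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="PantherEmail"><saml:AttributeValue>a@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/PantherFirstName"><saml:AttributeValue>Ada</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="PantherLastName"/>
  </saml:AttributeStatement>
</saml:Assertion>"""

def check_assertion(assertion_xml, audience, acs_url):
    """Return a list of configuration problems (an empty list means none found)."""
    root = ET.fromstring(assertion_xml)
    problems = []
    # Identifier (Entity ID) in Azure must equal Panther's Audience value.
    audiences = [a.text for a in root.iterfind(".//saml:Audience", NS)]
    if audience not in audiences:
        problems.append(f"Audience mismatch: got {audiences}")
    # Reply URL in Azure must equal Panther's ACS Consumer URL.
    recipients = [c.get("Recipient")
                  for c in root.iterfind(".//saml:SubjectConfirmationData", NS)]
    if acs_url not in recipients:
        problems.append(f"Recipient mismatch: got {recipients}")
    attrs = {}
    for a in root.iterfind(".//saml:Attribute", NS):
        attrs[a.get("Name")] = [v.text for v in a.iterfind("saml:AttributeValue", NS) if v.text]
    for claim in REQUIRED_CLAIMS:
        if attrs.get(claim):
            continue
        # Namespace field not left blank: the name arrives as "<namespace>/<claim>".
        prefixed = [n for n in attrs if n.endswith("/" + claim)]
        if prefixed:
            problems.append(f"{claim} sent with a namespace: {prefixed[0]}")
        else:
            problems.append(f"{claim} missing or empty")
    return problems

if __name__ == "__main__":
    for p in check_assertion(SAMPLE, "urn:example:panther-audience", "https://panther.example/acs"):
        print(p)
```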
