# Azure Active Directory SSO

## Overview

Panther supports integrating with [Azure Active Directory](https://azure.microsoft.com/en-us/solutions/active-directory-sso) (now Microsoft Entra ID) as a SAML identity provider, so that users can log in to the Panther Console via SSO.

For more information on features, terminology, and limitations of SSO integrations with the Panther Console, see [Identity & Access Integrations](/system-configuration/saml.md).

## How to configure SAML SSO to the Panther Console with Azure Active Directory

### Step 1: Obtain the Azure Active Directory SSO parameters from Panther

1. Log in to the Panther Console.
2. In the upper-right corner, click the gear icon, and then click **General**.
3. Navigate to the **Identity & Access** tab.
4. Next to **Enable SAML (Security Assertion Markup Language)**, set the toggle to `ON`.
5. If using [IdP-initiated login](https://docs.panther.com/system-configuration/saml/pages/-MXJ6kXOq1hLh6IY-4U0#idp-initiated-vs.-sp-initiated-login), set the **Use IdP-Initiated Single Sign On (SSO)** toggle to `ON`.
6. Copy the **Audience** and **ACS Consumer URL** values and store them in a secure location. You will need them in the following steps.
   * If using IdP-initiated login, also copy the **Relay State** value.

{% hint style="info" %}
It's recommended to use [SP-initiated login](/system-configuration/saml.md#sp-initiated-login-recommended), as it is generally considered more secure than IdP-initiated login.
{% endhint %}

<figure><img src="/files/u72aPCkWZICFpIRdo4B1" alt="In the Settings section of the Panther Console, within the Identity &#x26; Access tab, various fields like &#x22;Enable SAML&#x22;, &#x22;Audience&#x22; and &#x22;ACS Consumer URL&#x22; are shown"><figcaption></figcaption></figure>

### Step 2: Create a Microsoft Azure Enterprise Application

1. Log in to your [Azure Portal](https://portal.azure.com).
2. In the left-hand navigation bar, click **Azure Active Directory**.
3. Under **Manage**, click **Enterprise applications**.
4. Click **+ New application**, then **+ Create your own application**.
5. On the **Create your own application** screen, configure the following fields:
   * **Input name**: Enter a descriptive value, such as "Panther Console."
   * **Integrate any other application you don’t find in the gallery (Non-gallery)**: Select this radio button.
6. Click **Create**.

### Step 3: Configure your Microsoft Azure Enterprise Application

1. Within your newly created application, click **1. Assign users and groups**.
   1. Click **+ Add user/group**.
   2. Under **Users and groups**, click the **None Selected** link.
   3. Select your user(s), then click **Select**.
   4. Click **Assign**.
2. Navigate back to the Enterprise Application **Overview**, then click **2. Set up Single Sign-on**.
3. On the **Select a Single Sign-on method** screen, click **SAML**.
4. Within **Set up Single Sign-on with SAML,** make the following configurations:
   1. Under **Basic SAML Configuration**, click **Edit**, and configure the following fields:
      * **Add Identifier (Entity ID)**: Paste the **Audience** value you obtained in the Panther Console in Step 1.
      * **Add reply URL**: Paste the **ACS Consumer URL** value you obtained in the Panther Console in Step 1.
      * **Add Relay State for IdP-Initiated SSO:** If using IdP-initiated login, paste the **Relay State** value you copied from the Panther Console in Step 1. If using SP-initiated login, leave this value blank.
5. Under **Attributes & Claims**, click **Edit**.
   1. Click **+ Add new claim** and configure the following fields:
      * **Name**: Enter `PantherEmail`.
      * **Namespace**: Leave this field blank.
      * **Source**: Select the **Attribute** radio button.
      * **Source Attribute**: Select `user.mail`, the attribute Azure AD exposes for the user's primary email address. Its value becomes the user's Panther email, so it must be populated for every user you assigned to the application.
   2. Click **Save**.
   3. Click **+ Add new claim** and configure the following fields:
      * **Name**: Enter `PantherFirstName`.
      * **Namespace**: Leave this field blank.
      * **Source**: Select the **Attribute** radio button.
      * **Source Attribute**: Select `user.givenname`.
   4. Click **Save**.
   5. Click **+ Add new claim** and configure the following fields:
      * **Name**: Enter `PantherLastName`.
      * **Namespace**: Leave this field blank.
      * **Source**: Select the **Attribute** radio button.
      * **Source Attribute**: Select `user.surname`.
   6. Click **Save**.
6. Under **SAML Certificates,** next to **Federation Metadata XML,** click the **Download** link.
7. Click **Save**.

### Step 4: Configure the Panther Console with Azure AD SSO

1. Navigate back to the **Identity & Access** section in the Panther Console from Step 1. In the **Default Role** field, choose the Panther role that your new users will be assigned by default when they first log in via SSO.

{% hint style="warning" %}
Panther highly recommends not setting this value to `Admin`. Every user who signs in through SSO for the first time is provisioned with the default role, so `Admin` would grant full privileges to anyone your identity provider allows to reach the application.
{% endhint %}

2. Click the **click here** link to upload the Federation Metadata XML file you downloaded from Azure in Step 3.

<figure><img src="/files/0OCUaMPtcQQXjxo1xQY6" alt="In the Panther Console settings, there is a Default Role field and an Identity provider URL field. Below, there is a button to upload a metadata file." width="375"><figcaption></figcaption></figure>

3. Click **Save Changes**.

To test your setup, go to your Panther sign-in page and click **Login with SSO**.

<figure><img src="/files/bxgP9MzWaOacL7G5Hsit" alt="The Panther login page displays a &#x22;Login with SSO&#x22; button at the bottom."><figcaption></figcaption></figure>
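If the login fails, the quickest diagnostic is the SAMLResponse that Azure AD posts to the ACS Consumer URL: capture it from the browser's developer tools (the `SAMLResponse` form field of the POST to that URL) and compare it with the values you configured. The script below is an added example, not Panther's code. The response it embeds is constructed, and `AUDIENCE`, `ACS_URL` and the tenant ID are placeholders for the values shown in your own Panther Console. It checks structure and values only; it does not verify the signature or the validity timestamps, which Panther does itself.

```python
"""Decode a SAMLResponse posted to the ACS URL and check it against the
Panther-side values and the three claims configured in Step 3. Added example,
not Panther's code: it checks structure and values only and does not verify
the signature or timestamps. SAMPLE_RESPONSE is constructed; AUDIENCE, ACS_URL
and the tenant ID are placeholders for the values in your own Panther Console.
"""
import base64
import sys
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
REQUIRED_CLAIMS = ("PantherEmail", "PantherFirstName", "PantherLastName")

AUDIENCE = "urn:example:panther-audience"          # placeholder: Panther's Audience value
ACS_URL = "https://panther.example.com/saml/acs"   # placeholder: Panther's ACS Consumer URL
ISSUER = "https://sts.windows.net/00000000-0000-0000-0000-000000000000/"  # placeholder tenant

SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_r1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"
    Destination="{ACS_URL}" InResponseTo="_req1">
  <saml:Issuer>{ISSUER}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>{ISSUER}</saml:Issuer>
    <saml:Subject>
      <saml:NameID>alice@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{ACS_URL}" InResponseTo="_req1" NotOnOrAfter="2024-01-01T00:05:00Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T01:00:00Z">
      <saml:AudienceRestriction><saml:Audience>{AUDIENCE}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="PantherEmail"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="PantherFirstName"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="PantherLastName"><saml:AttributeValue>Liddell</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def encode_response(xml_text: str) -> str:
    """Base64-encode XML the way it appears in the SAMLResponse form field."""
    return base64.b64encode(xml_text.encode()).decode()


SAMPLE_RESPONSE_B64 = encode_response(SAMPLE_RESPONSE)


def parse_response(saml_response_b64: str) -> dict:
    """Decode the posted value and pull out the fields Panther will check."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    assertion = root.find("saml:Assertion", NS)
    claims, audiences, scd = {}, [], None
    if assertion is not None:
        for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
            claims[a.get("Name", "")] = [v.text or "" for v in a.findall("saml:AttributeValue", NS)]
        audiences = [a.text for a in assertion.findall(
            "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
        scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    return {
        "status": None if status is None else status.get("Value"),
        "destination": root.get("Destination"),
        "in_response_to": root.get("InResponseTo"),
        "encrypted": root.find("saml:EncryptedAssertion", NS) is not None,
        "recipient": None if scd is None else scd.get("Recipient"),
        "audiences": audiences,
        "claims": claims,
    }


def check_response(saml_response_b64, audience, acs_url, sp_initiated=True) -> list:
    """Return the mismatches a Panther login would hit; an empty list means it lines up."""
    r = parse_response(saml_response_b64)
    problems = []
    if r["status"] != SUCCESS:
        problems.append(f"IdP returned status {r['status']}")
    if r["encrypted"]:
        problems.append("assertion is encrypted; claims cannot be inspected without the SP key")
    if r["destination"] != acs_url:
        problems.append(f"Destination {r['destination']!r} != ACS Consumer URL")
    if r["recipient"] != acs_url:
        problems.append(f"Recipient {r['recipient']!r} != ACS Consumer URL")
    if audience not in r["audiences"]:
        problems.append(f"Audience {r['audiences']} does not contain {audience!r}")
    if sp_initiated and not r["in_response_to"]:
        problems.append("no InResponseTo: unsolicited (IdP-initiated) response to an SP-initiated login")
    for name in REQUIRED_CLAIMS:
        # A Namespace set in Azure AD is prepended to the claim name, so the exact match fails.
        if not any(r["claims"].get(name, [])):
            problems.append(f"claim {name!r} missing or empty; got {sorted(r['claims'])}")
    return problems


if __name__ == "__main__":
    blob = open(sys.argv[1]).read().strip() if len(sys.argv) > 1 else SAMPLE_RESPONSE_B64
    for line in check_response(blob, AUDIENCE, ACS_URL) or ["response matches Panther's settings"]:
        print(line)
```

Save the captured base64 value to a file and run `python check_saml_response.py response.b64`. A claim reported missing while Azure AD shows it configured usually means a **Namespace** was entered in Step 3, which Azure AD prepends to the claim name; an `InResponseTo` problem means the response was unsolicited, which is what an IdP-initiated flow produces when Panther has been configured for SP-initiated login.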
