Azure Active Directory SSO

Overview

Panther supports integrating with Azure Active Directory as a SAML provider to enable logging in to the Panther Console via SSO.

For more information on features, terminology, and limitations of SSO integrations with the Panther Console, see Identity & Access Integrations.

How to configure SAML SSO to the Panther Console with Azure Active Directory

Step 1: Obtain the Azure Active Directory SSO parameters from Panther

1. Log in to the Panther Console.

2. In the upper-right corner, click the gear icon, and then click General.

3. Navigate to the Identity & Access tab.

4. Next to Enable SAML (Security Assertion Markup Language), set the toggle to ON.

5. (Optional) If using IdP-initiated login, set the Use IdP-Initiated Single Sign On (SSO) toggle to ON.

6. Copy the the Audience and ACS Consumer URL values and store them in a secure location. You will need them in the following steps.

   • If using IdP-initiated login, also copy the Relay State value.

Step 2: Create a Microsoft Azure Enterprise Application

1. Log in to your Azure Portal.

2. In the left-hand navigation bar, click Azure Active Directory.

3. Under Manage, click Enterprise applications.

4. Click + New application, then + Create your own application.

5. On the Create your own application screen, configure the following fields:

   • Input name: Enter a descriptive value, such as "Panther Console."

   • Integrate any other application you don’t find in the gallery (Non-gallery): Select this radio button.

6. Click Create.

Step 3: Configure your Microsoft Azure Enterprise Application

1. Within your newly created application, click 1. Assign users and groups.

   1. Click + Add user/group.

   2. Under Users and groups, click the None Selected link.

   3. Select your user(s), then click Select.

   4. Click Assign.

2. Navigate back to the Enterprise Application Overview, then click 2. Set up Single Sign-on.

3. On the Select a Single Sign-on method screen, click SAML.

4. Within Set up Single Sign-on with SAML, make the following configurations:

   1. Under Basic SAML Configuration, click Edit, and configure the following fields:

      • Add Identifier (Entity ID): Paste the Audience value you obtained in the Panther Console in Step 1.

      • Add reply URL: Paste the ACS Consumer URL value you obtained in the Panther Console in Step 1.

      • (Optional) Add Relay State for IdP-Initiated SSO: If using IdP-initiated login, paste the Relay State value you copied from the Panther Console in Step 1. If using SP-initiated login, leave this value blank.

5. Under Attributes & Claims, click Edit.

   1. Click + Add new claim and configure the following fields:

      • Name: Enter PantherEmail.

      • Namespace: Leave this field blank.

      • Source: Select the Attribute radio button.

      • Source Attribute: Select user.email.

   2. Click Save.

   3. Click + Add new claim and configure the following fields:

      • Name: Enter PantherFirstName.

      • Namespace: Leave this field blank.

      • Source: Select the Attribute radio button..

      • Source Attribute: Select user.givenname.

   4. Click Save.

   5. Click + Add new claim and configure the following fields:

      • Name: Enter PantherLastName.

      • Namespace: Leave this field blank.

      • Source: Select the Attribute radio button..

      • Source Attribute: Select user.surname.

   6. Click Save.

6. Under SAML Certificates, next to Federation Metadata XML, click the Download link.

7. Click Save.

Step 4: Configure the Panther Console with Azure AD SSO

1. Navigate back to the Identity & Access section in the Panther Console from Step 1. In the Default Role field, choose the Panther role that your new users will be assigned by default when they first log in via SSO.

   Panther highly recommends not setting this value to Admin.

2. Click click here to upload the metadata file you downloaded from Azure.

1. Click Save Changes.

To test your setup, go to your Panther sign-in page and click Login with SSO.