# Okta SSO

## Overview

Panther supports integrating with Okta as a SAML provider to enable logging in to the Panther Console via SSO.

For more information on features, terminology, and limitations of SSO integrations with the Panther Console, see [Identity & Access Integrations](https://docs.panther.com/system-configuration/saml).

## How to configure SAML SSO to the Panther Console with Okta

### Step 1: Obtain the Okta SSO parameters from Panther

1. Log in to the Panther Console.
2. In the upper-right corner, click the gear icon, and then click **General**.
3. Navigate to the **Identity & Access** tab.
4. Next to **Enable SAML (Security Assertion Markup Language)**, set the toggle to `ON`.
5. If using [IdP-initiated login](https://docs.panther.com/system-configuration/saml/..#idp-initiated-vs.-sp-initiated-login), set the **Use IdP-Initiated Single Sign On (SSO)** toggle to `ON`.
6. Copy the **Audience** and **ACS Consumer URL** values and store them in a secure location. You will need them in the following steps.
   * If using IdP-initiated login, also copy the **Relay State** value.

{% hint style="info" %}
It's recommended to use [SP-initiated login](https://docs.panther.com/system-configuration/saml/..#sp-initiated-login-recommended), as it is generally considered more secure than IdP-initiated login.
{% endhint %}

<figure><img src="https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2Fgit-blob-800628a71753e4ef33d50d9bbf9231f05441120b%2FScreenshot%202025-10-10%20at%203.03.25%E2%80%AFPM.png?alt=media" alt="In the Settings section of the Panther Console, within the Identity &#x26; Access tab, various fields like &#x22;Enable SAML&#x22;, &#x22;Audience&#x22; and &#x22;ACS Consumer URL&#x22; are shown"><figcaption></figcaption></figure>

### Step 2: Create the Panther application in Okta

1. Log in to your Okta administrative console.

2. In the left-hand navigation bar, click on **Applications**, and then click **Create App Integration**.

3. Within the "Create a new app integration" screen, select **SAML 2.0** as your "Sign-in method":

   <figure><img src="https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2Fgit-blob-fe4523b56e7ae149b039df4d93c1ba6b1ce50bca%2Fimage.png?alt=media" alt=""><figcaption></figcaption></figure>

4. Click **Next**.

5. Configure the general settings:
   * **App name**: Add a memorable name such as "Panther Console."
   * **App logo**: Upload a Panther logo to help users quickly identify this app.
   * **App visibility**: Configure the visibility of this application for your users.

6. Click **Next**.

7. In the **SAML Settings** section, configure the following under **General**:

   * **Single sign-on URL**: Paste the **ACS Consumer URL** value you obtained in the Panther Console in Step 1.
   * **Audience URI (SP Entity ID)**: Paste the **Audience** value you obtained in the Panther Console in Step 1.
   * **Default RelayState**: If using IdP-initiated login, paste the **Relay State** value you copied from the Panther Console in Step 1. If using SP-initiated login, leave this value blank.

   <figure><img src="https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2Fgit-blob-98aaf036a042fbaf0e3ce7cd62804eef5820649e%2FScreenshot%202025-10-10%20at%203.38.44%E2%80%AFPM.png?alt=media" alt="&#x22;SAML Settings&#x22; section in the Okta Console with various fields like &#x22;Single sign-on URL&#x22; and &#x22;Audience URI&#x22;" width="563"><figcaption></figcaption></figure>

8. Click **Next**.

9. Click **Finish**.

10. You will be navigated to the created app's Settings page. Click the **Sign On** tab. Scroll down to the **Show legacy configuration** section. In the **Profile Attribute Statements** section, configure the following attributes:

    * **Name**: `PantherEmail`, **Value**: `user.email`
    * **Name**: `PantherFirstName`, **Value**: `user.firstName`
    * **Name**: `PantherLastName`, **Value**: `user.lastName`

    <figure><img src="https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2FlumSOO6T1oIqQADLzfDT%2FUntitled%2010.heic?alt=media&#x26;token=a5d2f0b6-bdd3-42bb-bf20-70e8f2494962" alt=""><figcaption></figcaption></figure>

    <figure><img src="https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2FYugukmHR24F8uqGom0Fn%2FUntitled%2010.png?alt=media&#x26;token=1f7aa155-b664-4b38-819e-da9528597cfc" alt=""><figcaption></figcaption></figure>

11. The Group Attribute statements can be left blank. Click **Save**.

12. In the **Settings** section, copy the **Metadata URL**. This value will be needed in Step 3.

    <figure><img src="https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2Fgit-blob-474996f7383f7eec6c58a8b65f037620c09111d0%2FScreenshot%202025-10-01%20at%201.53.28%E2%80%AFPM.png?alt=media" alt="Settings page for an Okta application with a red box around &#x22;Metadata details&#x22;" width="563"><figcaption></figcaption></figure>

13. You can now grant access to the appropriate users and groups in the **Assignments** tab.
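The following is an added example, not Panther's or Okta's code, for checking that an Okta test login actually sends the three attribute statements configured above (`PantherEmail`, `PantherFirstName`, `PantherLastName`) and that the assertion's `Audience` matches the **Audience** value copied from Panther in Step 1. It assumes only the standard SAML 2.0 assertion layout; the sample assertion, the audience `urn:example:panther-audience` and the issuer `http://www.okta.com/exkEXAMPLE` are constructed placeholders. A real assertion can be captured from a SAML-tracing browser extension during a test login and passed in place of the sample.

```python
"""Check that a SAML assertion carries the attributes Panther expects from Okta.

Added example, not Panther's or Okta's code. It reads only the standard
SAML 2.0 assertion structure; the sample assertion below is constructed.
"""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Attribute Names configured in Okta's "Profile Attribute Statements" section.
REQUIRED_ATTRIBUTES = ("PantherEmail", "PantherFirstName", "PantherLastName")

# Constructed sample assertion; the signature is omitted because this check
# only inspects the audience and attribute statement, not the XML signature.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example" Version="2.0" IssueInstant="2025-01-01T00:00:00Z">
  <saml:Issuer>http://www.okta.com/exkEXAMPLE</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">alice@example.com</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2025-01-01T00:00:00Z" NotOnOrAfter="2025-01-01T00:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>urn:example:panther-audience</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="PantherEmail"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="PantherFirstName"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="PantherLastName"><saml:AttributeValue>Example</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def extract_attributes(assertion_xml: str) -> dict:
    """Map each Attribute Name in the AttributeStatement to its list of values."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = values
    return attrs


def extract_audiences(assertion_xml: str) -> list:
    """Return every Audience listed under AudienceRestriction."""
    root = ET.fromstring(assertion_xml)
    return [a.text for a in root.findall(".//saml:AudienceRestriction/saml:Audience", NS)]


def check_assertion(assertion_xml: str, expected_audience: str) -> list:
    """Return a list of problems; an empty list means the assertion is what the
    Step 2 configuration should produce. expected_audience is the Audience
    value copied from the Panther Console in Step 1."""
    problems = []
    if expected_audience not in extract_audiences(assertion_xml):
        problems.append(f"Audience does not match the SP Entity ID {expected_audience!r}")
    attrs = extract_attributes(assertion_xml)
    for name in REQUIRED_ATTRIBUTES:
        values = attrs.get(name, [])
        if not values or not values[0].strip():
            problems.append(f"missing or empty attribute {name!r}")
    return problems


if __name__ == "__main__":
    for problem in check_assertion(SAMPLE_ASSERTION, "urn:example:panther-audience") or ["ok"]:
        print(problem)
```

A mismatched audience is the usual cause of a login that Okta reports as successful but Panther rejects, so that check comes first. The snippet deliberately does not validate the XML signature or the `NotBefore`/`NotOnOrAfter` window; it is a configuration sanity check, not a replacement for the service provider's own assertion validation.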

### Step 3: Configure Okta SAML in Panther

1. Navigate back to the **Identity & Access** section in the Panther Console from Step 1. In the **Default Role** field, choose the Panther role that your new users will be assigned by default when they first log in via SSO.

{% hint style="warning" %}
Panther highly recommends not setting this value to `Admin`.
{% endhint %}

2. Paste the **Metadata URL** value you copied at the end of Step 2 into the **Identity Provider URL** field.
3. Click **Save Changes**.

To test your setup, go to your Panther sign-in page and click **Login with SSO**.

<div data-full-width="true"><figure><img src="https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2Fgit-blob-5e5aa7beb6e3547f6c0d323432359430390a0067%2Fpanther-login-sso%20(6)%20(1).png?alt=media" alt="The Panther login page displays a &#x22;Login with SSO&#x22; button at the bottom."><figcaption></figcaption></figure></div>

### Step 4 (For SP-Initiated SSO): Create a Panther Bookmark app in Okta

{% hint style="info" %}
Service Provider (SP) initiated SSO provides a more secure alternative to IdP-initiated SSO. Okta app tiles cannot be used directly for SP-initiated login. Instead, use Okta Bookmark Apps to provide users with a seamless login experience.

If you created a Panther application tile in Okta, hide it to prevent user confusion with the Bookmark app. See the [Okta documentation for instructions on hiding applications](https://help.okta.com/oag/en-us/content/topics/access-gateway/add-app-saml-pass-thru-hide.htm).
{% endhint %}

* To configure a Bookmark app for Panther, follow the instructions in the Okta documentation: [Simulate an IdP-initiated flow with the Bookmark App](https://help.okta.com/en/prod/Content/Topics/Apps/Apps_Bookmark_App.htm).
  * When you're asked to enter "the URL for your domain at the external site," use the URL of your Panther sign-in page. This is the URL that appears in your browser's URL bar when you log out of your Panther Console.
