Okta SSO

Set up Okta SSO to log in to the Panther Console


Panther supports integrating with Okta as a SAML provider to enable logging in to the Panther Console via SSO.
For more information on features, terminology, and limitations of SSO integrations with the Panther Console, see Identity & Access Integrations.

How to configure SAML SSO to the Panther Console with Okta

Obtain the Okta SSO parameters from Panther

  1. 1.
    Log in to the Panther Console.
  2. 2.
    Click the gear icon in the upper right. In the dropdown menu, click General.
  3. 3.
    Click the Identity & Access tab.
Keep this browser window open, as you will need the Audience and ACS URL values in the next steps.
In the General settings page in the Panther Console, the Identity & Access tab is shown. Various fields are visible, such as Enable SAML, Enforce Single Sign On, Default Role, Identity provider URL, Audience and ACS Consumer URL.

Create the Okta App

  1. 1.
    Log in to your Okta administrative console.
  2. 2.
    Click the Applications tab, then click Create App Integration.
    The image shows the Okta admin console. There is an arrow pointing to the Applications link in the left sidebar. In the middle of the page, there is a red circle around a button labeled Create App Integration.
  3. 3.
    Within the "Create a new app integration" modal, fill in the form to configure the new app:
    • Sign on Method: Select SAML 2.0
      In the Okta admin console, on the "Create a new app integration" page, SAML 2.0 is selected.
  4. 4.
    Click Next.
  5. 5.
    Configure the general settings:
    • App name: Add a memorable name such as "Panther Console."
    • App logo: Upload a Panther logo to help users quickly identify this app.
    • App visibility: Configure the visibility of this application for your users.
  6. 6.
    Click Next.
  7. 7.
    In the SAML Settings section, configure the following under General:
    • Single sign on URL: Enter the ACS URL you copied from the Panther Console in earlier steps of this documentation.
    • Audience: Enter the Audience you copied from the Panther Console in earlier steps of this documentation.
    In the Okta admin console's "Create SAML Integration" process, the "Configure SAML" tab is open. There is a form on the screen to configure your SAML settings.
  8. 8.
    Configure the following under Attribute Statements:
    • Name: PantherEmail, Value:
    • Name: PantherFirstName, Value: user.firstName
    • Name: PantherLastName, Value: user.lastName
      In the image, the "Attribute statements" from the Okta admin console is filled in with the values listed above.
  9. 9.
    The Group Attribute statements can be left blank. Click Next.
  10. 10.
    Click Finish.
  11. 11.
    On the next screen, navigate to SAML Setup along the right-hand side of the screen.
    In the image, the SAML Signing Certificate page in the Okta admin console is displayed. On the right side, there is a red circle around the SAML Setup information.
  12. 12.
    Click View SAML setup instructions which will open up a new browser tab.
  13. 13.
    Copy the Identity Provider Single Sign-On URL. Okta displays the URL in one of the following formats:
    • https://[OKTA_ACCT][OKTA_APP_STR]/[APP_ID]/sso/saml
    • https://okta.[OKTA_ACCT].com/app/[OKTA_APP_STR]/[APP_ID]/sso/saml
    Adjust the URL as follows in order to use it with Panther. If your domain matches the first pattern above, use the first option here; if your domain matches the second pattern above, use the second one here:
    • https://[OKTA_ACCT][APP_ID]/sso/saml/metadata
    • https://okta.[OKTA_ACCT].com/app/[APP_ID]/sso/saml/metadata
    Copy this URL as you will need it in the following steps.
  14. 14.
    Grant access to the appropriate users and groups in the Assignments tab.

Create an Okta Bookmark app

Amazon Cognito, which powers Panther's user management, does not support IdP-initiated logins. However, you can simulate an IdP-initiated flow with an Okta Bookmark app, which will allow users to click a tile in Okta to sign in to Panther.
To configure a Bookmark app for Panther:
  • Follow the instructions in the Okta Help Center: Simulate an IdP-initiated flow with the Bookmark App.
    • When you're asked to enter "the URL for your domain at the external site," use the URL of your Panther sign-in page. This is the URL that appears in your browser's URL bar when you log out of your Panther Console.

Configure Okta SAML in Panther

  1. 1.
    Navigate back to the SAML configuration you started earlier in this documentation.
  2. 2.
    Next to Enable SAML, set the toggle to ON.
  3. 3.
    In the Default Role field, choose the Panther role that your new users will be assigned by default when they first log in via SSO.
  4. 4.
    In the Identity Provider URL field, paste the metadata URL from Okta that you obtained in the previous steps of this documentation.
  5. 5.
    Click Save Changes.
To test your setup, go to your Panther sign-in page and click Login with SSO.
The Panther login page displays a "Login with SSO" button at the bottom.