Knowledge BaseRelease NotesRequest Demo

Okta SSO

Set up Okta SSO to log in to the Panther Console

Overview

Panther supports integrating with Okta as a SAML provider to enable logging in to the Panther Console via SSO.

For more information on features, terminology, and limitations of SSO integrations with the Panther Console, see Identity & Access Integrations.

How to configure SAML SSO to the Panther Console with Okta

Step 1: Obtain the Okta SSO parameters from Panther

  1. Log in to the Panther Console.

  2. In the upper-right corner, click the gear icon, and then click General.

  3. Navigate to the Identity & Access tab.

  4. Next to Enable SAML (Security Assertion Markup Language), set the toggle to ON.

  5. (Optional) If using IdP-initiated login, set the Use IdP-Initiated Single Sign On (SSO) toggle to ON.

  6. Copy the the Audience and ACS Consumer URL values and store them in a secure location. You will need them in the following steps.

    • If using IdP-initiated login, also copy the Relay State value.

It's recommended to use SP-initiated login, as it is generally considered more secure than IdP-initiated login.

In the Settings section of the Panther Console, within the Identity & Access tab, various fields like "Enable SAML", "Audience" and "ACS Consumer URL" are shown

Step 2: Create the Panther application in Okta

  1. Log in to your Okta administrative console.

  2. In the left-hand navigation bar, click on Applications, and then click Create App Integration.

  3. Within the "Create a new app integration" screen, select SAML 2.0 as your "Sign-in method":

  4. Click Next.

  5. Configure the general settings:

    • App name: Add a memorable name such as "Panther Console."

    • App logo: Upload a Panther logo to help users quickly identify this app.

    • App visibility: Configure the visibility of this application for your users.

  6. Click Next.

  7. In the SAML Settings section, configure the following under General:

    • Single sign-on URL: Paste the ACS Consumer URL value you obtained in the Panther Console in Step 1.

    • Audience URI (SP Entity ID): Paste the Audience value you obtained in the Panther Console in Step 1.

    • (Optional) Default RelayState: If using IdP-initiated login, paste the Relay State value you copied from the Panther Console in Step 1. If using SP-initiated login, leave this value blank.

    "SAML Settings" section in the Okta Console with various fields like "Single sign-on URL" and "Audience URI"

  8. Scroll down to the Attribute Statements section. Configure the following attributes:

    • Name: PantherEmail, Value: user.email

    • Name: PantherFirstName, Value: user.firstName

    • Name: PantherLastName, Value: user.lastName

    Attribute statements in Okta with three Panther defined attributes added

  9. The Group Attribute statements can be left blank. Click Next.

  10. Click Finish.

  11. In the Settings section, copy the Metadata URL. This value will be needed in Step 3.

    Settings page for an Okta application with a red box around "Metadata details"

  12. You can now grant access to the appropriate users and groups in the Assignments tab.

Step 3: Configure Okta SAML in Panther

  1. Navigate back to the Identity & Access section in the Panther Console from Step 1. In the Default Role field, choose the Panther role that your new users will be assigned by default when they first log in via SSO.

    Panther highly recommends not setting this value to Admin.

  2. Paste the Metadata URL value you copied at the end of Step 2 into the Identity Provider URL field.

  3. Click Save Changes.

To test your setup, go to your Panther sign-in page and click Login with SSO.

The Panther login page displays a "Login with SSO" button at the bottom.

Step 4 (For SP-Initiated SSO): Create a Panther Bookmark app in Okta

Service Provider (SP) initiated SSO provides a more secure alternative to IdP-initiated SSO. Okta app tiles cannot be used directly for SP-initiated login. Instead, use Okta Bookmark Apps to provide users with a seamless login experience.

If you created a Panther application tile in Okta, hide it to prevent user confusion with the Bookmark app. See the Okta documentation for instructions on hiding applications.

  • To configure a Bookmark app for Panther, follow the instructions in the Okta documentation: Simulate an IdP-initiated flow with the Bookmark App.

    • When you're asked to enter "the URL for your domain at the external site," use the URL of your Panther sign-in page. This is the URL that appears in your browser's URL bar when you log out of your Panther Console.

PreviousG Suite SSONextOkta SCIM

Last updated

Was this helpful?