# Okta SSO

## Overview

Panther supports integrating with Okta as a SAML provider to enable logging in to the Panther Console via SSO.

For more information on features, terminology, and limitations of SSO integrations with the Panther Console, see [Identity & Access Integrations](https://docs.panther.com/~/changes/15ann7vKLltCCAGHtdQr/system-configuration/saml).

## How to configure SAML SSO to the Panther Console with Okta

### Obtain the Okta SSO parameters from Panther

1. Log in to the Panther Console.
2. Click the gear icon in the upper right. In the dropdown menu, click **General**.
3. Click the **Identity & Access** tab.

Keep this browser window open, as you will need the **Audience** and **ACS URL** values in the next steps.

<figure><img src="https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2FHnI9usRzdr41TwMmqfwe%2FScreenshot%202023-06-16%20at%202.47.34%20PM.png?alt=media&#x26;token=c70a418d-b38a-43f5-901b-c642e82f29c2" alt="In the General settings page in the Panther Console, the Identity &#x26; Access tab is shown. Various fields are visible, such as Enable SAML, Enforce Single Sign On, Default Role, Identity provider URL, Audience and ACS Consumer URL."><figcaption></figcaption></figure>

### Create the Okta App

1. Log in to your Okta administrative console.
2. Click the **Applications** tab, then click **Create App Integration**.

   ![The image shows the Okta admin console. There is an arrow pointing to the Applications link in the left sidebar. In the middle of the page, there is a red circle around a button labeled Create App Integration.](https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2FdX6Uh55kwnaaedGKY8K8%2FScreen%20Shot%202022-06-24%20at%2010.52.46%20AM.png?alt=media\&token=6ef0f084-10f6-4ab0-a3ef-11fb947d692d)
3. Within the "Create a new app integration" modal, fill in the form to configure the new app:
   * **Sign on Method**: Select SAML 2.0\
     ![In the Okta admin console, on the "Create a new app integration" page, SAML 2.0 is selected.](https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2FwPOXhUXrcXxMDkNCrQOU%2Fimage.png?alt=media\&token=f6eca79e-4d25-45c2-a9dc-e3c2fed85146)
4. Click **Next**.
5. Configure the general settings:
   * **App name**: Add a memorable name such as "Panther Console."
   * **App logo**: Upload a Panther logo to help users quickly identify this app.
   * **App visibility**: Configure the visibility of this application for your users.
6. Click **Next**.
7. In the *SAML Settings* section, configure the following under **General**:

   * **Single sign on URL**: Enter the **ACS URL** you copied from the Panther Console in earlier steps of this documentation.
   * **Audience**: Enter the **Audience** you copied from the Panther Console in earlier steps of this documentation.

   ![In the Okta admin console's "Create SAML Integration" process, the "Configure SAML" tab is open. There is a form on the screen to configure your SAML settings.](https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2FKSIMG6wNIDbjYPGbAm5s%2Fimage.png?alt=media\&token=7ca89454-ba94-49c8-bd72-fad33ec104e0)
8. Configure the following under **Attribute Statements**:
   * **Name**: `PantherEmail`, **Value**: `user.email`
   * **Name**: `PantherFirstName`, **Value**: `user.firstName`
   * **Name**: `PantherLastName`, **Value**: `user.lastName`\
     ![In the image, the "Attribute statements" from the Okta admin console is filled in with the values listed above.](https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2F1GdBTp4OKTY4x1oiZS6Z%2Fimage.png?alt=media\&token=ea77550b-f73b-4635-9417-25b16fd2820e)
9. The Group Attribute statements can be left blank. Click **Next**.
10. Click **Finish**.
11. On the next screen, navigate to **SAML Setup** along the right-hand side of the screen.

    ![In the image, the SAML Signing Certificate page in the Okta admin console is displayed. On the right side, there is a red circle around the SAML Setup information.](https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2FYPUcUtVDoKmKhwb5NSOp%2FScreen%20Shot%202022-06-24%20at%2011.12.08%20AM.png?alt=media\&token=d88fadb5-468b-49bf-998f-f2ce192fb228)
12. Click **View SAML setup instructions**; the instructions open in a new browser tab.
13. Copy the **Identity Provider Single Sign-On URL**. Okta displays the URL in one of the following formats:

    * `https://[OKTA_ACCT].okta.com/app/[OKTA_APP_STR]/[APP_ID]/sso/saml`
    * `https://okta.[OKTA_ACCT].com/app/[OKTA_APP_STR]/[APP_ID]/sso/saml`

    Adjust the URL for use with Panther by removing the `[OKTA_APP_STR]` path segment and appending `/metadata`. If your URL matches the first pattern above, the result takes the first form below; if it matches the second pattern, it takes the second form:

    * `https://[OKTA_ACCT].okta.com/app/[APP_ID]/sso/saml/metadata`
    * `https://okta.[OKTA_ACCT].com/app/[APP_ID]/sso/saml/metadata`

    Copy this URL as you will need it in the following steps.
14. Grant access to the appropriate users and groups in the **Assignments** tab.
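As an added example, not Panther's or Okta's own code, the following Python helper derives the metadata URL from either of the two Okta SSO URL patterns listed above and, going one step beyond the page, sanity-checks the metadata that URL returns for an HTTP-POST sign-on endpoint and a published signing certificate (standard SAML 2.0 metadata fields). The sample metadata, the `acme` host names and the `EXAMPLE_APP_ID` value are constructed placeholders.

```python
import re
import xml.etree.ElementTree as ET

# Hypothetical helper, not Panther's or Okta's code. Accepts only the two URL
# shapes the steps above list and drops the [OKTA_APP_STR] path segment.
_SSO_URL = re.compile(
    r"^https://(?P<host>[A-Za-z0-9-]+\.okta\.com|okta\.[A-Za-z0-9.-]+)"
    r"/app/[^/]+/(?P<app_id>[^/]+)/sso/saml/?$"
)

def okta_metadata_url(sso_url: str) -> str:
    """Rewrite the Identity Provider Single Sign-On URL into the metadata URL
    that goes into Panther's Identity Provider URL field."""
    m = _SSO_URL.match(sso_url.strip())
    if m is None:
        raise ValueError(f"not an Okta SAML SSO URL in a supported format: {sso_url!r}")
    return f"https://{m['host']}/app/{m['app_id']}/sso/saml/metadata"

_NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
_HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

def check_idp_metadata(xml_text: str) -> dict:
    """Extract entityID, the HTTP-POST SSO endpoint and the number of signing
    certificates from IdP metadata, so a misconfigured URL is caught before saving."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", _NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")
    sso = [s.get("Location") for s in idp.findall("md:SingleSignOnService", _NS)
           if s.get("Binding") == _HTTP_POST]
    signing = [k for k in idp.findall("md:KeyDescriptor", _NS)
               if k.get("use", "signing") == "signing"]  # no 'use' means both uses
    return {"entity_id": root.get("entityID"),
            "sso_post_url": sso[0] if sso else None,
            "signing_certs": len(signing)}

# Constructed sample of what the metadata URL returns; all values are placeholders.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://www.okta.com/EXAMPLE_APP_ID">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data><ds:X509Certificate>PLACEHOLDER_CERT</ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://acme.okta.com/app/acme_panther_1/EXAMPLE_APP_ID/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""
```

Fetching the real metadata URL with an HTTP client and passing the body to `check_idp_metadata` confirms that the URL you paste into Panther resolves to the intended Okta app and that its signing certificate is present.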

### Create an Okta Bookmark app

Amazon Cognito, which powers Panther's user management, does not support IdP-initiated logins. However, you can simulate an IdP-initiated flow with an Okta Bookmark app, which will allow users to click a tile in Okta to sign in to Panther.

To configure a Bookmark app for Panther:

* Follow the instructions in the Okta Help Center: [Simulate an IdP-initiated flow with the Bookmark App](https://help.okta.com/en/prod/Content/Topics/Apps/Apps_Bookmark_App.htm).
  * When you're asked to enter "the URL for your domain at the external site," use the URL of your Panther sign-in page. This is the URL that appears in your browser's URL bar when you log out of your Panther Console.

### Configure Okta SAML in Panther

1. Navigate back to the [SAML configuration](#obtain-the-okta-sso-parameters-from-panther) you started earlier in this documentation.
2. Next to **Enable SAML**, set the toggle to **ON**.
3. In the **Default Role** field, choose the Panther role that your new users will be assigned by default when they first log in via SSO.
4. In the **Identity Provider URL** field, paste the metadata URL from Okta that you obtained in the previous steps of this documentation.
5. Click **Save Changes**.

To test your setup, go to your Panther sign-in page and click **Login with SSO**.

<figure><img src="https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LgdiSWdyJcXPahGi9Rs%2Fsync%2F5e5aa7beb6e3547f6c0d323432359430390a0067.png?generation=1595575925999900&#x26;alt=media" alt="The Panther login page displays a &#x22;Login with SSO&#x22; button at the bottom."><figcaption></figcaption></figure>
