Identity & Access Integrations
Panther can be integrated with various SAML providers to allow users to log in to the Panther Console via Single Sign-On (SSO). Once an SSO provider has been configured, it can optionally be enforced for all users of your instance.
Guides
Follow these step-by-step guides to configure a SAML integration with one of the following identity providers (IdP):
Terminology
Identity Provider (IdP): The system that provides authentication credentials, such as OneLogin, Okta, and others.
Service Provider (SP): The system that receives authentication credentials. In this case, Panther.
Security Assertion Markup Language (SAML): An open standard for exchanging authentication credentials.
Single Sign-On (SSO): A central hub that allows users to share one login session with multiple services. In this context, synonymous with a SAML IdP.
Features
SP-initiated login flow: Panther shows a Login with SSO link on its login page which, when clicked, redirects the user to the IdP for authentication and then back to Panther
IdP-initiated login flow: Users can log in from the IdP's portal directly
Auto-provisioning: Panther SAML accounts are created on the first login; they do not need to be created in advance
Role integration: A single Panther Role of your choice is assigned to SAML users by default, and you can change a user's role after their first login
Enforce Single Sign-On: SSO can be enforced for your instance of Panther.
Standard password-based logins are still supported after you enable SAML integration, unless you enforce SSO (see How to enforce SSO below). Users can be created and authorized in either flow.
Limitations
Panther does not support the following:
SCIM: Users deleted from the IdP are not automatically deleted from Panther. They can no longer log in, but the Panther user record and its assigned role remain until an Admin removes the user manually, so include Panther in your offboarding checklist.
Attribute mapping: Panther roles cannot be assigned via SAML attributes
These limitations stem from Amazon Cognito, the user management service Panther is built on.
IdP-initiated vs. SP-initiated login
Panther supports both IdP-initiated and SP-initiated login flows.
SP-initiated login (recommended)
In SP-initiated login, users start the authentication process from Panther's login page. When a user clicks Login with SSO, Panther redirects them to your IdP for authentication, then returns them to Panther after successful login.
SP-initiated login is generally considered more secure because it protects against login CSRF attacks: Panther issues each authentication request with a unique ID tied to the browser session that started it, and it only accepts a SAML Response that answers that request (the Response's InResponseTo must match a request Panther is still waiting on). An attacker therefore cannot take a Response for their own account and force a victim's browser to submit it, because the victim's session never asked for that login.
IdP-initiated login
In IdP-initiated login, users start from your IdP's portal or dashboard and click a link to access Panther directly. This can be convenient for users who access multiple applications from a central portal. The trade-off is that the SAML Response arrives unsolicited, with no request ID for Panther to match it against, so the login CSRF protection described above does not apply to this flow.
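The following added example, which is illustrative code and not Panther's own implementation, shows the check behind the two preceding sections. A toy service provider mints an AuthnRequest ID for a browser session, accepts only a Response whose InResponseTo matches a pending request from that same session (single use, with an expiry and an audience check), and optionally accepts unsolicited Responses the way an IdP-initiated flow must. The login CSRF scenario is then run against both settings. Entity IDs, session cookies, NameIDs and the unsigned Response XML are all constructed for the example; XML signature verification, which a real SP must perform before any of these checks, is deliberately left out.

```python
"""Toy SAML service provider: binding a Response to the login the SP started."""
import secrets
import time
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SP_ENTITY_ID = "https://panther.example.invalid/saml"  # assumed SP entity ID
IDP_ENTITY_ID = "https://idp.example.invalid"           # assumed IdP entity ID


class LoginRejected(Exception):
    """Raised when a Response cannot be accepted for the presenting session."""


class ServiceProvider:
    def __init__(self, entity_id, allow_unsolicited=False, ttl_seconds=300):
        self.entity_id = entity_id
        self.allow_unsolicited = allow_unsolicited  # True models IdP-initiated login
        self.ttl_seconds = ttl_seconds
        self.pending = {}  # AuthnRequest ID -> (browser session, time issued)

    def start_login(self, session_id):
        """SP-initiated step 1: mint an unguessable request ID tied to this session.
        (A real SP would also build, sign and redirect the AuthnRequest to the IdP.)"""
        request_id = "_" + secrets.token_hex(16)
        self.pending[request_id] = (session_id, time.time())
        return request_id

    def consume_response(self, session_id, response_xml, now=None):
        """Assertion Consumer Service: return the NameID or raise LoginRejected.
        Signature verification is omitted here; it must come first in real code."""
        now = time.time() if now is None else now
        root = ET.fromstring(response_xml)
        if root.tag != f"{{{SAMLP}}}Response":
            raise LoginRejected("not a samlp:Response")

        in_response_to = root.get("InResponseTo")
        if in_response_to is None:
            # Unsolicited Response: nothing ties it to the browser that delivered it.
            if not self.allow_unsolicited:
                raise LoginRejected("unsolicited Response: this session started no login")
        else:
            entry = self.pending.pop(in_response_to, None)  # single use blocks replay
            if entry is None:
                raise LoginRejected("InResponseTo matches no pending request")
            owner, issued_at = entry
            if owner != session_id:
                raise LoginRejected("Response answers a request from another session")
            if now - issued_at > self.ttl_seconds:
                raise LoginRejected("pending request expired")

        audience = root.find(f".//{{{SAML}}}Audience")
        if audience is None or audience.text != self.entity_id:
            raise LoginRejected("assertion is not addressed to this SP")
        name_id = root.find(f".//{{{SAML}}}NameID")
        if name_id is None or not name_id.text:
            raise LoginRejected("assertion carries no NameID")
        return name_id.text


def build_response(name_id, audience=SP_ENTITY_ID, in_response_to=None):
    """Constructed, unsigned samlp:Response standing in for what an IdP would POST."""
    irt = f' InResponseTo="{in_response_to}"' if in_response_to else ""
    return (
        f'<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
        f'ID="_{secrets.token_hex(8)}" Version="2.0"{irt}>'
        f"<saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>"
        f"<saml:Assertion><saml:Subject><saml:NameID>{name_id}</saml:NameID></saml:Subject>"
        f"<saml:Conditions><saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience>"
        f"</saml:AudienceRestriction></saml:Conditions></saml:Assertion></samlp:Response>"
    )


def try_login(sp, session_id, response_xml):
    """Return the NameID the session is logged in as, or None if the SP rejected it."""
    try:
        return sp.consume_response(session_id, response_xml)
    except LoginRejected:
        return None


def login_csrf_outcome(allow_unsolicited):
    """Login CSRF: the victim's browser is made to POST a Response the attacker
    obtained for the attacker's own account via an IdP-initiated login."""
    sp = ServiceProvider(SP_ENTITY_ID, allow_unsolicited=allow_unsolicited)
    attacker_response = build_response("attacker@example.invalid")  # no InResponseTo
    return try_login(sp, "victim-session-cookie", attacker_response)


if __name__ == "__main__":
    sp = ServiceProvider(SP_ENTITY_ID)
    rid = sp.start_login("alice-session-cookie")
    ok = build_response("alice@example.invalid", in_response_to=rid)
    print("SP-initiated login:", try_login(sp, "alice-session-cookie", ok))
    print("login CSRF, unsolicited rejected:", login_csrf_outcome(False))
    print("login CSRF, unsolicited allowed:", login_csrf_outcome(True))
```

With `allow_unsolicited=False` the forged login fails because the victim's session has no pending request; with it set to `True` the victim's browser ends up holding a session for the attacker's account, which is the login CSRF the SP-initiated flow prevents. The single-use `pending` entry also rejects a replayed Response and one answering a request that a different browser started.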
How to enforce SSO
Enforcing SSO means users of your Panther instance will be required to log in using the configured SAML provider. Users will no longer be able to log in with username and password credentials.
Note the following prerequisites for enforcing SSO:
A SAML integration must be successfully set up.
Only users with the Admin role may perform this action.
To enforce SSO for your Panther instance:
Log into your Panther Console.
Click the gear icon in the upper right corner > General > Identity & Access.
Toggle Enforce Single Sign On (SSO) to ON.
Click Save Changes.
Enforced SSO break glass
Only users with the Admin role can enforce or disable SSO. Because enforcing SSO disables password logins, make sure at least one user who signs in through the SAML provider holds the Admin role before you turn enforcement on; otherwise no one will be able to turn it off again. If SSO is enforced and you'd like to disable it (e.g., if there's an issue with your SSO integration), but none of your instance's users have the Admin role assigned, please reach out to your Panther support team.
After Panther support disables the Enforce Single Sign On setting, you can log in with username and password credentials, then toggle Enforce Single Sign On back on when you're ready.