SAML/SSO Integration
Panther can be integrated with SAML providers like OneLogin, Okta, and others to enable users to log in via SSO to the administrative dashboard.

Guides

Follow these step-by-step guides to enable SAML integration with one of the following:

Terminology

  • Identity Provider (IdP): The system that provides authentication credentials, such as OneLogin, Okta, and others
  • Security Assertion Markup Language (SAML): An open standard for exchanging authentication credentials
  • Service Provider (SP): The system that receives authentication credentials. In this case, Panther Enterprise
  • Single Sign-On (SSO): A central hub that allows users to share one login session with multiple services. In this context, synonymous with a SAML IdP

Features

  • SP-initiated login flow: Panther will show a special link on the login page which, when clicked, will redirect to the IdP for login
  • Auto-provisioning: Panther SAML accounts are created on the first login; they do not need to be created in advance
  • Role integration: A single Panther Role of your choice is assigned to SAML users by default, and you can change user roles after their first login
Standard password-based logins are still supported after you enable SAML integration. Users can be created and authorized in either flow.

Limitations

Panther does not support the following:
  • IdP-initiated login flow: Users cannot login from OneLogin or Okta directly, they must navigate to the Panther login page first
  • SCIM: Users deleted from the IdP are not automatically deleted from Panther (they just cannot login anymore)
  • Attribute mapping: Panther roles cannot be assigned via SAML attributes
These limitations stem from Amazon Cognito, the user management service Panther is built on.
Last modified 4d ago