First, deploy Panther Enterprise and go to the General Settings page. Note the values for "Audience" and "ACS URL"; these are the two values Okta needs to identify Panther as the service provider:
From the Okta admin console, navigate to the Applications tab
Click "Add Application"
Click "Create New App", choose "Platform: Web", and select "Sign on method: SAML 2.0"
Click "Create" and configure the General Settings however you see fit. We recommend:
Click "Next" and configure section 2A, "SAML Settings", as follows:
Set "Single sign on URL" to the "ACS URL" and "Audience URI" to the "Audience" you noted from the Panther General Settings page earlier. Both values must match exactly: the assertion consumer checks that the response was addressed to its ACS URL and that the assertion's audience is Panther, and rejects the login otherwise. The "Group Attribute Statements" can be left blank (not shown here). Click "Next" and fill out the feedback form for Okta, linking to this documentation page if you like. Click "Finish."
Copy the "Identity Provider metadata" link shown on the next screen, under the Settings section of the "Sign On" tab:
This is the "Identity provider URL" you will need to give to Panther.
Finally, be sure to grant access to the appropriate people/groups in the "Assignments" tab.
Amazon Cognito (which powers Panther's user management) does not currently support IdP-initiated logins, meaning you cannot log in to Panther directly from Okta. However, you can simulate an IdP-initiated flow with an Okta Bookmark app: end users click a chiclet in Okta, the bookmark opens Panther's login page, and the "Login with SSO" button sends them back to Okta for the actual (SP-initiated) authentication. To configure a Bookmark app for Panther, follow the instructions in the Okta docs.
From the Panther settings page, enable SAML, pick a default Panther role (prefer the least-privileged role that suits most of your users, and elevate individuals afterwards), and paste the Okta metadata URL you just copied:
Click "Save" and then you're done! Now, clicking the "Login with SSO" button will redirect you to Okta:
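Before pasting the metadata URL into Panther, it is worth confirming that the link really serves IdP metadata and that the values you typed into Okta line up with what Panther shows. The script below is an added example, not Panther's or Okta's code: it parses an Okta-style IdP metadata document (entityID, SSO endpoints, signing certificate) and then checks a SAML Response against the Panther "ACS URL" and "Audience" values, which is the same set of checks (Destination, Issuer, Recipient, Audience, expiry) that make a mismatched Okta app fail at login. The metadata, the certificate bytes, the URLs, the Cognito-style identifiers and the SAML Response are all constructed sample data, and the script does not verify the XML signature (Cognito does that; use a SAML library if you need it here).

```python
"""Sanity-check Okta IdP metadata and a SAML Response against Panther's
"ACS URL" and "Audience" values. Added example, not Panther/Okta code;
all URLs, IDs, the certificate and the response are constructed samples."""
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed: what Panther's General Settings page would show (Cognito-style values).
PANTHER_ACS_URL = "https://panther-example.auth.us-east-1.amazoncognito.com/saml2/idpresponse"
PANTHER_AUDIENCE = "urn:amazon:cognito:sp:us-east-1_EXAMPLE"

# Constructed: minimal Okta-style IdP metadata. The cert is a placeholder DER SEQUENCE, not a real cert.
FAKE_CERT_B64 = base64.b64encode(b"\x30\x03\x02\x01\x00").decode()
IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" entityID="http://www.okta.com/exkEXAMPLE">
  <md:IDPSSODescriptor protocolSupportEnumeration="{NS['samlp']}">
    <md:KeyDescriptor use="signing"><ds:KeyInfo xmlns:ds="{NS['ds']}">
      <ds:X509Data><ds:X509Certificate>{FAKE_CERT_B64}</ds:X509Certificate></ds:X509Data>
    </ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://example.okta.com/app/example_panther_1/exkEXAMPLE/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed: a SAML Response as Okta would POST it to the ACS URL (signature omitted).
SAML_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" ID="_r1"
    Version="2.0" IssueInstant="2024-01-01T12:00:00Z" Destination="{PANTHER_ACS_URL}">
  <saml:Issuer>http://www.okta.com/exkEXAMPLE</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
    <saml:Issuer>http://www.okta.com/exkEXAMPLE</saml:Issuer>
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2024-01-01T12:05:00Z" Recipient="{PANTHER_ACS_URL}"/>
      </saml:SubjectConfirmation></saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T11:55:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>{PANTHER_AUDIENCE}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def parse_ts(value):
    """SAML timestamps are UTC ISO 8601 with a trailing Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_idp_metadata(xml_text):
    """Return entityID, SSO endpoints by binding and DER signing certs, or raise if not IdP metadata."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("document is not a SAML EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is SP metadata or not SAML metadata at all")
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") not in (None, "signing"):  # encryption-only keys do not sign assertions
            continue
        for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            der = base64.b64decode("".join(c.text.split()))
            if not der.startswith(b"\x30"):  # DER certificate is an ASN.1 SEQUENCE
                raise ValueError("X509Certificate does not decode to DER")
            certs.append(der)
    sso = {s.get("Binding").rsplit(":", 1)[-1]: s.get("Location")
           for s in idp.findall("md:SingleSignOnService", NS)}
    return {"entity_id": root.get("entityID"), "sso": sso, "signing_certs": certs}


def check_response(response_xml, idp, acs_url, audience, now=None):
    """Return a list of mismatches between the response and Panther's values (empty list = OK)."""
    now = parse_ts(now) if now else datetime.now(timezone.utc)
    problems = []
    resp = ET.fromstring(response_xml)
    if resp.get("Destination") != acs_url:
        problems.append(f"Destination {resp.get('Destination')!r} != Panther ACS URL")
    issuer = resp.findtext("saml:Issuer", namespaces=NS)
    if issuer != idp["entity_id"]:
        problems.append(f"Issuer {issuer!r} != metadata entityID {idp['entity_id']!r}")
    assertion = resp.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["no plaintext Assertion (encrypted or missing)"]
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != acs_url:
        problems.append("SubjectConfirmationData Recipient != Panther ACS URL")
    audiences = [a.text for a in assertion.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if audience not in audiences:
        problems.append(f"Audience {audiences!r} does not include Panther audience {audience!r}")
    cond = assertion.find("saml:Conditions", NS)
    expiry = cond.get("NotOnOrAfter") if cond is not None else None
    if expiry is None or parse_ts(expiry) <= now:
        problems.append(f"assertion expired or has no NotOnOrAfter ({expiry})")
    return problems


if __name__ == "__main__":
    idp = parse_idp_metadata(IDP_METADATA)
    print("IdP:", idp["entity_id"], "SSO:", idp["sso"], "certs:", len(idp["signing_certs"]))
    print("problems:", check_response(SAML_RESPONSE, idp, PANTHER_ACS_URL, PANTHER_AUDIENCE,
                                      now="2024-01-01T12:01:00Z"))
```

Against a real tenant, replace `IDP_METADATA` with the body fetched over HTTPS from the "Identity Provider metadata" link (for example `urllib.request.urlopen(url).read()`), and capture a SAML Response from the browser's network tab (base64-decode the `SAMLResponse` form field) after clicking "Login with SSO". A non-empty problem list points at the Okta field that was typed wrong: `Destination`/`Recipient` problems mean the "Single sign on URL" is not Panther's ACS URL, an `Audience` problem means the "Audience URI" is not Panther's Audience.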