Single Sign-on (SSO)

SSO allows your organization to use its internal authentication tool to authenticate with and log in to Panopta. This guide will walk you through integrating with a generic SSO provider, such as Simple SAML. You can also find docs specifically for ADFS and Okta.

Control Panel Configuration

Navigate to the Integrations page by selecting Settings from the global navigation bar, followed by selecting Integrations. Here, you will find a Single Sign On section. Select configure on the SAML card.

General

URL Fragment

Customer-provided string that determines the login URL for your Panopta account, in the format my.panopta.com/sso/{url fragment}.

For example, if you were to enter panopta, your login URL would be my.panopta.com/sso/panopta. Alpha characters only.

Username

Field in your SAML payload that matches a user's Panopta login email. This is email for most customers.

EntityID

URL that provides your IdP metadata.

Login URL

The URL we redirect the user to when the user arrives at your Panopta SSO login.

For instance, if a user visits your Panopta SSO URL, which is built with the URL Fragment configured in step 1, the Login URL is the address we then redirect them to, where they authenticate with your SSO tool.

Login Binding

This is a colon-separated sequence of strings. For example, urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect. It is generated by your SSO tool.

Logout URL (optional)

URL to redirect the user to upon a logout request.

Logout Binding

This is a colon-separated sequence of strings. For example, urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect. It is generated by your SSO tool.

Certificate

A valid x509 certificate. Ensure it is copied without extra whitespace.

User Configuration

Auto Create Users

Leave this box unchecked if you want to require admin approval before a user can use Panopta. Once a user logs in for the first time, those selected in the User Emails select list will receive a notification email. They can follow the link in the email to grant the new user access. Until they do this, the user will not be able to access Panopta - they will merely see a splash screen when they log in.

You can view all users who are waiting for approval under the "Pending" users tab on the Users and Groups page.

If you prefer to let users immediately begin using Panopta upon login, check this box.

Default Roles

If you're automatically creating the user the first time they log in via your SSO integration, they can optionally be assigned any number of roles by default.

SSO-based Roles

If you're sending your internal roles in your SAML payload, you can map those to specific roles in Panopta.

  • In the SAML Role Field, provide the payload key that corresponds to your internal roles in your SAML payload.
  • In the SAML Role, enter the internal role you'd like to target. Please only enter one role.
  • In the Panopta roles to assign dropdown, select the roles you'd like the user to have in Panopta.

You can create as many mappings as needed.
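
Before saving the Username field and the role mappings, it helps to check them against a real payload from a test login at your IdP. The following is an added example, not Panopta's code: it reads the attributes from a SAML 2.0 assertion and previews which username and roles a planned configuration would produce, and which internal roles have no mapping. The attribute names, role names and sample assertion are constructed, and exact case-sensitive matching is an assumption.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: the attribute portion of an assertion from a test login.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="email">
      <saml:AttributeValue>alice@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>noc-oncall</saml:AttributeValue>
      <saml:AttributeValue>finance</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

def saml_attributes(assertion_xml):
    """Return {attribute name: [values]} from a SAML 2.0 assertion."""
    # Only parse payloads captured from your own IdP test login here.
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:Attribute", SAML_NS):
        values = [(v.text or "").strip()
                  for v in attr.iterfind("saml:AttributeValue", SAML_NS)]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs

def preview_login(assertion_xml, username_field, role_field, mappings):
    """Preview the username and mapped roles a payload would yield.

    mappings: {internal role: [roles to assign]}, one internal role per entry.
    """
    attrs = saml_attributes(assertion_xml)
    usernames = attrs.get(username_field, [])
    if len(usernames) != 1 or "@" not in usernames[0]:
        raise ValueError(f"{username_field!r} must carry exactly one email")
    sent = attrs.get(role_field, [])
    # Assumption: internal roles are matched exactly and case-sensitively.
    granted = sorted({r for role in sent for r in mappings.get(role, [])})
    unmapped = sorted(set(sent) - set(mappings))
    return {"username": usernames[0], "granted": granted, "unmapped": unmapped}

if __name__ == "__main__":
    plan = {"noc-oncall": ["Responder"], "noc-admin": ["Admin"]}  # hypothetical
    print(preview_login(SAMPLE_ASSERTION, "email", "groups", plan))
```

An empty granted list or an unexpected entry under unmapped points to a wrong SAML Role Field key or a role value that differs from what the IdP actually sends.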

Mixing Login Types

Sometimes it is valuable to allow non-SSO users to still log in to your company's Panopta account - especially if you leverage outside resources. To allow certain users to still log in via email and password, check the "Allow Non-SSO Login" checkbox. This option can be found by editing the user - go to Settings -> Users & Groups, then edit the desired user. The option is on the first pane.