QUESTION

If single sign-on (SSO) is enforced in my Cloud Connected Panther instance (i.e., the Enforce Single Sign On (SSO) settings toggle is ON) and our identity provider (like Okta) goes down, how can we quickly regain access to the Panther Console without reaching out to Panther Support?

ANSWER

You can disable enforced SSO yourself using the AWS CLI. This lets you get back into the Panther Console without needing to contact Panther Support.

  1. Make sure the awscli tool is installed in your environment.

  2. Check that your AWS account has permission to run Lambda functions, specifically the panther-ops-tools function.

  3. Run the command below:

    aws lambda invoke \
      --function-name panther-ops-tools \
      --cli-binary-format raw-in-base64-out \
      --payload '{"disableSsoOnly": {}}' \
      --log-type Tail \
      output.json

This command will disable SSO enforcement, allowing you to log in with username and password credentials. Once your SSO provider is back online, you can re-enable SSO enforcement through the Panther Console.
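A zero exit code from `aws lambda invoke` only means the call reached Lambda; an error raised inside the function is reported in the `FunctionError` field of the response metadata, with the log tail base64-encoded in `LogResult`. The wrapper below is an added example, not Panther's own tooling: it runs the command from step 3 and checks that metadata. The function names and the `--run` switch are hypothetical, and it assumes nothing about the contents of `output.json`.

```shell
# Added example (not Panther's code). Function name and payload are from the page.
FUNCTION_NAME="panther-ops-tools"
PAYLOAD='{"disableSsoOnly": {}}'

# Decode the base64 LogResult that --log-type Tail adds to the invoke metadata.
decode_tail_log() {
  if [ -z "$1" ] || [ "$1" = "None" ]; then
    return 0
  fi
  printf '%s' "$1" | base64 -d 2>/dev/null || echo "(log tail not decodable)"
}

# Judge the invoke metadata. Arguments: StatusCode, FunctionError, LogResult
# as printed by --output text ("None" means the field was absent).
check_invoke_meta() {
  status=$1; func_error=$2; log_b64=$3
  if [ "$status" != "200" ]; then
    echo "invoke returned status '$status'" >&2
    return 1
  fi
  if [ -n "$func_error" ] && [ "$func_error" != "None" ]; then
    echo "function reported a $func_error error; tail of its log:" >&2
    decode_tail_log "$log_b64" >&2
    return 2
  fi
  return 0
}

# Run the page's command, then verify the function itself succeeded.
disable_sso_enforcement() {
  command -v aws >/dev/null 2>&1 || { echo "awscli not found" >&2; return 3; }
  meta=$(aws lambda invoke \
    --function-name "$FUNCTION_NAME" \
    --cli-binary-format raw-in-base64-out \
    --payload "$PAYLOAD" \
    --log-type Tail \
    --query '[StatusCode, FunctionError, LogResult]' \
    --output text \
    output.json) || { echo "invoke failed (credentials, region or permissions)" >&2; return 4; }
  read -r status func_error log_b64 <<EOF
$meta
EOF
  check_invoke_meta "$status" "$func_error" "$log_b64"
}

# Invoke only when asked, e.g.: sh disable-sso.sh --run
if [ "${1:-}" = "--run" ]; then
  disable_sso_enforcement
fi
```

A return code of 0 from `disable_sso_enforcement` means the invoke returned status 200 with no `FunctionError`; the function's own response body is still written to `output.json` for review.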