Why does Panther create separate user accounts for SSO and password-based logins, and how do I manage them?

Last updated: May 15, 2026

QUESTION

After integrating Panther with SSO, I can see that Panther has created a separate user to track the SSO login alongside the existing password-based (credentialed) login. Is there a way to merge these users?

ANSWER

This is expected behaviour. Panther treats SSO and password-based accounts as separate identities under the hood (via AWS Cognito), and they cannot be merged into a single account.

To clean up the duplicate, sign in with an admin account, navigate to Settings > Users, and delete the password-based user. Note, however, that it is not possible to delete all non-SAML user accounts in Panther: at least one admin-level non-SAML user must be retained to prevent a complete lockout in the event of an SSO misconfiguration.

To prevent password-based logins going forward, you can enable "Enforce SSO" under Settings > General.