Skip to main content
Identity providers allow your users to log into Pangolin and Pangolin resources using their existing accounts from external identity systems like Google, Microsoft Azure, or Okta. Instead of creating separate Pangolin accounts, users can authenticate with their familiar work or personal credentials. Here is an example using Microsoft Azure Entra ID as SSO for Pangolin:
This feature is for you if:
  • Your organization already uses an identity provider like Google Workspace, Microsoft Entra ID, Okta, or similar systems
  • You want to centralize user management and avoid maintaining separate Pangolin accounts
  • You need to control who can access Pangolin resources through your existing user directory
  • You want users to access Pangolin using their existing credentials without creating new passwords

Identity Provider Types

Organization Identity Providers

Organization identity providers are configured per organization and only apply to that specific organization. Each org can have its own identity providers, allowing for authentication methods based on the organization’s needs.
Available in Pangolin Cloud and Enterprise. Enterprise users must enable use_org_only_idp in the private config file privateConfig.yml.

Global Identity Providers

Global identity providers are managed at the server level and not the individual organization. They can apply to all or some organizations on the server. This means you must define policies per organization to map users to specific organizations and roles within those organizations.
Global identity providers are the only supported method in Pangolin Community.

Supported Identity Providers

OAuth2/OIDC

This can be used to connect to any external identity provider that supports the OpenID Connect protocol such as:
  • Authentik
  • Keycloak
  • Okta
  • Other OIDC-compliant providers

Google

Google IdP is only available in Pangolin Cloud or Pangolin Enterprise with org identity providers. See above to enable.
Easily set up Google Workspace authentication for your organization. Users can sign in with their Google accounts and access Pangolin resources using their existing Google credentials. Perfect for organizations already using Google Workspace for email, calendar, and other services.

Azure Entra ID

Azure Entra ID IdP is only available in Pangolin Cloud or Pangolin Enterprise with org identity providers. See above to enable.
Integrate with Microsoft’s enterprise identity platform to allow users to authenticate using their Azure Active Directory accounts. Ideal for organizations using Microsoft 365 or other Azure services, providing seamless single sign-on across your Microsoft ecosystem.

How to Add an Identity Provider

When using global IDPs, identity providers are created and managed via the Server Admin UI rather than the organization settings.
1

Navigate to Identity Providers

In the Pangolin organization, select the “Identity Providers” section in the sidebar.
2

Add New Provider

Click on the “Add Identity Provider” button.
3

Select Type

Select the type of identity provider you want to add (OAuth2/OIDC, Google, Azure Entra ID).
4

Set up Auto Provisioning (Optional)

Select the “Auto Provision Users” checkbox to automatically provision users and assign roles in Pangolin when they log in using an external identity provider. See Auto Provision for more information.If this is disabled, you will need to pre-provision a user in Pangolin before they can log in using an external identity provider.
5

Configure Settings

Fill in the required fields for the selected identity provider type.

Custom Login Page

You can configure a custom login page for your organization to be served at a domain of your choice. The log in page for every resource will be served at this URL. Additionally, you can visit this url to log in to the organization itself to access the Pangolin dashboard. This is particularly useful for identity providers because it creates a place for your users to go to select the identity provider of choice to access the Pangolin dashboard.

Auto Provisioning

See Auto Provision for more information on how to automatically provision users and assign orgs and roles in Pangolin when they log in using an external identity provider.