Skip to main content
Last Reviewed: May 01, 2023


Learn how to use secure Single Sign-on with Pantheon.

Single sign-on (SSO) allows you to authenticate against your Identity Provider (IdP) when logging into Pantheon.

Pantheon’s flexible infrastructure does not restrict protocols or ports used for communication. There are also no outbound restrictions for traffic from Pantheon to external services.

Who is Single Sign-on for?

SSO can help organizations centrally manage their users' identities and provide seamless integration across multiple applications. Numerous Pantheon customers use an SSO solution, including:

  • Higher education institutions
  • School districts
  • Local governments
  • Other groups and organizations

How Does SSO Work?

Pantheon uses Security Assertion Markup Language (SAML) for SSO authentication. SAML is an XML-based open standard that transfers identity data between two parties, such as an identity provider (IdP) and a service provider (SP) or web application. SAML streamlines the authentication process by enabling users to access multiple, independent web applications across domains using one set of credentials.


SAML applies to an entire email domain when enabled on Pantheon. You cannot use SAML on a per-site, per-environment, or per-user basis. Refer to Members of an SSO Organization for more information on internal and external members of an SSO organization.

SAML SSO is included for customers with Diamond Accounts and is available for most Pantheon Workspaces. If you'd like to upgrade to an eligible Account, please contact Sales. Agencies interested in SAML SSO should reach out to their Partner Manager for qualification requirements. You must be part of the Pantheon Partner Program to qualify.

More Resources