Already have Single Sign-On configured and looking to control user and role provisioning or make Single Sign-On mandatory? Jump to this article to learn more.

Step 1: Create an Azure Active Directory (AAD) Application

First, you'll want to create a Non-gallery Enterprise application in AAD to enable service provider SAML single sign-on settings.

Step 2: Configure the Azure Active Directory (AAD) Application

Next, you'll need to fill out the following fields to enable SAML 2.0 SSO to Red Canary. This is the Service Provider configuration on the Identity Provider (AAD) side of the SAML connection.

  • Choose SAML-based Sign-on.
  • Set SAML Version to 2.0.
  • Set Identifier to the value listed in the Red Canary SSO configuration's Entity / Issuer value.
  • Set Reply URL to https://<your domain>
  • Set User Identifier to user.mail
  • Configure SAML Token Attributes. The values for these attributes are specific to your Active Directory configuration and may not match the picture below.

    You MUST provide LastName, FirstName, and Email WITHOUT any "Namespace" specified.
  • Download the SAML signing certificate from AAD and convert the cert to Base64 encoded text for uploading to Red Canary.
  • Click Configure Red Canary Portal

Step 3: Prepare to configure Red Canary

For the next step, you'll need to copy the following AAD Identity Provider information for entry into Red Canary's SSO configuration.  Note that these values will be different for every Active Directory Identity provider.

Step 4: Configure Red Canary

Head over to your Red Canary portal and navigate to Profile > Single Sign-On

  • Paste the Base64 encoded signing certificate information you downloaded from AAD into the Identity Provider x509 Cert field.
  • Paste the SAML Single Sign-On Service URL into the Identity Provider SSO Target URL field.
  • Paste the SAML Entity ID into the Identity Provider Entity ID field.
  • Paste the Sign-Out URL into the Identity Provider SLO Target URL.
  • Create the user attributes in the next three fields to map directly into what you configured inside AAD.  These fields should correlate directly to the SAML Token Attribute Names you configured on the AAD side of the connection. 

Check This SSO configuration should be active and click Save Configuration.

That's it! Setting up SAML can be a giant pain in the butt, so if you have any issues, email us at

Did this answer your question?