Already have Single Sign-On configured and looking to control user and role provisioning or make Single Sign-On mandatory? Jump to this article to learn more.

Step 1: Create a Duo Application

Go to your Duo Admin dashboard, click Applications, then Protect an Application.

Type "service provider" into the search bar and click Protect this Application under SAML - Service Provider.

Step 2: Configure the Duo Application

Configure the Duo Application for Red Canary:

  • Set Service provider name to Red Canary Portal
  • Set Entity ID to the value listed in the Red Canary SSO configuration's Entity / Issuer value
  • Set Assertion Consumer Service to https://<your_domain>
  • Set Service Provider Login URL to https://<your_domain>
  • Set Single Logout URL to
  • Set NameID Format to urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
  • Set NameID Attribute to mail
  • Set SendAttributes to all
  • Ensure Sign Resource and Sign Assertion are both checked
  • Map mail to Email

Save the configuration.

Under the Settings section, set the application's user-visible Name to Red Canary Portal.

Finally, scroll to the top of the application and click Download your configuration file.

Step 3: Configure your Duo Access Gateway

Log in to your Duo Access Gateway management interface and navigate to Applications.

Upload the configuration file downloaded in the previous step into the Add Application Configuration file box and click Upload.

After the configuration file has been uploaded, scroll to the Metadata section of the page and click Download certificate. Keep this page open for the next step.

Step 4: Configure Red Canary

Head over to your Red Canary portal and navigate to Profile > Single Sign-On. 

  • Paste the certificate you downloaded in the previous step into the Identity Provider x509 Cert field.
  • Set Identity Provider SSO Target URL to the SSO URL from your Duo Access Gateway metadata.
  • Set Identity Provider SLO Target URL to the Logout URL from your Duo Access Gateway metadata.
  • Set Identity Provider Entity ID to the Entity ID from your Duo Access Gateway metadata.
  • Set Email Attribute to Email

Check This SSO configuration should be active and click Save Configuration.
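
To double-check the Step 4 values before pasting them, the script below (an added example, not Red Canary's or Duo's code) reads a SAML 2.0 identity provider metadata document and maps it to the field names above, rejecting non-HTTPS endpoints and ambiguous signing keys. It assumes your gateway's metadata is available as standard SAML 2.0 XML; the function name `step4_fields`, the `dag.example.com` host and the sample certificate bytes are constructed for illustration.

```python
import base64, hashlib, textwrap
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
# Constructed sample: host name and certificate bytes are placeholders.
SAMPLE_DER = b"constructed placeholder, not a real DER certificate"
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://dag.example.com/idp">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{base64.b64encode(SAMPLE_DER).decode()}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleLogoutService Binding="{REDIRECT}" Location="https://dag.example.com/slo"/>
    <md:SingleSignOnService Binding="{REDIRECT}" Location="https://dag.example.com/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def step4_fields(metadata_xml):
    """Return the Step 4 form values plus a SHA-256 fingerprint of the signing cert."""
    # Feed this only metadata exported from your own gateway, not untrusted XML.
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: not identity provider metadata")

    def endpoint(tag):
        node = idp.find(f"md:{tag}", NS)
        url = node.get("Location", "") if node is not None else ""
        if not url.startswith("https://"):
            raise ValueError(f"{tag} is missing or not HTTPS: {url!r}")
        return url

    # Only a signing key belongs in the x509 Cert field; skip encryption-only keys.
    certs = [kd.find(".//ds:X509Certificate", NS)
             for kd in idp.findall("md:KeyDescriptor", NS)
             if kd.get("use", "signing") == "signing"]
    certs = [c for c in certs if c is not None and c.text]
    if len(certs) != 1:
        raise ValueError(f"expected one signing certificate, found {len(certs)}")
    der = base64.b64decode("".join(certs[0].text.split()), validate=True)
    body = "\n".join(textwrap.wrap(base64.b64encode(der).decode(), 64))
    return {"Identity Provider x509 Cert":
                f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----",
            "Identity Provider SSO Target URL": endpoint("SingleSignOnService"),
            "Identity Provider SLO Target URL": endpoint("SingleLogoutService"),
            "Identity Provider Entity ID": root.get("entityID"),
            "cert_sha256": hashlib.sha256(der).hexdigest()}
```

`cert_sha256` is the SHA-256 of the certificate's DER bytes, the same value `openssl x509 -noout -fingerprint -sha256` reports apart from colons and letter case, so it can be compared against the certificate file downloaded in Step 3.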

Your users should now see the Red Canary Portal application in their Duo Application Launcher.

That's it! Setting up SAML can be a giant pain in the butt, so if you have any issues, email us at
