Set up single sign-on to Ping Identity

Red Canary supports single sign-on (SSO) to any Security Assertion Markup Language (SAML)-compliant identity provider. PingOne is a commonly used identity provider that you can use to control access to Red Canary.

1. Log into https://admin.pingone.com with your administrative account.  
2. Navigate to the applications section and click Add Application > New SAML Application.  
3. Set the Application Name to Red Canary.
4. Set the Application Description and Category as you wish.
5. Set the Application Icon to a Red Canary stamp from https://redcanary.com/brand/#stamp.
6. Click Continue to Next Step.
   
7. Set Assertion Consumer Service (ACS) to https://<your_domain>.my.redcanary.co/saml_sp/consume.
8. Set Entity ID to the value listed in the Red Canary SSO configuration's Entity / Issuer value.
9. Upload Red Canary's SAML signing certificate as the Primary Verification Certificate. Download the certificate here.
   
10. Click Continue to Next Step.
11. Map the Email Application Attribute to the Email Identity Bridge Attribute.
    
12. Click Save and Publish.
13. Download your SAML Metadata. This file contains your Entity ID, Identity Provider SLO Target URL, and Identity Provider X509 signing certificate. 
14. Click your user icon at the top right of your Red Canary, and then click Single Sign-on.
15. Convert the Identity Provider X509 signing certificate you downloaded to Base64 and paste the text contents into the Identity Provider X509 Cert (Base64 encoded) field.
16. Set Identity Provider SSO Target URL to the PingOne application's Initiate Single Sign-On (SSO) URL.
17. Set Identify Provider SLO Target URL to https://sso.connect.pingidentity.com/sso/SLO.saml2.
18. Set Identity Provider Entity ID to the https://pingone.com/idp/<customer>.
19. Set Email Attribute to Email.
20. Check This SSO configuration should be active (found at the top of the page).
21. Click Save.