Red Canary supports single sign-on (SSO) to any SAML-compliant identity provider. Okta is a commonly used identity provider that you can use to control access to Red Canary.
Important: Setting up SAML can occasionally be problematic, so if you have any issues, please submit a support case. For more information, see Getting Help in the Red Canary Help Center.
Set up single sign-on to Okta
To configure Red Canary to use Okta as your SSO provider:
- Service Provider (SP): Red Canary
- Identity Provider (IdP): Okta
- Navigate to https://go.my.redcanary.co/account/settings/sso/edit, and then click Download our Service Provider Certificate. This certificate is required for Okta Single Logout and will be used later in this setup.
- Log in to Okta as an administrator, and then click Applications in the navigation menu.
- From the Applications page, click Add Application, then Create New App.
- Select SAML 2.0.
- Click Create.
- Update the App Name to Red Canary.
- Set the App Logo to a Red Canary stamp from https://redcanary.com/brand/#stamp.
- Click Next.
- Set Single sign on URL to https://[subdomain].my.redcanary.co/saml_sp/consume. Make sure to update [subdomain] in the URL with your own Red Canary subdomain.
- Select Use this for Recipient URL and Destination URL.
- Update Audience URI (SP Entity ID) to the value listed in the Red Canary SSO configuration's Entity / Issuer value.
- Set Name ID format to EmailAddress.
- Set Application username to Okta username.
Click Show Advanced Settings.
Enter the below information. Make sure to update [go] in the URLs with your own Red Canary subdomain.
- Select Allow application to initiate Single Logout.
Update Single Logout URL with the value listed in the Red Canary SSO configuration's Identity Provider SLO Target URL value.
Update SP Issuer with the value listed in the Red Canary SSO configuration's Entity/Issuer value.
Then, click the Browse button on the right side of the Signature Certificate field and upload the Certificate that was downloaded from Red Canary in the first step. Then, click the Upload Certificate button.
- Go to the Attribute Statements (optional) section.
- Change the following settings:
- Change the Name field to Email,
- Change the Name format (optional) field to Basic,
- Change the Value field to user.email.
- Scroll to the bottom of the page and click Next, then Finish to save the SAML Integration settings.
- Go to the Directory | Profile Editor page, then scroll down to the Attributes section and confirm that:
- The Display Name is set as Username.
- The Variable Name is set as userName.
- The Data type is set as string.
- The Attribute Type is set as Base.
- Next, go to Applications | Applications | Sign On. Scroll down to the Credentials Details section. Verify that the Application username format field is set as Okta username.
- Next, click the Update Now button to update and save the settings.
- Save the Okta application.
- Click View Setup Instructions.
- In Red Canary, click your profile icon, then click Single Sign-On.
- Paste the text contents of the Okta application's X.509 certificate into the Identity Provider X509 Cert field.
- Set Identity Provider SSO Target URL to the Okta application's Identity Provider Single Sign-On URL.
- Set Identity Provider SLO Target URL to the Okta application's Identity Provider Single Logout URL.
- Set Identity Provider Entity ID to the Okta application's Identity Provider Issuer.
- Set Email Attribute to Email.
- Select This SSO configuration should be active.
- Click Save Configuration.
Setting up SAML can occasionally be problematic, so if you have any issues, submit a support case and we’ll jump on a call to debug with you (or check the troubleshooting guide).
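When a test login fails, most mismatches show up in the SAML Response itself. The following Python check is an added example, not Red Canary's or Okta's code: it compares a base64-decoded Response against the Single sign on URL, Audience URI, Name ID format and Email attribute configured in the steps above. The `example` subdomain, the entity ID placeholder and the sample response are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"a": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FMT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
BASIC_FMT = "urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
# Constructed values: "example" stands in for [subdomain]; the entity ID is a placeholder.
ACS_URL = "https://example.my.redcanary.co/saml_sp/consume"
SP_ENTITY_ID = "ENTITY-ISSUER-VALUE-FROM-RED-CANARY"

def check_response(xml_text, acs_url=ACS_URL, sp_entity_id=SP_ENTITY_ID):
    """List mismatches between a decoded SAML Response and the settings above.
    Debugging aid only: it does not verify the XML signature."""
    root, problems = ET.fromstring(xml_text), []
    if root.get("Destination") != acs_url:
        problems.append("Destination != Single sign on URL")
    scd = root.find(".//a:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != acs_url:
        problems.append("Recipient != Single sign on URL")
    aud = root.find(".//a:AudienceRestriction/a:Audience", NS)
    if aud is None or (aud.text or "").strip() != sp_entity_id:
        problems.append("Audience != Audience URI (SP Entity ID)")
    name_id = root.find(".//a:Subject/a:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_FMT:
        problems.append("Name ID format is not EmailAddress")
    email = root.find(".//a:AttributeStatement/a:Attribute[@Name='Email']", NS)
    if email is None:
        problems.append("Attribute statement 'Email' is missing")
    elif email.get("NameFormat") != BASIC_FMT:
        problems.append("Attribute 'Email' Name format is not Basic")
    return problems

def sample_response(acs=ACS_URL, audience=SP_ENTITY_ID, attr="Email"):
    """Constructed, unsigned Response shaped like what the IdP posts to the SP."""
    return f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Destination="{acs}">
 <saml:Assertion>
  <saml:Subject><saml:NameID Format="{EMAIL_FMT}">analyst@example.com</saml:NameID>
   <saml:SubjectConfirmation><saml:SubjectConfirmationData Recipient="{acs}"/>
   </saml:SubjectConfirmation></saml:Subject>
  <saml:Conditions><saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience>
   </saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement><saml:Attribute Name="{attr}" NameFormat="{BASIC_FMT}">
   <saml:AttributeValue>analyst@example.com</saml:AttributeValue>
  </saml:Attribute></saml:AttributeStatement>
 </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    print(check_response(sample_response()))              # matching configuration
    print(check_response(sample_response(attr="email")))  # attribute statement misnamed
```

An empty list means the Response matches the configured values; each string names the Okta setting to revisit.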