Red Canary supports single sign-on (SSO) to any Security Assertion Markup Language (SAML)-compliant identity provider. Okta is a commonly used identity provider that you can use to control access to Red Canary.

Important: Setting up SAML can occasionally be problematic, so if you have any issues, please submit a support case. For more information, see Getting Help in the Red Canary Help Center.

The steps begin in Okta and are completed in Red Canary.

Steps in Okta

• • • Service Provider (SP): Red Canary
    • Identity Provider (IdP): Okta

1. Navigate to Account Settings, and then click Download our Service Provider Certificate. This is required for Okta Single Logout and will be used later in this setup.
2. Log in to Okta as an administrator, and then click Applications in the navigation menu.  
3. From the Applications page, click Add Application, then Create New App.
4. Select SAML 2.0.
5. Click Create.
   
   
6. Update the App Name to Red Canary.
7. Set the App Logo to a Red Canary stamp from https://redcanary.com/brand/#stamp.
8. Click Next.
9. Set Single sign-on URL to https://[subdomain].my.redcanary.co/saml_sp/consume.
   Always update [subdomain] in the URL with your own Red Canary subdomain.
10. Select Use this for Recipient URL Destination URL.
11. Update Audience URI (SP Entity ID) to the value listed in the Red Canary SSO configuration's Entity / Issuer value.
12. Set Name ID format to EmailAddress.
13. Set Application username to Okta username.
14. Click Show Advanced Settings.
15. Enter the below information. Make sure to update [go] in the URLs with your own Red Canary subdomain.
• Select Allow application to initiate Single Logout
• Update Single Logout URL with the value listed in the Red Canary SSO configuration's Identity Provider SLO Target URL value
• Update SP Issuer with the value listed in the Red Canary SSO configuration's Entity/Issuer value
  
  
16. Click the Browse button on the right side of the Signature Certificate field and upload the Certificate downloaded from Red Canary in the first step. Then, click the Upload Certificate button.
17. Go to the Attribute Statements (optional) section.
18. Change the following settings:
• Change the Name field to Email
• Change the Name format (optional) field to Basic
• Change the Value field to user.email
  
  
19. Scroll to the bottom of the page and click Next, then Finish to save the SAML Integration settings.
20. Go to the Directory | Profile Editor page, then scroll down to the Attributes section and confirm that:
• The Display Name is set as Username
• The Variable Name is set as userName
• The Data type is set as string
• The Attribute Type set as Base
  
  
21. Next, go to the Applications | Applications | Sign On. Scroll down to the Credentials Details section. Verify that the Application username format field is set as Okta username.
22. Click the Update Now button to update and save the settings.
    
    
23. Save the Okta application.
24. Click View Setup Instructions.
    
    

Steps in Red Canary

1. Click your user profile at top right of your Red Canary, and then click Single Sign-On.
2. Paste the text contents of the Okta application's X.509 certificate into the Identity Provider X509 Cert (Base64 encoded).
3. Set the Identity Provider SSO Target URL to the Okta application's Identity Provider Single Sign-On URL.
4. Set Identity Provider SLO Target URL to the Okta Application's Identity Provider Single Logout URL.
5. Set Identity Provider Entity ID to the Okta application's Identity Provider Issuer.
6. Set Email Attribute to Email.
7. Select This SSO configuration should be active.
8. Click Save.