Red Canary supports single sign-on (SSO) with any Security Assertion Markup Language (SAML)-compliant identity provider. Okta is a commonly used identity provider that you can use to control access to Red Canary.
Important: Setting up SAML can occasionally be problematic, so if you have any issues, please submit a support case. For more information, see Getting Help in the Red Canary Help Center.
The steps begin in Okta and are completed in Red Canary.
Steps in Okta
- Service Provider (SP): Red Canary
- Identity Provider (IdP): Okta
- Navigate to Account Settings, and then click Download our Service Provider Certificate. This is required for Okta Single Logout and will be used later in this setup.
- Log in to Okta as an administrator, and then click Applications in the navigation menu.
- From the Applications page, click Add Application, then Create New App.
- Select SAML 2.0.
- Click Create.
- Update the App Name to Red Canary.
- Set the App Logo to a Red Canary stamp from https://redcanary.com/brand/#stamp.
- Click Next.
- Set Single sign-on URL to
[subdomain] in the URL with your own Red Canary subdomain.
- Select Use this for Recipient URL and Destination URL.
- Update Audience URI (SP Entity ID) to the value listed in the Red Canary SSO configuration's Entity / Issuer value.
- Set Name ID format to EmailAddress.
- Set Application username to Okta username.
- Click Show Advanced Settings.
- Enter the below information. Make sure to update [go] in the URLs with your own Red Canary subdomain.
- Select Allow application to initiate Single Logout.
- Update Single Logout URL with the value listed in the Red Canary SSO configuration's Identity Provider SLO Target URL value.
- Update SP Issuer with the value listed in the Red Canary SSO configuration's Entity/Issuer value.
- Change the Name field to Email.
- Change the Name format (optional) field to Basic.
- Change the Value field to user.email.
- The Display Name is set as Username.
- The Variable Name is set as userName.
- The Data type is set as string.
- The Attribute Type is set as Base.
Steps in Red Canary
- Click your user profile at the top right of Red Canary, and then click Single Sign-On.
- Paste the text contents of the Okta application's X.509 certificate into the Identity Provider X509 Cert (Base64 encoded) field.
- Set the Identity Provider SSO Target URL to the Okta application's Identity Provider Single Sign-On URL.
- Set Identity Provider SLO Target URL to the Okta application's Identity Provider Single Logout URL.
- Set Identity Provider Entity ID to the Okta application's Identity Provider Issuer.
- Set Email Attribute to Email.
- Select This SSO configuration should be active.
- Click Save.
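
The following Python script is an added example, not part of Red Canary's or Okta's own documentation. It reads the Okta application's SAML identity provider metadata XML and maps it onto the four identity-provider fields in the steps above, so the values you pasted can be cross-checked before activating SSO. It assumes you have saved that metadata XML yourself; the sample document, host name and certificate body are constructed placeholders, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample: placeholder host, entity ID and certificate body.
SAMPLE_METADATA = """\
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="http://idp.example.test/exkPLACEHOLDER">
 <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
    Q09OU1RSVUNURUQt
    UExBQ0VIT0xERVI=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
      Location="https://idp.example.test/app/exkPLACEHOLDER/slo/saml"/>
  <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      Location="https://idp.example.test/app/exkPLACEHOLDER/sso/saml"/>
 </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def _location(idp, tag):
    """Return the single endpoint URL advertised for a service element."""
    urls = {e.get("Location") for e in idp.findall(f"md:{tag}", NS)}
    if len(urls) != 1:
        raise ValueError(f"{tag}: expected one distinct Location, found {len(urls)}")
    return urls.pop()


def red_canary_sso_fields(metadata_xml):
    """Map IdP metadata onto the Red Canary Single Sign-On form fields."""
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("not IdP metadata: no IDPSSODescriptor element")
    certs = ["".join(c.text.split()) for kd in idp.findall("md:KeyDescriptor", NS)
             if kd.get("use", "signing") == "signing"  # no "use" means signing too
             for c in kd.iterfind(".//ds:X509Certificate", NS) if c.text]
    if len(certs) != 1:
        raise ValueError(f"expected one signing certificate, found {len(certs)}")
    fields = {
        "Identity Provider X509 Cert (Base64 encoded)": certs[0],
        "Identity Provider SSO Target URL": _location(idp, "SingleSignOnService"),
        "Identity Provider SLO Target URL": _location(idp, "SingleLogoutService"),
        "Identity Provider Entity ID": root.get("entityID"),
    }
    for name, value in fields.items():
        if not value or (name.endswith("URL") and not value.startswith("https://")):
            raise ValueError(f"missing or non-HTTPS value for {name!r}")
    return fields
```

Parse only metadata you obtained from your own Okta tenant; the script raises `ValueError` when Single Logout is not advertised, when more than one signing certificate is present, or when an endpoint is not HTTPS.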