Red Canary supports single sign-on (SSO) to any SAML-compliant identity provider. Okta is a commonly used identity provider that you can use to control access to Red Canary.

Setting up single sign-on to Okta

To configure Red Canary to use Okta as your SSO provider:  

• SP = Service Provider = Red Canary
• Identity Provider = Okta

1. Check https://go.my.redcanary.co/account/settings/sso/edit and click on “Download our Service Provider Certificate” (needed for Okta Single Logout)
2. Log into Okta as an administrator and select Applications from the top navigation menu.  
3. From the Applications screen, choose Add Application > Create New App.
4. Select SAML 2.0.
5. Click Create.
   
6. Set the App name to Red Canary.
7. Set the App logo to a Red Canary stamp from https://redcanary.com/brand/#stamp.
8. Click Next.
9. Set Single sign on URL to https://<Subdomain Name>.my.redcanary.co/saml_sp/consume
10. Check Use this for Recipient URL Destination URL.
11. Set Audience URI (SP Entity ID) to the value listed in the Red Canary SSO configuration's Entity / Issuer value.
12. Set Name ID format to EmailAddress.
13. Set Application username to Email.

14. Click on “Show Advanced Settings"

15. Enter the below information (replacing "go" with your Red Canary subdomain name)

16. Next, upload the Certificate downloaded from Red Canary in Step 1

17. Click Download Okta Certificate.
18. Save the Okta application.
19. Click View Setup Instructions:
    
    
20. In Red Canary, click your profile > Single Sign-On in the site navigation.
21. Paste the text contents of the Okta application's X.509 certificate into the Identity Provider X509 Cert field.
22. Set Identity Provider SSO Target URL to the Okta application's Identity Provider Single Sign-On URL.
23. Set Identity Provider SLO Target URL to the Okta Application's Identity Provider Single Logout URL
24. Set Identity Provider Entity ID to the Okta application's Identity Provider Issuer.
25. Set Email Attribute to Email.
26. Check This SSO configuration should be active.
27. Click Save Configuration.

NOTE: If your Okta SSO authentication is failing with the following message: 

You will need to create a custom Attribute Statement.  The Attribute Statements (optional) setting can be found in your Okta > Applications > Applications> General tab.

The Attribute Statement Configuration should look like the following screenshot: 

Once this setting is configured, click NEXT then click FINISH at the bottom of the page to ensure the settings have been applied.  Now test logging into your Red Canary using SSO.  

IMPORTANT: Setting up SAML can occasionally be problematic, so if you have any issues, submit a support case and we’ll jump on a call to debug with you.