Red Canary supports single sign-on (SSO) to any SAML-compliant identity provider. Okta is a commonly used identity provider that you can use to control access to Red Canary.

Setting up single sign-on to Okta

To configure Red Canary to use Okta as your SSO provider:

1. Log into Okta as an administrator and select Applications from the top navigation menu.  
2. From the Applications screen, choose Add Application > Create New App.
3. Select SAML 2.0.
4. Click Create.
   
5. Set the App name to Red Canary.
6. Set the App logo to a Red Canary stamp from https://redcanary.com/brand/#stamp.
7. Click Next.
8. Set Single sign on URL to https://<your_domain>.my.redcanary.co/saml_sp/consume 
9. Check Use this for Recipient URL Destination URL.
10. Set Audience URI (SP Entity ID) to the value listed in the Red Canary SSO configuration's Entity / Issuer value.
11. Set Name ID format to EmailAddress.
12. Set Application username to Email.
13. Set Attribute Statements using the format below (note: although the Okta interface indicates that the attribute statements are "optional," they are required for Red Canary):
    
14. Click Download Okta Certificate.
15. Save the Okta application.
16. Click View Setup Instructions:
    
    
17. In Red Canary, click your profile > Single Sign-On in the site navigation.
18. Paste the text contents of the Okta application's X.509 certificate into the Identity Provider X509 Cert field.
19. Set Identity Provider SSO Target URL to the Okta application's Identity Provider Single Sign-On URL.
20. Set Identity Provider SLO Target URL to the Okta Application's Identity Provider Single Signout URL.
21. Set Identity Provider Entity ID to the Okta application's Identity Provider Issuer.
22. Set Email Attribute to Email.
23. Check This SSO configuration should be active.
24. Click Save Configuration.

Setting up SAML can occasionally be problematic, so if you have any issues, submit a support case and we’ll jump on a call to debug with you (or check the troubleshooting guide).