Red Canary supports single sign-on (SSO) to any SAML-compliant identity provider. Okta is a commonly used identity provider that you can use to control access to Red Canary.
Setting up single sign-on to Okta
To configure Red Canary to use Okta as your SSO provider:
- Log in to Okta as an administrator and select Applications from the top navigation menu.
- From the Applications screen, choose Add Application > Create New App.
- Select SAML 2.0.
- Click Create.
- Set the App name to Red Canary.
- Set the App logo to a Red Canary stamp from https://redcanary.com/brand/#stamp.
- Click Next.
- Set Single sign on URL to https://<your_domain>.my.redcanary.co/saml_sp/consume
- Check Use this for Recipient URL and Destination URL.
- Set Audience URI (SP Entity ID) to the value listed in the Red Canary SSO configuration's Entity / Issuer value.
- Set Name ID format to EmailAddress.
- Set Application username to Email.
- Set Attribute Statements using the format below (note: although the Okta interface indicates that the attribute statements are "optional," they are required for Red Canary):
- Click Download Okta Certificate.
- Save the Okta application.
- Click View Setup Instructions:
- In Red Canary, click your profile > Single Sign-On in the site navigation.
- Paste the text contents of the Okta application's X.509 certificate into the Identity Provider X509 Cert field.
- Set Identity Provider SSO Target URL to the Okta application's Identity Provider Single Sign-On URL.
- Set Identity Provider SLO Target URL to the Okta application's Identity Provider Single Signout URL.
- Set Identity Provider Entity ID to the Okta application's Identity Provider Issuer.
- Set Email Attribute to Email.
- Check This SSO configuration should be active.
- Click Save Configuration.
Setting up SAML can occasionally be problematic, so if you have any issues, submit a support case and we’ll jump on a call to debug with you (or check the troubleshooting guide).
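When a login fails after setup, a quick first check is whether the SAMLResponse Okta posts actually carries the values configured in the steps above. The script below is an added example, not Red Canary or Okta code. It assumes you have copied the base64 SAMLResponse form field from your browser's developer tools and that the email attribute statement is named Email, matching the Email Attribute field; the domain, entity ID and sample response in it are constructed placeholders.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed, unsigned sample standing in for a SAMLResponse captured from your browser.
SAMPLE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Destination="{dest}"><saml:Assertion>
<saml:Subject><saml:NameID Format="{fmt}">analyst@example.com</saml:NameID>
<saml:SubjectConfirmation><saml:SubjectConfirmationData Recipient="{dest}"/>
</saml:SubjectConfirmation></saml:Subject>
<saml:Conditions><saml:AudienceRestriction><saml:Audience>{aud}</saml:Audience>
</saml:AudienceRestriction></saml:Conditions>
<saml:AttributeStatement><saml:Attribute Name="{attr}">
<saml:AttributeValue>analyst@example.com</saml:AttributeValue>
</saml:Attribute></saml:AttributeStatement></saml:Assertion></samlp:Response>"""

def build_sample(dest, aud, fmt=EMAIL_FORMAT, attr="Email"):
    """Base64-encode the constructed sample the way the HTTP-POST binding does."""
    xml = SAMPLE_XML.format(dest=dest, aud=aud, fmt=fmt, attr=attr)
    return base64.b64encode(xml.encode()).decode()

def check_saml_response(b64_response, consume_url, entity_id, email_attr="Email"):
    """List mismatches between a SAMLResponse and the values configured above.
    Configuration check only: it does not verify the XML signature."""
    root = ET.fromstring(base64.b64decode(b64_response))
    problems = []
    if root.get("Destination") != consume_url:
        problems.append("Destination does not match the Single sign on URL")
    scd = root.iterfind(".//saml:SubjectConfirmationData", NS)
    if consume_url not in [e.get("Recipient") for e in scd]:
        problems.append("Recipient does not match the Single sign on URL")
    if entity_id not in [e.text for e in root.iterfind(".//saml:Audience", NS)]:
        problems.append("Audience does not match the Entity / Issuer value")
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_FORMAT:
        problems.append("NameID format is not EmailAddress")
    if email_attr not in [a.get("Name") for a in root.iterfind(".//saml:Attribute", NS)]:
        problems.append(f"No attribute named {email_attr!r} in the assertion")
    return problems

if __name__ == "__main__":
    url = "https://example.my.redcanary.co/saml_sp/consume"  # placeholder domain
    entity = "ENTITY_ID_FROM_RED_CANARY"  # placeholder for the Entity / Issuer value
    print(check_saml_response(build_sample(url, entity), url, entity))
    print(check_saml_response(build_sample(url, "wrong", attr="mail"), url, entity))
```

An empty list means the response lines up with the settings from the steps above; each string otherwise names the setting to recheck in Okta.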