Red Canary supports single sign-on (SSO) to any SAML-compliant identity provider. Microsoft’s Entra Active Directory is a commonly used identity provider that you can use to control access to Red Canary.
- Login to your Microsoft Entra AD administration portal.
- Click the Enterprise Applications section.
- Click + New Application on the top menu bar.
- Click + Create your own application on the top menu bar.
- In the What's the name of your app? field, enter Red Canary, and then select the Integrate any other application you don't find in the gallery (Non-gallery) radio button.
- Once the new "Non-gallery" app has been created, you should be redirected to the application's configuration overview page.
- Click Single sign-On, and then select the SAML tile.
You will now be in the application's Set up Single Sign-On with SAML configuration page.
Set up basic SAML configuration
- Open the Entra AD SSO configuration page.
- In the Basic SAML Configuration section, click Edit.
- Set Identifier to the value listed in the Red Canary SSO configuration's Entity / Issuer value. To find this value you will need to login to your Red Canary and navigate to the Single Sign-On configuration page. You can get there by clicking on your User Icon (top right of page) and selecting "Single Sign-On."
- Set Reply URL to https://<your domain>.my.redcanary.co/saml_sp/consume. The Basic SAML Configuration should look similar to this:
Configure SAML attributes
- In the Attributes & Claims section, click Edit.
Note: You must provide the LastName, FirstName, and Email claims without any Namespace specified. You will need to delete all of the default Claim entries under the Additional Claims section. Then you must create the FirstName, LastName, and Email Claims.
- Set LastName = user.surname
- Set FirstName = user.givenname
- Set Email = user.mail
- Set Unique User Identifier = user.mail
The finalized Attribute & Claims section should look like this:
Note: Ensure that the email value is populated to the user.mail attribute in your User Profile located in Entra. If not, you will need to map to the correct attribute containing the user's email address.
Download the Base64 Certificate Signature and copy SAML service URLs
Note: The values for these attributes are specific to your Active Directory configuration and may not match those pictured below.
- Download the Certificate (Base64) from SAML Signing Certificate section and convert it to Base64-encoded text. (You will need this text for entry into Red Canary's Single Sign-On configuration in the next section of this procedure.)
Finalize the SAML settings in your Red Canary SSO page
Pro Tip: It's usually a good idea to first paste the line into a text editor (like Notepad on Windows or TextEdit on Mac) and then copy and paste the clean, unformatted text into the configuration settings.
- Click your user icon at the top right of your Red Canary, and then click Single Sign-On.
- Paste the Base64-encoded signing certificate information you downloaded from SAML Signing Certificate section into the Identity Provider x509 Cert (Base64 encoded) field.
- Paste the Login URL from Microsoft Entra into the Identity Provider SSO Target URL field.
- Paste the Azure AD Identifier from Microsoft Entra into the Identity Provider Entity ID field.
- Paste the Logout URL from Microsoft Entra into the Identity Provider SLO Target URL field.
Note: Be sure to keep the trailing forward slash at the end of the URL and make sure there is no extra whitespace at the end of the line.
- Set Email Attribute to Email.
Note: Make sure there are no periods (".") or whitespaces at the end of the text. The setting should look like this:
- Check This SSO configuration should be active (at the top of the page).
- Click Save.