Red Canary supports single sign-on (SSO) to any SAML-compliant identity provider. Microsoft’s Azure Active Directory is a commonly used identity provider that you can use to control access to Red Canary.

Setting up single sign-on with Azure AD

To configure Red Canary to use Azure AD as your SSO provider:

• Login to your Microsoft Azure AD administration portal.
• Click on the "Enterprise Applications" section.
• Click "+ New Application" on the top menu bar.
• Click on "+ Create your own application" on the top menu bar.
• Enter "Red Canary" in the "What's the name of your app?" field, and select the "Integrate any other application you don't find in the gallery (Non-gallery)" radio button. 
  
• Once the new "Non-gallery" app has been created, you should be redirected to the application's configuration overview page.  Click on "Single Sign-On" and then select the "SAML" tile. 

• You will now be in the application's "Set up Single Sign-On with SAML" configuration page.

Set up Basic SAML Configuration

• Open the Azure AD SSO configuration page and click "Edit" on the "Basic SAML Configuration" section.

• Set Identifier to the value listed in the Red Canary SSO configuration's Entity / Issuer value.
• Set Reply URL to https://<your domain>.my.redcanary.co/saml_sp/consume

(the Basic SAML Configuration should look similar to this)

Configure SAML Attributes

• Click "Edit" on the "Attributes & Claims" section. NOTE:  you MUST provide the LastName, FirstName, and Email claims WITHOUT any "Namespace" specified. 
• NOTE: You will need to delete all of the default Claim entries under the "Additional Claims" section.  Then you will need to create the "FirstName," "LastName," and "Email" Claims.  
  • Set LastName = user.surname
  • Set FirstName = user.givenname
  • Set Email = user.mail
  • Set Unique User Identifier = user.mail 

(the Attributes & Claims edit sections should look like this after you finish entering the new Claims)

(the finalized Attribute & Claims section should look like this)

Download the Base64 Certificate Signature and Copy SAML Service URLs

NOTE: The values for these attributes are specific to your Active Directory configuration and may not match the picture below.

• Download the "Certificate (Base64) from "SAML Signing Certificate" section and convert it to Base64-encoded text.  You will need this text for entry into Red Canary's SSO configuration. 

• Click "View step-by-step instructions" link in the "Set up Red Canary" section.

• In the menu that opens on the right, copy the following AAD Identity Provider information. You will need this information for entry into Red Canary's SSO configuration. NOTE: these values will be different for every Active Directory Identity provider.
  

Finalize the SAML settings in your Red Canary Single Sign-On page

• Open your Red Canary Single Sign-On page (click your profile > Single Sign-On in the site navigation).
• Paste the Base64-encoded signing certificate information you downloaded from SAML Signing Certificate section into the Identity Provider x509 Cert field.
• Paste the SAML Single Sign-On Service URL into the Identity Provider SSO Target URL field.
• Paste the SAML Entity ID into the Identity Provider Entity ID field.
• Paste the Sign-Out URL into the Identity Provider SLO Target URL field.
  • NOTE: Be sure to keep the trailing forward slash at the end of the URL and make sure there is no extra whitespace at the end of the line. 
  • PRO TIP: It's usually a good idea to first paste the line into a text editor (like Notepad on Windows or TextEdit on Mac), then copy and paste the clean, unformatted text into the configuration settings.

• Set Email Attribute to "Email"
  • NOTE: Make sure there are no periods (".") or whitespaces at the end of the text.

         The setting should look like this: 

• Check This SSO configuration should be active.
• Click Save Configuration.

Setting up SAML can occasionally be problematic, so if you have any issues, submit a support case and we’ll jump on a call to debug with you (or check the troubleshooting guide).