Red Canary supports single sign-on (SSO) to any SAML-compliant identity provider. Microsoft’s Azure Active Directory is a commonly used identity provider that you can use to control access to Red Canary.
Setting up single sign-on to Azure AD
To configure Red Canary to use Azure AD as your SSO provider:
- Log in to your Microsoft Azure AD administration portal.
- Click on the "Enterprise Applications" section.
- Click "+ New Application" on the top menu bar.
- Click on "+ Create your own application" on the top menu bar.
- Enter "Red Canary" in the "What's the name of your app?" field, and select the "Integrate any other application you don't find in the gallery (Non-gallery)" radio button.
- Once the new "Non-gallery" app has been created, you should be redirected to the application's configuration overview page. Click on "Single Sign-On" and then select the "SAML" tile.
- You will now be in the application's "Set up Single Sign-On with SAML" configuration page.
Set up Basic SAML Configuration
- Open the Azure AD SSO configuration page and click "Edit" on the "Basic SAML Configuration" section.
- Set Identifier (Entity ID) to the value shown as Entity / Issuer in the Red Canary SSO configuration page.
- Set Reply URL to https://<your domain>.my.redcanary.co/saml_sp/consume
(the Basic SAML Configuration should look similar to this)
Configure SAML Attributes
- Click "Edit" on the "Attributes & Claims" section. NOTE: you MUST provide the LastName, FirstName, and Email claims WITHOUT any "Namespace" specified.
- NOTE: You will need to delete all of the default Claim entries under the "Additional Claims" section. Then you will need to create the "FirstName," "LastName," and "Email" Claims.
- Set LastName = user.surname
- Set FirstName = user.givenname
- Set Email = user.mail
- Set Unique User Identifier (Name ID) = user.mail. Note that user.mail is empty for accounts that have no mail address; those accounts will have no Name ID and will not be able to sign in through SSO.
(the Attributes & Claims edit sections should look like this after you finish entering the new Claims)
(the finalized Attribute & Claims section should look like this)
Download the Base64 Certificate Signature and Copy SAML Service URLs
NOTE: The values for these attributes are specific to your Active Directory configuration and may not match the picture below.
- Download the "Certificate (Base64)" from the "SAML Signing Certificate" section. The downloaded file is already Base64-encoded (PEM) text; open it in a text editor, because you will paste its contents into Red Canary's SSO configuration.
- Click "View step-by-step instructions" link in the "Set up Red Canary" section.
- In the panel that opens on the right, copy the Azure AD Identity Provider values: the SAML Single Sign-On Service URL, the SAML Entity ID, and the Sign-Out URL. You will need these for entry into Red Canary's SSO configuration. NOTE: these values are different for every Azure AD tenant.
Finalize the SAML settings in your Red Canary Single Sign-On page
- Open your Red Canary Single Sign-On page (click your profile > Single Sign-On in the site navigation).
- Paste the Base64-encoded signing certificate information you downloaded from SAML Signing Certificate section into the Identity Provider x509 Cert field.
- Paste the SAML Single Sign-On Service URL into the Identity Provider SSO Target URL field.
- Paste the SAML Entity ID into the Identity Provider Entity ID field.
- Paste the Sign-Out URL into the Identity Provider SLO Target URL field.
- NOTE: Paste each value exactly as Azure AD shows it. The SAML Entity ID ends with a trailing forward slash, which must be kept (a SAML entity ID must match exactly), and there must be no extra whitespace at the start or end of any value.
- PRO TIP: It's usually a good idea to first paste the line into a text editor (like Notepad on Windows or TextEdit on Mac), then copy and paste the clean, unformatted text into the configuration settings.
- Set Email Attribute to "Email"
- NOTE: Make sure there are no periods (".") or whitespaces at the end of the text.
The setting should look like this:
- Check the "This SSO configuration should be active" box.
- Click Save Configuration.
Setting up SAML can occasionally be problematic, so if you have any issues, submit a support case and we’ll jump on a call to debug with you (or check the troubleshooting guide).
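Before opening a support case, the most common mistakes in this procedure (namespaced claim names, a dropped trailing slash on the Entity ID, stray whitespace, a mangled certificate file) can be checked offline. The following script is an added example, not part of this article or of Red Canary's or Microsoft's own tooling. It assumes you have the downloaded Certificate (Base64) file and a SAML assertion captured from the browser during a sign-in attempt; the assertion and certificate embedded below are constructed samples, not data from a real tenant.

```python
"""Offline sanity checks for a Red Canary <-> Azure AD SAML SSO setup (added example)."""
import base64
import re
import xml.etree.ElementTree as ET

SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
REQUIRED_CLAIMS = ("FirstName", "LastName", "Email")
# The Azure AD Identifier has the form https://sts.windows.net/<tenant-id>/ (trailing slash included).
AZURE_ENTITY_PREFIX = "https://sts.windows.net/"


def normalize_cert(cert_text):
    """Turn the downloaded 'Certificate (Base64)' file into a clean PEM string.

    The download is already PEM text, so nothing needs converting; this strips
    stray whitespace, checks that the body decodes to DER (an X.509 certificate
    is a DER SEQUENCE, whose first byte is 0x30) and re-wraps it at 64 columns.
    """
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", cert_text)
    body = "".join(body.split())
    der = base64.b64decode(body, validate=True)
    if not der or der[0] != 0x30:
        raise ValueError("body does not decode to a DER-encoded certificate")
    wrapped = "\n".join(body[i:i + 64] for i in range(0, len(body), 64))
    return f"-----BEGIN CERTIFICATE-----\n{wrapped}\n-----END CERTIFICATE-----\n"


def check_config_values(entity_id, sso_url, slo_url, email_attribute):
    """Return a list of problems with the values about to be pasted into Red Canary."""
    problems = []
    for label, value in (("Entity ID", entity_id), ("SSO Target URL", sso_url),
                         ("SLO Target URL", slo_url), ("Email Attribute", email_attribute)):
        if value != value.strip():
            problems.append(f"{label} has leading or trailing whitespace")
    if entity_id.strip().startswith(AZURE_ENTITY_PREFIX) and not entity_id.strip().endswith("/"):
        problems.append("Entity ID is missing its trailing forward slash")
    if email_attribute.strip() != "Email":  # catches a stray period as well as the wrong name
        problems.append('Email Attribute must be exactly "Email"')
    return problems


def check_assertion_claims(assertion_xml):
    """Check the claims in a captured SAML assertion against what Red Canary expects.

    Azure AD's default claims are namespaced (e.g.
    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname); Red Canary
    needs bare FirstName/LastName/Email names and a NameID equal to the mail address.
    """
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iter(f"{{{SAML2}}}Attribute"):
        values = [v.text or "" for v in attr.findall(f"{{{SAML2}}}AttributeValue")]
        attrs[attr.get("Name")] = values[0] if values else ""
    problems = [f"claim {name!r} carries a namespace; it must be a bare name"
                for name in attrs if "/" in name]
    for name in REQUIRED_CLAIMS:
        if name not in attrs:
            problems.append(f"missing claim {name!r}")
        elif not attrs[name]:
            problems.append(f"claim {name!r} is empty")
    name_id = root.find(f".//{{{SAML2}}}NameID")
    if name_id is None or not (name_id.text or "").strip():
        problems.append("assertion has no NameID (Unique User Identifier)")
    elif attrs.get("Email") and name_id.text.strip() != attrs["Email"]:
        problems.append("NameID does not match the Email claim")
    return problems


# Constructed stand-in for the downloaded file: a minimal DER SEQUENCE, not a real
# certificate, with the CRLF line endings and trailing blanks copy/paste often adds.
SAMPLE_CERT_DOWNLOAD = "-----BEGIN CERTIFICATE-----\r\nMAMCAQE=  \r\n-----END CERTIFICATE-----\r\n\n"

# Constructed sample assertions (not captured from a real tenant). The first carries the
# bare claims this article asks for; the second still has Azure AD's default namespaced claims.
GOOD_ASSERTION = f"""<Assertion xmlns="{SAML2}" ID="_a1" Version="2.0" IssueInstant="2023-01-01T00:00:00Z">
  <Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</Issuer>
  <Subject><NameID>jane.doe@example.com</NameID></Subject>
  <AttributeStatement>
    <Attribute Name="FirstName"><AttributeValue>Jane</AttributeValue></Attribute>
    <Attribute Name="LastName"><AttributeValue>Doe</AttributeValue></Attribute>
    <Attribute Name="Email"><AttributeValue>jane.doe@example.com</AttributeValue></Attribute>
  </AttributeStatement>
</Assertion>"""

BAD_ASSERTION = f"""<Assertion xmlns="{SAML2}" ID="_a2" Version="2.0" IssueInstant="2023-01-01T00:00:00Z">
  <Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</Issuer>
  <Subject><NameID>jane.doe@example.com</NameID></Subject>
  <AttributeStatement>
    <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"><AttributeValue>Jane</AttributeValue></Attribute>
    <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"><AttributeValue>Doe</AttributeValue></Attribute>
    <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"><AttributeValue>jane.doe@example.com</AttributeValue></Attribute>
  </AttributeStatement>
</Assertion>"""

if __name__ == "__main__":
    print(normalize_cert(SAMPLE_CERT_DOWNLOAD))
    print("good assertion:", check_assertion_claims(GOOD_ASSERTION) or "OK")
    print("bad assertion:", check_assertion_claims(BAD_ASSERTION))
    print("config:", check_config_values("https://sts.windows.net/0000 ", "https://login.microsoftonline.com/0000/saml2",
                                         "https://login.microsoftonline.com/0000/saml2", "Email.") or "OK")
```

To use it against your own tenant, replace the constructed samples with the real certificate file contents and the Base64-decoded SAMLResponse from a browser SAML trace; an empty problem list from all three checks means the values match what this article asks for, and a non-empty one names the step to revisit.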