Red Canary supports single sign-on (SSO) to any SAML-compliant identity provider. Duo is a commonly used identity provider that you can use to control access to Red Canary.
Setting up single sign-on to Duo
To configure Red Canary to use Duo as your SSOprovider:
- Go to your Duo Admin dashboard, click Applications, then Protect an Application.
- Type "service provider" into the search bar and click Protect this Application under SAML - Service Provider.
- Set Service provider name to Red Canary.
- Set Entity ID to the value listed in the Red Canary SSO configuration's Entity / Issuer value.
- Set Assertion Consumer Service to https://<your_domain>.my.redcanary.co/saml_sp/consume
- Set Service Provider Login URL to https://<your_domain>.my.redcanary.co/users/sign_in
- Set Single Logout URL to
- Set NameID Format to urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
- Set NameID Attribute to mail.
- Set SendAttributes to all.
- Ensure Sign Resource and Sign Assertion are both checked.
- Map mail to Email.
- Save the configuration.
- Under the Settings section, set the application's user-visible Name to Red Canary.
- Finally, scroll to the top of the application and click Download your configuration file.
- Login to your Duo Access Gateway management interface and navigate to Applications.
- Upload the certificate file downloaded in the previous step into the Add Application Configuration file box and click Upload.
- After the configuration file has been uploaded scroll to the Metadata section of the page and click Download certificate. Keep this page open for the next step.
- In Red Canary, click your profile > Single Sign-On in the site navigation.
- Paste the certificate you downloaded in the previous step into the Identity Provider x509 Cert field.
- Set Identity Provider SSO Target URL to the SSO URL from your Duo Access Gateway metadata.
- Set Identity Provider SLO Target URL to the Logout URL from your Duo Access Gateway metadata.
- Set Identity Provider Entity ID to the Entity ID from your Duo Access Gateway metadata.
- Set Email Attribute to Email.
- Check This SSO configuration should be active.
- Click Save Configuration.
Your users should now see Red Canary in their Duo Application Launcher:
Setting up SAML can occasionally be problematic, so if you have any issues, submit a support case and we’ll jump on a call to debug with you (or check the troubleshooting guide).