Red Canary supports single sign-on (SSO) to any Security Assertion Markup Language (SAML)-compliant identity provider. Duo is a commonly used identity provider that you can use to control access to Red Canary.
Setting up single sign-on to Duo
- Go to your Duo Admin dashboard, click Applications, and then Protect an Application.
- Type "service provider" into the search bar and click Protect this Application under SAML - Service Provider.
- Set Service provider name to Red Canary.
- Set Entity ID to the value listed in the Red Canary SSO configuration's Entity / Issuer value.
- Set Assertion Consumer Service to https://<your_domain>.my.redcanary.co/saml_sp/consume
- Set Service Provider Login URL to https://<your_domain>.my.redcanary.co/users/sign_in
- Set Single Logout URL to
- Set NameID Format to urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
- Set NameID Attribute to mail.
- Set SendAttributes to all.
- Ensure Sign Resource and Sign Assertion are both checked.
- Map mail to Email.
- Save the configuration.
- Under the Settings section, set the application's user-visible Name to Red Canary.
- Finally, scroll to the top of the application and click Download your configuration file.
- Login to your Duo Access Gateway management interface and navigate to Applications.
- Upload the certificate file downloaded in the previous step into the Add Application Configuration file box and click Upload.
- After the configuration file has been uploaded scroll to the Metadata section of the page and click Download certificate. Keep this page open for the next step.
- Click your user icon at the top right of your Red Canary, and then click Single Sign-On.
- Paste the certificate you downloaded in the previous step into the Identity Provider x509 Cert (Base64 encoded) field.
- Set Identity Provider SSO Target URL to the SSO URL from your Duo Access Gateway metadata.
- Set Identity Provider SLO Target URL to the Logout URL from your Duo Access Gateway metadata.
- Set Identity Provider Entity ID to the Entity ID from your Duo Access Gateway metadata.
- Set Email Attribute to Email.
- Check This SSO configuration should be active.
- Click Save.
Your users should now see Red Canary in their Duo Application Launcher: