Red Canary supports single sign-on (SSO) to any SAML-compliant identity provider. Duo is a commonly used identity provider that you can use to control access to Red Canary.

Setting up single sign-on to Duo

To configure Red Canary to use Duo as your SSOprovider:

1. Go to your Duo Admin dashboard, click Applications, then Protect an Application.
   
   
2. Type "service provider" into the search bar and click Protect this Application under SAML - Service Provider.
3. Set Service provider name to Red Canary.
4. Set Entity ID to the value listed in the Red Canary SSO configuration's Entity / Issuer value.
5. Set Assertion Consumer Service to https://<your_domain>.my.redcanary.co/saml_sp/consume
6. Set Service Provider Login URL to https://<your_domain>.my.redcanary.co/users/sign_in
7. Set Single Logout URL to
   https://<your_domain>.my.redcanary.co/users/logout
8. Set NameID Format to urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress 
9. Set NameID Attribute to mail.
10. Set SendAttributes to all.
11. Ensure Sign Resource and Sign Assertion are both checked.
12. Map mail to Email.
    
    
13. Save the configuration.
14. Under the Settings section, set the application's user-visible Name to Red Canary.
15. Finally, scroll to the top of the application and click Download your configuration file.
16. Login to your Duo Access Gateway management interface and navigate to Applications.
17. Upload the certificate file downloaded in the previous step into the Add Application Configuration file box and click Upload.
    
    
18. After the configuration file has been uploaded scroll to the Metadata section of the page and click Download certificate. Keep this page open for the next step.
    
19. In Red Canary, click your profile > Single Sign-On in the site navigation.
20. Paste the certificate you downloaded in the previous step into the Identity Provider x509 Cert field.
21. Set Identity Provider SSO Target URL to the SSO URL from your Duo Access Gateway metadata.
22. Set Identity Provider SLO Target URL to the Logout URL from your Duo Access Gateway metadata.
23. Set Identity Provider Entity ID to the Entity ID from your Duo Access Gateway metadata.
24. Set Email Attribute to Email.
25. Check This SSO configuration should be active.
26. Click Save Configuration.

Your users should now see Red Canary in their Duo Application Launcher:

Setting up SAML can occasionally be problematic, so if you have any issues, submit a support case and we’ll jump on a call to debug with you (or check the troubleshooting guide).