Overview of Single Sign-On
    • 17 Jul 2025


    To enhance the security of your organization's Red Canary account, we recommend implementing a Single Sign-On (SSO) provider for user login authentication. While Red Canary is compatible with most Security Assertion Markup Language (SAML)-compliant identity providers, we offer detailed setup instructions for the following providers:

    FAQs

    What SAML attributes does Red Canary support?

    • FirstName

    • LastName

    • email

    How does SSO impact API usage?

    SSO authentication does not affect API usage since API authentication is handled by an API token.

    How do I log in after disabling SSO?

    If you previously logged in via SSO and then disable SSO (either permanently or temporarily), you can still log in with that account using a username and password. To set your password for the first time, click the Forgot link on the login page.

    Troubleshooting

    You can use audit logs to troubleshoot configuration failures and unexpected responses from your SSO provider or Red Canary:

    1. Click your user icon at the top right of your Red Canary platform, and then click Audit logs.

    2. Click the Filter for audit logs dropdown and choose SSO Login Failure.

      Note: You can also choose Learn more about filtering for audit logs, then select SSO Login Failure.

    Problem: Mismatched Email Attributes

    SAML response was missing email_attribute=[user.mail], had attributes=[["http://schemas.microsoft.com/identity/claims/tenantid", "http://schemas.microsoft.com/identity/claims/objectidentifier", "http://schemas.microsoft.com/identity/claims/identityprovider", "http://schemas.microsoft.com/claims/authnmethodsreferences", "LastName", "FirstName", "Email"]] and name_id=email@company.com

    If you see this, your SSO provider sent the incorrect email attribute to Red Canary. In this example, Red Canary was expecting user.mail (set in your Red Canary SSO configuration), but your SSO provider sent Email.

    To resolve this, change the Email Attribute to Email.

    Problem: Incorrect Audience URI / SP Entity IDs

    SAML response had errors [["Invalid Audience. The audience https://my.redcanary.co/, did not match the expected audience https://my.redcanary.co"]]

    If you see this, the Audience URI / SP Entity ID configured in your SSO provider does not exactly match the value Red Canary expects.

    To resolve this, remove the extra forward slash at the end of the domain in your SSO provider.

    Problem: Successful SSO Logins with Missing Roles

    User has no roles on this domain and SSO auto-granting of roles is disabled

    If you see this and new users can’t sign in, SSO is working properly, but the user has not been granted roles to access the Red Canary subdomain.

    To resolve this, either turn on user provisioning (check Automatically create a Red Canary user the first time a user is authenticated and one or more roles) or manually grant the users the roles they should have:

    1. Click your user icon at the top right of your Red Canary platform.

    2. Click Users & Roles.
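
    A small triage helper for the three SSO Login Failure messages shown above, added here as an example (it is not Red Canary's code). It assumes audit-log messages follow the formats quoted on this page; the function name diagnose and the keys it returns are made up for illustration.

```python
import re

# The three audit-log messages quoted in the Troubleshooting section above.
SAMPLES = [
    'SAML response was missing email_attribute=[user.mail], had attributes=[["http://schemas.microsoft.com/identity/claims/tenantid", "http://schemas.microsoft.com/identity/claims/objectidentifier", "http://schemas.microsoft.com/identity/claims/identityprovider", "http://schemas.microsoft.com/claims/authnmethodsreferences", "LastName", "FirstName", "Email"]] and name_id=email@company.com',
    'SAML response had errors [["Invalid Audience. The audience https://my.redcanary.co/, did not match the expected audience https://my.redcanary.co"]]',
    'User has no roles on this domain and SSO auto-granting of roles is disabled',
]

# Assumption: real messages follow the formats of the samples above.
EMAIL_RE = re.compile(r'missing email_attribute=\[(.+?)\], had attributes=\[\[(.*?)\]\]')
AUDIENCE_RE = re.compile(r'The audience (\S+), did not match the expected audience ([^\s"\]]+)')

def diagnose(message):
    """Map one SSO Login Failure message to a problem and the fix given on this page."""
    m = EMAIL_RE.search(message)
    if m:
        received = re.findall(r'"([^"]+)"', m.group(2))
        # Candidate = a received attribute whose final path segment mentions "mail".
        likely = [a for a in received if "mail" in a.rsplit("/", 1)[-1].lower()]
        return {"problem": "email_attribute_mismatch", "expected": m.group(1),
                "received": received, "suggested": likely[0] if likely else None,
                "fix": "Set the Email Attribute to the name the SSO provider sends."}
    m = AUDIENCE_RE.search(message)
    if m:
        got, want = m.groups()
        # The comparison is exact, so a lone trailing slash is enough to fail.
        slash_only = got != want and got.rstrip("/") == want.rstrip("/")
        return {"problem": "audience_mismatch", "got": got, "expected": want,
                "cause": "trailing_slash" if slash_only else "different_value",
                "fix": "Make the Audience URI / SP Entity ID match exactly."}
    if "has no roles on this domain" in message:
        return {"problem": "missing_roles",
                "fix": "Turn on user provisioning or grant roles in Users & Roles."}
    return {"problem": "unrecognized", "fix": None}

if __name__ == "__main__":
    for sample in SAMPLES:
        result = diagnose(sample)
        print(result["problem"], "->", result["fix"])
```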

