Overview of Single Sign-On
- Updated on 17 Jul 2025
To enhance the security of your organization's Red Canary account, we recommend implementing a Single Sign-On (SSO) provider for user login authentication. While Red Canary is compatible with most Security Assertion Markup Language (SAML)-compliant identity providers, we offer detailed setup instructions for the following providers:
FAQs
What SAML attributes does Red Canary support?
FirstName
LastName
email
How does SSO impact API usage?
SSO authentication does not affect API usage since API authentication is handled by an API token.
How do I log in after disabling SSO?
If you previously logged in via SSO and then disable SSO (either permanently or temporarily), you can still log in with that account using a username and password. To set your password for the first time, click the Forgot link on the login page.
Troubleshooting
You can use audit logs to troubleshoot configuration failures and unexpected responses from your SSO provider or Red Canary:
Click your user icon at the top right of your Red Canary platform, and then click Audit logs.
Click the Filter for audit logs dropdown and choose SSO Login Failure.
Note: You can also choose Learn more about filtering for audit logs, then select SSO Login Failure.
Problem: Mismatched Email Attributes
SAML response was missing email_attribute=[user.mail], had attributes=[["http://schemas.microsoft.com/identity/claims/tenantid", "http://schemas.microsoft.com/identity/claims/objectidentifier", "http://schemas.microsoft.com/identity/claims/identityprovider", "http://schemas.microsoft.com/claims/authnmethodsreferences", "LastName", "FirstName", "Email"]] and name_id=email@company.com
If you see this, your SSO provider sent the incorrect email attribute to Red Canary. In this example, Red Canary was expecting user.mail (set in your Red Canary SSO configuration), but your SSO provider sent Email.
To resolve this, change the Email Attribute to Email.
Problem: Incorrect Audience URI / SP Entity IDs
SAML response had errors [["Invalid Audience. The audience https://my.redcanary.co/, did not match the expected audience https://my.redcanary.co"]]
If you see this, the Audience URI / SP Entity ID configured in your SSO provider does not exactly match the value Red Canary expects.
To resolve this, remove the extra forward slash at the end of the domain in your SSO provider.
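The following is an added example, not Red Canary code: a small triage helper that reads an SSO Login Failure message copied from the audit log and reports which of the problems in this section it matches, including the missing-roles message covered next. The sample messages are constructed in the shape of the ones shown on this page, and the function name and hint wording are assumptions.

```python
import ast
import re

# Constructed samples in the shape of the audit log messages shown on this page.
EMAIL_MSG = ('SAML response was missing email_attribute=[user.mail], had attributes='
             '[["http://schemas.microsoft.com/identity/claims/tenantid", "LastName", '
             '"FirstName", "Email"]] and name_id=email@company.com')
AUDIENCE_MSG = ('SAML response had errors [["Invalid Audience. The audience '
                'https://my.redcanary.co/, did not match the expected audience '
                'https://my.redcanary.co"]]')
ROLES_MSG = 'User has no roles on this domain and SSO auto-granting of roles is disabled'

EMAIL_RE = re.compile(r'missing email_attribute=\[([^\]]+)\], had attributes=(\[\[.*?\]\])')
AUDIENCE_RE = re.compile(
    r'The audience (\S+), did not match the expected audience ([^"\]\s]+)')


def diagnose(message):
    """Map one SSO Login Failure message to (problem, hint). Hypothetical helper."""
    m = EMAIL_RE.search(message)
    if m:
        expected = m.group(1)
        # literal_eval only parses literals, so it is safe on pasted log text.
        sent = ast.literal_eval(m.group(2))[0]  # attribute names the IdP sent
        # Likely replacements: sent names whose last path segment mentions "mail".
        likely = [a for a in sent if 'mail' in a.rsplit('/', 1)[-1].lower()]
        return ('email_attribute',
                f'expected {expected!r}; IdP sent {likely or sent}')
    m = AUDIENCE_RE.search(message)
    if m:
        sent, expected = m.groups()
        if sent.rstrip('/') == expected.rstrip('/'):
            why = 'differs only by a trailing slash'
        elif sent.lower() == expected.lower():
            why = 'differs only by letter case'
        else:
            why = 'is a different value'
        return ('audience', f'IdP audience {sent!r} {why} from {expected!r}')
    if 'has no roles on this domain' in message:
        return ('missing_roles', 'SSO succeeded; grant roles or enable provisioning')
    return ('unrecognized', message)


if __name__ == '__main__':
    for msg in (EMAIL_MSG, AUDIENCE_MSG, ROLES_MSG):
        print(diagnose(msg))
```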
Problem: Successful SSO Logins with Missing Roles
User has no roles on this domain and SSO auto-granting of roles is disabled
If you see this and new users can’t sign in, SSO is working properly, but the user has not been granted roles to access the Red Canary subdomain.
To resolve this, either turn on user provisioning (check Automatically create a Red Canary user the first time a user is authenticated and one or more roles) or manually grant the users the roles they should have:
Click your user icon at the top right of your Red Canary platform.
Click Users & Roles.