Set Up Single Sign-on
    • 30 Jul 2024


    Using a single sign-on (SSO) provider is one of the best ways to improve the security of your Red Canary user accounts. Red Canary supports Security Assertion Markup Language (SAML) identity providers for single sign-on.

    You can configure Red Canary to use your identity provider for user logins.

    1. Click your user icon at the top right of your Red Canary, and then click Single Sign-On.

    2. Follow the setup instructions for your identity provider.

    3. Click Save.

    Mandate single sign-on for users

    You can require all users to log in using single sign-on and disable username/password logins. 

    Ensure your SSO configuration is active and tested before enabling this feature. After making this change, if your identity provider stops working, you will need to submit a Red Canary support case so we can administratively disable this requirement.

    1. Click your user icon at the top right of your Red Canary, and then click Single Sign-On.

    2. Under Authentication Methods, check Disable username / password login and require login via Single Sign On.

    3. Click Save.

    Automatically create Red Canary accounts for new users

    You can configure Red Canary to automatically provision new users when they sign in for the first time via single sign-on.

    Ensure you have configured your identity provider to only allow the appropriate users access to Red Canary before enabling this option.

    To automatically create Red Canary accounts when users sign in via single sign-on...

    1. Click your user icon at the top right of your Red Canary, and then click Single Sign-On.

    2. Under User Provisioning, check Automatically create a Red Canary user the first time a user is authenticated.

    3. Choose which role(s) you would like granted to users that are automatically created via single sign-on.

    4. Click Save.

    To re-grant these roles to users when they log in via single sign-on...

    1. Click your user icon at the top right of your Red Canary, and then click Single Sign-On.

    2. Select Grant these roles on EVERY sign in.

    3. Click Save.

    What SAML attributes does Red Canary support?

    • FirstName

    • LastName

    • email

    How can I troubleshoot single sign-on failures?

    You can use audit logs to troubleshoot configuration failures and unexpected responses from your identity provider or Red Canary.

    To view single sign-on audit logs to troubleshoot failures...

    1. Click your user icon at the top right of your Red Canary, and then click Audit logs.

    2. Click the Filter for audit logs dropdown and choose SSO Login Failure.

      Note: You can also choose Learn more about filtering for audit logs, and select SSO Login Failure.

    Common failure examples and how to resolve them

    Mismatched email attributes

    SAML response was missing email_attribute=[user.mail], had attributes=[["http://schemas.microsoft.com/identity/claims/tenantid", "http://schemas.microsoft.com/identity/claims/objectidentifier", "http://schemas.microsoft.com/identity/claims/identityprovider", "http://schemas.microsoft.com/claims/authnmethodsreferences", "LastName", "FirstName", "Email"]] and name_id=email@company.com

    If you see this, your Identity Provider sent the incorrect email attribute to Red Canary. In this example, Red Canary was expecting user.mail (set in your Red Canary single sign-on configuration), but your Identity Provider sent Email. 

    To resolve this, change the Email Attribute to Email.

    Incorrect Audience URI / SP Entity IDs

    SAML response had errors [["Invalid Audience. The audience https://my.redcanary.co/, did not match the expected audience https://my.redcanary.co"]]

    If you see this, the Audience URI / SP Entity ID configured in your Identity Provider must match the value Red Canary expects exactly, character for character.

    To resolve this, remove the extra forward slash at the end of the domain in your Identity Provider.
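    The two failures above (the email attribute name not matching the one configured in Red Canary, and an Audience URI that differs only by a trailing slash) are both things you can catch before users hit them by inspecting the SAML response your identity provider actually sends. The following is an added example, not Red Canary's own code or a Red Canary API: it parses a constructed, minimal SAML 2.0 response, pulls out the NameID, the Audience and the attribute names (the FirstName / LastName / email set listed above), and compares them against an assumed expected audience and email attribute, reporting mismatches in the same shape as the audit log messages quoted above. The sample response, the expected audience and the attribute names are all constructed for illustration.

```python
"""Pre-flight check of a SAML response against SP settings (added example, not Red Canary code)."""
import xml.etree.ElementTree as ET

# SAML 2.0 namespaces used by the assertion and protocol elements.
NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}

# Constructed sample response that reproduces both failure modes from the article:
# the IdP emits an "Email" attribute (while the SP expects "user.mail") and an
# Audience with a trailing slash. Values are made up, not captured from a real IdP.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:Subject>
      <saml:NameID>email@company.com</saml:NameID>
    </saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction>
        <saml:Audience>https://my.redcanary.co/</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="FirstName"><saml:AttributeValue>Ada</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="LastName"><saml:AttributeValue>Lovelace</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="Email"><saml:AttributeValue>email@company.com</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
"""


def parse_response(xml_text):
    """Extract NameID, audiences and attributes from a SAML response (unsigned demo parsing)."""
    root = ET.fromstring(xml_text)
    name_id = root.findtext(".//saml:Subject/saml:NameID", default="", namespaces=NS)
    audiences = [a.text or "" for a in root.findall(".//saml:Audience", NS)]
    attributes = {}
    for attr in root.findall(".//saml:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        attributes[attr.get("Name")] = values
    return {"name_id": name_id, "audiences": audiences, "attributes": attributes}


def check_response(xml_text, expected_audience, email_attribute):
    """Return a list of error strings; an empty list means audience and email attribute line up."""
    parsed = parse_response(xml_text)
    errors = []
    # Audience must match exactly: "https://host/" and "https://host" are different strings.
    for aud in parsed["audiences"]:
        if aud != expected_audience:
            errors.append(
                f"Invalid Audience. The audience {aud}, did not match the expected audience {expected_audience}"
            )
    # The attribute name the SP is configured to read must be present by that exact name.
    if email_attribute not in parsed["attributes"]:
        errors.append(
            f"SAML response was missing email_attribute=[{email_attribute}], "
            f"had attributes={sorted(parsed['attributes'])} and name_id={parsed['name_id']}"
        )
    return errors


if __name__ == "__main__":
    # Misconfigured: SP expects "user.mail" and an audience without the trailing slash.
    for err in check_response(SAMPLE_RESPONSE, "https://my.redcanary.co", "user.mail"):
        print("FAIL:", err)
    # Fixed: trailing slash removed at the IdP and Email Attribute set to "Email".
    fixed = SAMPLE_RESPONSE.replace("co/<", "co<")
    print("after fix:", check_response(fixed, "https://my.redcanary.co", "Email"))
```

The checker only inspects the assertion's contents; it deliberately does not verify the XML signature, so use it to diagnose configuration mismatches, not as a substitute for the signature validation the real service provider performs.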

    Successful SSO logins with missing roles

    User has no roles on this domain and SSO auto-granting of roles is disabled

    If you see this and new users can’t sign in, single sign-on is working properly but the user has not been granted roles to access the Red Canary subdomain.

    To resolve this, either turn on user provisioning (check Automatically create a Red Canary user the first time a user is authenticated and choose one or more roles) or manually grant the users the roles they should have via your profile > Users & Roles.

    How does single sign-on affect API usage?

    Single sign-on authentication does not affect API usage since API authentication is handled by an API token.

    How do I log in after disabling single sign-on?

    If you previously logged in via single sign-on and then disable single sign-on (either permanently or temporarily), you can still log in with that account using a username and password. To set your password for the first time, click the Forgot link on the login page.
