Login
      Contents x
      Set Up Single Sign-on
      • 30 Jul 2024
      • 3 Minutes to read
      • PDF
      Contents

      Set Up Single Sign-on

      • Updated on 30 Jul 2024
      • 3 Minutes to read
      • PDF
      Article summary

      Using a single sign-on (SSO) provider is one of the best ways to improve the security of your Red Canary users. Red Canary supports Security Assertion Markup Language (SAML) identity providers for single sign-on.

      You can configure Red Canary to use your identity provider for user logins.

      1. Click your user icon at the top right of your Red Canary, and then click Single Sign-On.

      2. Follow the setup instructions for your identity provider.

      3. Click Save.

      Mandate single sign-on for users

      You can require all users to log in using single sign-on and disable username/password logins. 

      Ensure your SSO configuration is active and tested before enabling this feature. After making this change, if your identity provider stops working, you will need to submit a Red Canary support case so we can administratively disable this requirement.

      1. Click your user icon at the top right of your Red Canary, and then click Single Sign-On.

      2. Under Authentication Methods, check Disable username / password login and require login via Single Sign On.

      3. Click Save.

      Automatically create Red Canary accounts for new users

      You can configure Red Canary to automatically provision new users when they sign in for the first time via single sign-on.

      Ensure you have configured your identity provider to only allow the appropriate users access to Red Canary before enabling this option.

      To automatically create Red Canary accounts when users sign in via single sign-on...

      1. Click your user icon at the top right of your Red Canary, and then click Single Sign-On.

      2. Under User Provisioning, check Automatically create a Red Canary user the first time a user is authenticated.

      3. Choose which role(s) you would like granted to users that are automatically created via single sign-on.

      4. Click Save.

      To re-grant these roles to users when they log in via single sign-on...

      1. Click your user icon at the top right of your Red Canary, and then click Single Sign-On.

      2. Select Grant these roles on EVERY sign in.

      3. Click Save.

      What SAML attributes does Red Canary support?

      • FirstName

      • LastName

      • email

      How can I troubleshoot single sign-on failures?

      You can use audit logs to troubleshoot configuration failures and unexpected responses from your identity provider or Red Canary.

      To view single sign-on audit logs to troubleshoot failures...

      1. Click your user icon at the top right of your Red Canary, and then click Audit logs.

      2. Click the Filter for audit logs dropdown and choose SSO Login Failure.

        Note: You can also choose Learn more about filtering for audit logs, and select SSO Login Failure.

      Common failure examples and how to resolve them

      Mismatched email attributes

      SAML response was missing email_attribute=[user.mail], had attributes=[["http://schemas.microsoft.com/identity/claims/tenantid", "http://schemas.microsoft.com/identity/claims/objectidentifier", "http://schemas.microsoft.com/identity/claims/identityprovider", "http://schemas.microsoft.com/claims/authnmethodsreferences", "LastName", "FirstName", "Email"]] and name_id=email@company.com

      If you see this, your Identity Provider sent the incorrect email attribute to Red Canary. In this example, Red Canary was expecting user.mail (set in your Red Canary single sign-on configuration), but your Identity Provider sent Email. 

      To resolve this, change the Email Attribute to Email.

      Incorrect Audience URI / SP Entity IDs

      SAML response had errors [["Invalid Audience. The audience https://my.redcanary.co/, did not match the expected audience https://my.redcanary.co"]]

      If you see this, your Identity Provider’s Audience URI / SP Entity ID must match Red Canary exactly. 

      To resolve this, remove the extra forward slash at the end of the domain in your Identity Provider.

      Successful SSO logins with missing roles

      User has no roles on this domain and SSO auto-granting of roles is disabled

      If you see this and new users can’t sign in, single sign-on is working properly but the user has not been granted roles to access the Red Canary subdomain.

      To resolve this, either turn on user provisioning (check Automatically create a Red Canary user the first time a user is authenticated and one or more roles) or manually grant the users the roles they should have via your profile > Users & Roles.

      How does single sign-on affect API usage?

      Single sign-on authentication does not affect API usage since API authentication is handled by an API token.

      How do I log in after disabling single sign-on?

      If you previously logged in via single sign-on and then disable single sign-on (either permanently or temporarily), you can still log in with that account using a username and password. To set your password for the first time, click the Forgot link on the login page.

      Was this article helpful?
      What's Next
      PRODUCTS
      USE RED CANARY
      SUPPORT
      Change password!
      Changing your password will log you out immediately. Use the new password to log back in.
      Change profile
      Success!
      First name must have atleast 2 characters. Numbers and special characters are not allowed.
      Last name must have atleast 1 characters. Numbers and special characters are not allowed.
      Enter a valid email
      Enter a valid password
      Your profile has been successfully updated.
      Logout