Set Up SSO with Ping Identity

Enhance your organization's security and streamline user access by enabling single sign-on (SSO) with Ping Identity. This article will walk you through the complete setup process, where you’ll configure settings in both Ping Identity and Red Canary. If you have questions or are new to SSO, see our Overview of Single Sign-On.

1 Red Canary | Configure SSO Settings

1. Navigate to Red Canary, then click your user profile in the top right corner.

2. Click Single Sign-On.
   

3. Enable the following settings:

   • This SSO configuration should be active
     This setting activates the SSO setup, after you complete the configuration and click Save at the bottom.

   • Automatically create a Red Canary user the first time a user is authenticated
     This setting automatically provisions a Red Canary account when a new user logs in with SSO. As an optional configuration, you can assign default roles to new users. Select one of the following roles to apply automatically:

     • Admin

     • Workflow User

     • Analyst

     • Analyst Viewer

     • Applications Manager

     • EDR User

     • Responder

     For a full description of each role's permissions, see Understand and Assign Roles.
     To reset a user's permissions to the selected default every time they sign in, check the Grant these roles on EVERY sign in box. This will override any manual role changes made previously. This is useful for enforcing a "least privilege" baseline, where you can manually grant temporary high-level access that will be automatically revoked on the next login.
     

You’ll finish configuring these settings in a later step.

2 Ping Identity | Create a Red Canary App

1. Log in to your Ping Identity console.

2. Go to the Applications tab and create an application.

3. Name the app “Red Canary.”

4. Select SAML Application.

5. Click Configure.
   

6. Select Manually enter.

7. In the ACS URLs field, enter https://mysubdomain.my.redcanary.co/saml_sp/consume

   Note

   Remember to replace mysubdomain with your actual subdomain.

8. For the Entity ID field, navigate to your Red Canary SSO settings page, copy the Entity / Issuer value, and paste it in the Entity ID field.

9. Click Save.
   

10. In the Attribute Mappings tab, add a new attribute:

    • Set Email to Email Address.

    • Click the Required box.
      

3 Ping Identity / Red Canary | Configure SSO Settings

1. On the Ping Identity Overview tab, click Download Signing Certificate.
   

2. Convert the signing certificate you downloaded to Base64 text and copy it.

3. Return to the Red Canary SSO settings page and paste the certificate into the Identity Provider X509 Cert (Base64 encoded) field.
   

4. Copy and paste the following fields from Ping Identity to Red Canary:

   • Copy Initiate Single Sign-On (SSO) URL and paste it to Identity Provider SSO Target URL.

   • Copy Single Logout Service and paste it to Identity Provider SLO Target URL.

   • Copy Issuer ID and paste it to Identity Provider Entity ID.
     

     

5. In Red Canary, in the Email Attribute field, enter “email.”
   

6. Click Save in both Red Canary and Ping Identity.

4 Red Canary | Require SSO for User Login

Once you’ve successfully tested your SSO setup, go to the Red Canary SSO settings page and check the box Disable user / password login and require login via Single Sign On. This will force SSO login for all user logins. Make sure to click Save to apply the change.