Set Up SSO with Microsoft Entra ID
- Updated on 02 Jul 2025
To set up single sign-on (SSO) with Microsoft Entra ID, follow the steps below. For frequently asked questions and troubleshooting, see our Overview of Single Sign-On.
1 Microsoft Entra ID | Create a Red Canary App
Log in to your Microsoft Entra ID admin center
Go to Entra ID > Enterprise apps > All applications
In the What's the name of your app? field, enter “Red Canary”, then click the Integrate any other application you don't find in the gallery (Non-gallery) radio button.
Once the new “Non-gallery” app has been created, you should be redirected to the application’s configuration overview page.
2 Microsoft Entra ID | Configure SSO Settings
In the Manage section of the left menu, click Single sign-on to open the Single sign-on pane for editing.
Click SAML to open the SSO configuration page.
In the Basic SAML Configuration section, click Edit.
Set Identifier to the Entity / Issuer value listed in the Red Canary SSO configuration. To find this value, log in to Red Canary and navigate to the Single Sign-On configuration page: click your User Icon (top right of the page) and select Single Sign-On.
Set Reply URL to https://<your-subdomain>.my.redcanary.co/saml_sp/consume, where <your-subdomain> is a placeholder for your Red Canary subdomain. The Basic SAML Configuration should look similar to this:
In the Attributes & Claims section, click Edit.
Note
You must provide the LastName, FirstName, and Email claims without any Namespace specified. You will need to delete all of the default Claim entries under the Additional Claims section. Then you must create the FirstName, LastName, and Email Claims.
Set LastName = user.surname
Set FirstName = user.givenname
Set Email = user.mail
Set Unique User Identifier = user.mail
The finalized Attribute & Claims section should look like this:
Note
Ensure that the email value is populated in the user.mail attribute of your User Profile in Entra. If not, you will need to map to the correct attribute containing the user's email address.
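To check the claim mapping from step 2 before you test a login, the following added example (not Red Canary's or Microsoft's code) inspects a decoded SAML assertion for the three un-namespaced claims and for a NameID that matches Email. It assumes you have captured the SAML response from a test sign-in and Base64-decoded it yourself; the function names and sample assertions are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
REQUIRED = ("FirstName", "LastName", "Email")
CLAIMS_NS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims"

def check_claims(assertion_xml):
    """Return a list of problems in a decoded SAML assertion (empty list = OK)."""
    # Only parse assertions captured from your own tenant's test sign-in.
    root = ET.fromstring(assertion_xml)
    claims = {}
    for attr in root.iterfind(".//saml:Attribute", NS):
        value = attr.findtext("saml:AttributeValue", default="", namespaces=NS)
        claims[attr.get("Name", "")] = value.strip()
    problems = []
    for want in REQUIRED:
        if want in claims:
            if not claims[want]:
                problems.append(f"{want} is empty; check the source attribute in Entra")
            continue
        # A claim saved with a Namespace is emitted as "<namespace>/<name>".
        namespaced = [n for n in claims if n.lower().endswith("/" + want.lower())]
        if namespaced:
            problems.append(f"{want} is namespaced as {namespaced[0]}")
        else:
            problems.append(f"{want} claim is missing")
    name_id = root.findtext(".//saml:Subject/saml:NameID", default="", namespaces=NS).strip()
    if claims.get("Email") and name_id != claims["Email"]:
        problems.append("NameID does not match Email (both should map to user.mail)")
    return problems

def sample(attrs, name_id):
    """Build a constructed assertion for testing; not a real Entra response."""
    body = "".join(
        f'<saml:Attribute Name="{n}"><saml:AttributeValue>{v}</saml:AttributeValue></saml:Attribute>'
        for n, v in attrs.items())
    return (f'<saml:Assertion xmlns:saml="{NS["saml"]}"><saml:Subject>'
            f'<saml:NameID>{name_id}</saml:NameID></saml:Subject>'
            f'<saml:AttributeStatement>{body}</saml:AttributeStatement></saml:Assertion>')

# Constructed inputs: one correct mapping, one with a default and a namespaced claim.
GOOD = sample({"FirstName": "Ada", "LastName": "Lovelace", "Email": "ada@example.com"}, "ada@example.com")
BAD = sample({"FirstName": "Ada", f"{CLAIMS_NS}/surname": "Lovelace", f"{CLAIMS_NS}/Email": "ada@example.com"}, "ada@example.com")

if __name__ == "__main__":
    for label, xml in (("good", GOOD), ("bad", BAD)):
        print(label, check_claims(xml) or "OK")
```

Other attributes in the assertion are ignored, so extra claims do not cause a false alarm.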
3 Microsoft Entra ID | Download the SAML Signing Certificate
In the SAML Signing Certificate section, click the Download link next to Certificate (Base64) to download the certificate and save it on your computer.
Convert it to Base64-encoded text and copy it. You’ll need this in the next step.
Pro Tip: We recommend you first paste the line into a text editor (like Notepad on Windows or TextEdit on Mac), and then copy it again for the next step.
4 Red Canary | Configure SSO in Red Canary
Click your user icon at the top right of your Red Canary, and then click Single Sign-On.
In the Authentication Methods section, configure the following settings and check the This SSO configuration should be active box.
Caution
DO NOT enable the Disable username / password login and require login via Single Sign On setting until you’ve tested your SSO setup. If you enable it beforehand and your identity provider stops working, you’ll need to submit a Red Canary support case so we can administratively disable the setting.
(Optional) Under User Provisioning, check the Automatically create a Red Canary user the first time a user is authenticated box. This setting automatically provisions a Red Canary account when a new user logs in with SSO. To automatically provision a default role to new users:
Admin
Workflow User
Analyst
Analyst Viewer
Applications Manager
EDR User
Responder
If you’d like to re-grant the roles upon every user login, check the Grant these roles on EVERY sign in box. Learn more about Red Canary User Roles.
Note
Before enabling this option, make sure you’ve configured Entra to only allow the appropriate users access to Red Canary.
In the Identity Provider X509 Cert field, paste the text you downloaded previously from your Entra SSO configuration page.
In the Identity Provider SSO Target URL field, copy the Login URL from your Entra SSO configuration page and paste it.
From your Entra SSO configuration page, copy the Logout URL and paste it into the Identity Provider SLO Target URL field. Make sure to keep the trailing forward slash at the end of the URL (example.com/) and that there are no extra spaces after the slash.
From your Entra SSO configuration page, copy the Microsoft Entra Identifier and paste it into the Identity Provider Entity ID field.
In the Email Attribute field, enter “Email”. Make sure there are no periods or whitespaces after the text.
Click Save.