Set Up SSO with Microsoft Entra ID
    • 02 Jul 2025

    To set up single sign-on (SSO) with Microsoft Entra ID, follow the steps below. For frequently asked questions and troubleshooting, see our Overview of Single Sign-On.

    1 Microsoft Entra ID | Create a Red Canary App

    1. Log in to your Microsoft Entra ID admin center

    2. Go to Entra ID > Enterprise apps > All applications

    3. In the What's the name of your app? field, enter “Red Canary”, then click the Integrate any other application you don't find in the gallery (Non-gallery) radio button.

    4. Once the new “Non-gallery” app has been created, you should be redirected to the application’s configuration overview page.

    2 Microsoft Entra ID | Configure SSO Settings

    1. In the Manage section of the left menu, click Single sign-on to open the Single sign-on pane for editing.

    2. Click SAML to open the SSO configuration page.

    3. In the Basic SAML Configuration section, click Edit.

    4. Set Identifier to the Entity / Issuer value listed in the Red Canary SSO configuration. To find this value, log in to your Red Canary and navigate to the Single Sign-On configuration page: click your User Icon (top right of the page) and select Single Sign-On.

    5. Set Reply URL to https://.my.redcanary.co/saml_sp/consume. The Basic SAML Configuration should look similar to this:
      IdentifierEntity.png

    6. In the Attributes & Claims section, click Edit.

      Note

      You must provide the LastName, FirstName, and Email claims without any Namespace specified. You will need to delete all of the default Claim entries under the Additional Claims section. Then you must create the FirstName, LastName, and Email Claims.  

      • Set LastName = user.surname

      • Set FirstName = user.givenname

      • Set Email = user.mail

      • Set Unique User Identifier = user.mail

        The finalized Attribute & Claims section should look like this:
        AttributesAndClaims.png

        Note

        Ensure that the email value is populated in the user.mail attribute of your User Profile in Entra. If it is not, you will need to map to the correct attribute containing the user's email address.
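
To confirm the claim mapping above before relying on it, you can decode the SAML assertion from a test login and check it. The following is an added example, not Red Canary or Microsoft code: it reports required claims that are missing, empty, or sent with a namespace, default claims left in place, and a NameID that differs from Email. The default-claim prefix, the function names, and the sample values are assumptions made for the example.

```python
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"s": SAML}
REQUIRED = ("FirstName", "LastName", "Email")  # claim names from the note above
# Assumed prefix of Entra's default claim names, which the note says to delete.
DEFAULT_PREFIX = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"

def check_assertion(xml_text):
    """List claim problems in one decoded assertion (no signature check)."""
    root = ET.fromstring(xml_text)
    name_id = (root.findtext(".//s:Subject/s:NameID", "", NS) or "").strip()
    attrs = {a.get("Name", ""): (a.findtext("s:AttributeValue", "", NS) or "").strip()
             for a in root.iterfind(".//s:AttributeStatement/s:Attribute", NS)}
    problems = []
    for claim in REQUIRED:
        if attrs.get(claim):
            continue  # present, un-namespaced and non-empty
        namespaced = [n for n in attrs if n.endswith("/" + claim)]
        if namespaced:
            problems.append(f"{claim}: sent with a namespace as {namespaced[0]}")
        elif claim in attrs:
            problems.append(f"{claim}: present but empty")
        else:
            problems.append(f"{claim}: missing")
    for name in attrs:
        if name.startswith(DEFAULT_PREFIX):
            problems.append(f"default claim still present: {name}")
    # Unique User Identifier and Email are both mapped to user.mail.
    if attrs.get("Email") and name_id != attrs["Email"]:
        problems.append("NameID does not match Email")
    return problems

def build_sample(name_id, claims):
    """Constructed, unsigned assertion used only to exercise the checker."""
    rows = "".join(
        f'<Attribute Name="{n}"><AttributeValue>{v}</AttributeValue></Attribute>'
        for n, v in claims.items())
    return (f'<Assertion xmlns="{SAML}"><Subject><NameID>{name_id}</NameID>'
            f'</Subject><AttributeStatement>{rows}</AttributeStatement></Assertion>')

BAD = build_sample("jdoe@example.test", {
    DEFAULT_PREFIX + "givenname": "Jane",
    "http://example.test/claims/LastName": "Doe",
    "Email": "jane.doe@example.test"})
GOOD = build_sample("jane.doe@example.test", {
    "FirstName": "Jane", "LastName": "Doe", "Email": "jane.doe@example.test"})

if __name__ == "__main__":
    for label, doc in (("BAD", BAD), ("GOOD", GOOD)):
        print(label, check_assertion(doc) or "ok")
```
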

    3 Microsoft Entra ID | Download the SAML Signing Certificate

    1. In the SAML Signing Certificate section, click the Download link next to Certificate (Base64) to download the certificate and save it on your computer.

    2. Convert it to Base64-encoded text and copy it. You’ll need this in the next step.

      Pro Tip: We recommend you first paste the line into a text editor (like Notepad on Windows or TextEdit on Mac), and then copy it again for the next step.

    4 Red Canary | Configure SSO in Red Canary

    1. Click your user icon at the top right of your Red Canary, and then click Single Sign-On.

    2. In the Authentication Methods section, configure the following settings: check the This SSO configuration should be active box.

      Caution

      DO NOT enable the Disable username / password login and require login via Single Sign On setting until you’ve tested your SSO setup. If you enable it beforehand and your identity provider stops working, you’ll need to submit a Red Canary support case so we can administratively disable the setting.

    3. (Optional) Under User Provisioning, check the Automatically create a Red Canary user the first time a user is authenticated box. This setting automatically provisions a Red Canary account when a new user logs in with SSO. To automatically provision a default role to new users, select from the following roles:

      • Admin

      • Workflow User

      • Analyst

      • Analyst Viewer

      • Applications Manager

      • EDR User

      • Responder

      If you’d like to re-grant the roles upon every user login, check the Grant these roles on EVERY sign in box. Learn more about Red Canary User Roles.

      Note

      Before enabling this option, make sure you’ve configured Entra to only allow the appropriate users access to Red Canary.

    4. In the Identity Provider X509 Cert field, paste the text you downloaded previously from your Entra SSO configuration page.

    5. In the Identity Provider SSO Target URL field, copy the Login URL from your Entra SSO configuration page and paste it.

    6. From your Entra SSO configuration page, copy the Logout URL and paste it into the Identity Provider SLO Target URL field. Make sure to keep the trailing forward slash at the end of the URL (example.com/) and that there are no extra spaces after the slash.

    7. From your Entra SSO configuration page, copy the Microsoft Entra Identifier and paste it into the Identity Provider Entity ID field.

    8. In the Email Attribute field, enter “Email”. Make sure there are no periods or whitespace after the text.

    9. Click Save.

