Overview of Single Sign-On
    • 01 Jul 2025

    To enhance the security of your organization's Red Canary account, we recommend implementing a Single Sign-On (SSO) provider for user authentication. Requiring users to log in via SSO is a highly effective method for safeguarding your Red Canary data.

    While Red Canary is compatible with most Security Assertion Markup Language (SAML)-compliant identity providers, we offer detailed setup instructions for these popular providers:

    Require SSO Login for All Users

    Note

    Before enabling this setting, make sure your SSO setup is active and tested. If your identity provider stops working after you enable the setting, you’ll need to submit a Red Canary support case so we can administratively disable this requirement.

    You can configure Red Canary so that all users are required to log in using SSO:

    1. Click your user icon at the top right of your Red Canary, and then click Single Sign-On.

    2. Under Authentication Methods, check Disable username / password login and require login via Single Sign On.

    3. Click Save.

    Automatically Provision New Users via SSO Login

    Note

    Before enabling this option, make sure you’ve configured your identity provider to only allow the appropriate users access to Red Canary.

    You can configure Red Canary to automatically provision new Red Canary users upon first SSO login:

    • To automatically create Red Canary accounts when users sign in via SSO:

    1. Click your user icon at the top right of your Red Canary, and then click Single Sign-On.

    2. Under User Provisioning, check Automatically create a Red Canary user the first time a user is authenticated.

    3. Choose which role(s) you would like granted to users that are automatically created via SSO.

    4. Click Save.

    • To re-grant roles to users when they log in via SSO:

    1. Click your user icon at the top right of your Red Canary, and then click Single Sign-On.

    2. Select Grant these roles on EVERY sign in.

    3. Click Save.

    FAQs

    What SAML attributes does Red Canary support?

    • FirstName

    • LastName

    • email

    How does SSO impact API usage?

    SSO authentication does not affect API usage since API authentication is handled by an API token.

    How do I log in after disabling SSO?

    If you previously logged in via SSO and then disable SSO (either permanently or temporarily), you can still log in with that account using a username and password. To set your password for the first time, click the Forgot link on the login page.

    Troubleshooting

    You can use audit logs to troubleshoot configuration failures and unexpected responses from your identity provider or Red Canary:

    1. Click your user icon at the top right of your Red Canary, and then click Audit logs.

    2. Click the Filter for audit logs dropdown and choose SSO Login Failure.

      Note: You can also choose Learn more about filtering for audit logs, and select SSO Login Failure.

    Problem: Mismatched Email Attributes

    SAML response was missing email_attribute=[user.mail], had attributes=[["http://schemas.microsoft.com/identity/claims/tenantid", "http://schemas.microsoft.com/identity/claims/objectidentifier", "http://schemas.microsoft.com/identity/claims/identityprovider", "http://schemas.microsoft.com/claims/authnmethodsreferences", "LastName", "FirstName", "Email"]] and name_id=email@company.com

    If you see this, your Identity Provider sent the incorrect email attribute to Red Canary. In this example, Red Canary was expecting user.mail (set in your Red Canary SSO configuration), but your Identity Provider sent Email.

    To resolve this, change the Email Attribute to Email.

    Problem: Incorrect Audience URI / SP Entity IDs

    SAML response had errors [["Invalid Audience. The audience https://my.redcanary.co/, did not match the expected audience https://my.redcanary.co"]]

    If you see this, your Identity Provider’s Audience URI / SP Entity ID must match Red Canary exactly.

    To resolve this, remove the extra forward slash at the end of the domain in your Identity Provider.
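
    A pre-flight check for the two mismatches above, as an added example (not Red Canary code): it reads a decoded SAML assertion, such as one captured from a test login, and reports an audience or email-attribute mismatch before you require SSO for all users. The function name `preflight` and the sample assertion are constructed for illustration; the check inspects the audience and attribute names only and does not validate signatures.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (not real IdP output): it reproduces both
# failures quoted above, an attribute named "Email" and a trailing-slash audience.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>email@company.com</saml:NameID></saml:Subject>
  <saml:Conditions>
    <saml:AudienceRestriction>
      <saml:Audience>https://my.redcanary.co/</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="FirstName"><saml:AttributeValue>Ada</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="LastName"><saml:AttributeValue>Example</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="Email"><saml:AttributeValue>email@company.com</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

def preflight(assertion_xml, expected_audience, email_attribute):
    """Return a list of findings; an empty list means both checks passed."""
    root = ET.fromstring(assertion_xml)
    findings = []
    audiences = [a.text.strip() for a in root.iterfind(".//saml:Audience", NS) if a.text]
    if expected_audience not in audiences:
        # The audience must match exactly, so point out near misses explicitly.
        near = [a for a in audiences if a.rstrip("/") == expected_audience.rstrip("/")]
        hint = "trailing slash differs" if near else "no similar audience sent"
        findings.append(f"audience: expected {expected_audience!r}, got {audiences} ({hint})")
    names = [a.get("Name") for a in root.iterfind(".//saml:Attribute", NS)]
    if email_attribute not in names:
        # Suggest attributes whose value equals the NameID: likely the email claim.
        name_id = root.findtext(".//saml:NameID", default="", namespaces=NS).strip()
        candidates = [a.get("Name") for a in root.iterfind(".//saml:Attribute", NS)
                      if name_id and any((v.text or "").strip() == name_id for v in a)]
        findings.append(f"email attribute: {email_attribute!r} missing, sent {names}, "
                        f"candidates {candidates}")
    return findings

if __name__ == "__main__":
    # Expected audience and configured email attribute taken from the log examples above.
    for line in preflight(SAMPLE_ASSERTION, "https://my.redcanary.co", "user.mail"):
        print(line)
```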

    Problem: Successful SSO Logins with Missing Roles

    User has no roles on this domain and SSO auto-granting of roles is disabled

    If you see this and new users can’t sign in, SSO is working properly, but the user has not been granted roles to access the Red Canary subdomain.

    To resolve this, either turn on user provisioning (check Automatically create a Red Canary user the first time a user is authenticated and select one or more roles) or manually grant the users the roles they should have:

    1. Click your user icon at the top right of your Red Canary platform.

    2. Click Users & Roles.

