Set Up SSO with OneLogin

Enhance your organization's security and streamline user access by enabling single sign-on (SSO) with OneLogin. This article will walk you through the complete setup process, where you’ll configure settings in both OneLogin and Red Canary. If you have questions or are new to SSO,  see our Overview of Single Sign-On.

1 Red Canary | Configure SSO Settings

1. Navigate to Red Canary, then click your user profile in the top right corner.

2. Click Single Sign-On.
   

3. Enable the following settings:

   • This SSO configuration should be active
     This setting activates the SSO setup, after you complete the configuration and click Save at the bottom.

   • Automatically create a Red Canary user the first time a user is authenticated
     This setting automatically provisions a Red Canary account when a new user logs in with SSO. As an optional configuration, you can assign default roles to new users. Select one of the following roles to apply automatically:

     • Admin

     • Workflow User

     • Analyst

     • Analyst Viewer

     • Applications Manager

     • EDR User

     • Responder

     For a full description of each role's permissions, see Understand and Assign Roles.
     To reset a user's permissions to the selected default every time they sign in, check the Grant these roles on EVERY sign in box. This will override any manual role changes made previously. This is useful for enforcing a "least privilege" baseline, where you can manually grant temporary high-level access that will be automatically revoked on the next login.
     

You’ll finish configuring these settings in a later step.

2 OneLogin | Create a Red Canary App

1. Log in to your OneLogin portal.

2. Go to the Applications tab and click Add App.

3. Search for and select SAML Test Connector (IdP).
   

4. In the Display Name field, enter “Red Canary”.

5. Click Save.
   

3 OneLogin / Red Canary | Configure SSO Settings

1. Return to your OneLogin portal where you created the Red Canary app.

2. In the left-hand menu, click the Configuration tab.

3. Navigate back to the Red Canary SSO settings page and copy the Entity / Issuer value, then paste it in the OneLogin Audience field.
   
   

4. In the OneLogin fields below, enter your Assertion Consumer Service (ACS) URL:

   • Recipient: https://mysubdomain.my.redcanary.co/saml_sp/consume

   • ACS (Consumer) URL Validator: https://mysubdomain.my.redcanary.co/saml_sp/consume

   • ACS (Consumer) URL:https://mysubdomain.my.redcanary.co/saml_sp/consume

   Note

   Remember to replace mysubdomain with your actual subdomain.

   

5. In the left-hand menu, click the Parameters tab and create a new parameter:

   • In the Field name, enter “Email”

   • Check the Include in SAML assertion box

   • Click Save

   • In the Value dropdown, select Email

   • Click Save

   

6. Click Save to save all changes so far.

7. In the SSO tab, under the X.509 Certificate, click View Details.

   

8. Copy the certificate.
   

9. On the Red Canary SSO settings page, paste the certificate in the Identity Provider X508 Cert field.

   

10. Copy and paste the following values from OneLogin to Red Canary:

    • Copy the OneLogin Issuer URL and paste to Red Canary Identity Provider Entity ID

    • Copy the OneLogin SAML 2.0 Endpoint (HTTP) and paste to Red Canary Identity Provider SSO Target URL

    • Copy the OneLogin SLO Endpoint (HTTP) and paste to Red Canary Identity Provider SLO Target URL
      

11. In OneLogin, click Save.

12. In Red Canary, in the Email Attribute field, enter “email.”
    

13. In Red Canary, click Save to activate the SSO configuration.

4 Red Canary | Require SSO for User Login

Once you’ve successfully tested your SSO setup, go to the Red Canary SSO settings page and check the box Disable user / password login and require login via Single Sign On. This will force SSO login for all user logins. Make sure to click Save to apply the change.