Set Up Single Sign-on with Okta
- Updated on 09 Aug 2024
Red Canary supports single sign-on (SSO) to any Security Assertion Markup Language (SAML)-compliant identity provider. Okta is a commonly used identity provider that you can use to control access to Red Canary.
Important: Setting up SAML can occasionally be problematic, so if you have any issues, please contact support.
The steps begin in Okta and are completed in Red Canary.
Step 1: Okta–Set up single sign-on
Navigate to Account Settings, and then click Download our Service Provider Certificate. This is required for Okta Single Logout and will be used later in this setup.
Log in to Okta as an administrator, and then click Applications in the navigation menu.
From the Applications page, click Add Application, then Create New App.
Select SAML 2.0.
Click Create.
Update the App Name to Red Canary.
Set the App Logo to a Red Canary stamp.
Click Next.
Set Single sign-on URL to https://[subdomain].my.redcanary.co/saml_sp/consume. Always update [subdomain] in the URL with your own Red Canary subdomain.
Select Use this for Recipient URL and Destination URL.
Update Audience URI (SP Entity ID) to the value listed in the Red Canary SSO configuration's Entity / Issuer value.
Set Name ID format to EmailAddress.
Set Application username to Okta username.
Click Show Advanced Settings.
Enter the below information. Make sure to update [go] in the URLs with your own Red Canary subdomain.
Select Allow application to initiate Single Logout.
Update Single Logout URL with the value listed in the Red Canary SSO configuration's Identity Provider SLO Target URL value
Update SP Issuer with the value listed in the Red Canary SSO configuration's Entity/Issuer value
Click the Browse button on the right side of the Signature Certificate field and upload the Certificate downloaded from Red Canary in the first step. Then, click the Upload Certificate button.
Go to the Attribute Statements (optional) section.
Change the following settings:
Change the Name field to Email
Change the Name format (optional) field to Basic
Change the Value field to user.email
Scroll to the bottom of the page and click Next, then Finish to save the SAML Integration settings.
Go to the Directory | Profile Editor page, then scroll down to the Attributes section and confirm that:
The Display Name is set as Username
The Variable Name is set as userName
The Data type is set as string
The Attribute Type is set as Base
Next, go to Applications | Applications | Sign On. Scroll down to the Credentials Details section. Verify that the Application username format field is set as Okta username.
Click the Update Now button to update and save the settings.
Save the Okta application.
Click View Setup Instructions.
Step 2: Red Canary–Activate your SSO configuration
Click your user profile at the top right of Red Canary, and then click Single Sign-On.
Paste the text contents of the Okta application's X.509 certificate into the Identity Provider X509 Cert (Base64 encoded) field.
Set the Identity Provider SSO Target URL to the Okta application's Identity Provider Single Sign-On URL.
Set Identity Provider SLO Target URL to the Okta application's Identity Provider Single Logout URL.
Set Identity Provider Entity ID to the Okta application's Identity Provider Issuer.
Set Email Attribute to Email.
Select This SSO configuration should be active.
Click Save.
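A pre-flight check for Step 2, added here as an example and not taken from Red Canary's or Okta's documentation: it maps SAML IdP metadata onto the Red Canary field names above and reports anything to fix before you activate the configuration. It assumes you have saved the Okta application's IdP metadata XML; the sample metadata is constructed (placeholder hosts, entity ID and certificate bytes) and leaves out the Single Logout endpoint so the check has a finding to report.

```python
import base64, binascii
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
CERT = "Identity Provider X509 Cert (Base64 encoded)"
SSO, SLO = "Identity Provider SSO Target URL", "Identity Provider SLO Target URL"
ENTITY = "Identity Provider Entity ID"

# Constructed sample: host names, entity ID and certificate bytes are placeholders.
SAMPLE = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="http://idp.example/placeholder">
 <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
   UExBQ0VIT0xERVItTk9ULUEtUkVBTC1DRVJU
  </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
  <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    Location="https://idp.example/app/placeholder/sso/saml"/>
 </md:IDPSSODescriptor></md:EntityDescriptor>"""

def red_canary_fields(metadata_xml):
    """Map IdP metadata elements to the Red Canary form fields named in Step 2."""
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")
    def location(tag):  # Location of the first endpoint of this kind, or None
        el = idp.find(f"md:{tag}", NS)
        return None if el is None else el.get("Location")
    cert = idp.findtext(".//ds:X509Certificate", default="", namespaces=NS)
    formats = [(e.text or "").strip() for e in idp.findall("md:NameIDFormat", NS)]
    return {CERT: "".join(cert.split()), SSO: location("SingleSignOnService"),
            SLO: location("SingleLogoutService"), ENTITY: root.get("entityID"),
            "name_id_formats": formats}  # last key is for the check, not a form field

def problems(fields):
    """Return findings to resolve before activating the SSO configuration."""
    found = [f"{k}: missing from metadata" for k in (SSO, SLO) if not fields[k]]
    found += [f"{k}: not HTTPS" for k in (SSO, SLO)
              if fields[k] and urlparse(fields[k]).scheme != "https"]
    try:
        if not base64.b64decode(fields[CERT], validate=True):
            found.append(f"{CERT}: empty")
    except binascii.Error:
        found.append(f"{CERT}: not valid Base64")
    if EMAIL_FORMAT not in fields["name_id_formats"]:
        found.append("Name ID format EmailAddress not advertised by the IdP")
    return found
```

Running `problems(red_canary_fields(SAMPLE))` on the sample reports only the missing SLO Target URL.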