Creating a SAML IdP App Canarytoken
See our other article: How do I create a Fake SAML IdP App Canarytoken?
Installing the Canarytoken on Okta
As an admin user in your Okta organisation, navigate to the Applications panel of your Admin interface.
Click 'Create App Integration', select 'SAML 2.0', and click 'Next'.
Enter the decoy name of the fake application, for example 'Salesforce', upload the corresponding app logo, and click 'Next'.
From the Canarytoken page, copy the 'ACS URL' and paste it in the 'Single sign-on URL' field. Then copy the 'Entity ID' and paste it in the 'Audience URI (SP Entity ID)' field. Scroll down and click 'Next', then click 'Finish'.
Assign users to the application by clicking the 'Assignments' tab, opening the 'Assign' dropdown, and selecting 'Assign to People' or 'Assign to Groups'. We recommend telling your users which apps are tokened, so that a curious legitimate click does not raise an alert. Finally, the Self-service tab provides an option to allow users to request access to the application; if you also disable the approval requirement, every user can find and add the application themselves.
The token is now installed in your IdP and will alert you when an assigned user opens it. Your IdP generates an application-specific certificate and uses it to sign every SAML login request (strictly, the SAML response it POSTs to the token's ACS URL). By uploading the metadata file provided by your IdP, we can screen incoming requests and keep only those whose signature verifies against that certificate. Enabling request validation is optional, but without it anyone who learns the ACS URL can POST to it and trigger an alert; with it, you only receive alerts on genuine login requests from your IdP.
Optional Request Validation
To enable request validation, navigate to the 'Sign On' tab of your SAML application on Okta. Under 'Metadata details', copy the 'Metadata URL'. Open the URL in a new tab, and save the file.
In the Canary Console interface, under 'Request Validation (Optional)', toggle 'Enable Validation'. Click 'Choose file' and select your metadata file, then click 'Upload Metadata'.
Request validation is now enabled; only genuine requests from your IdP dashboard will trigger Canarytoken alerts, and requests whose signature does not verify against the uploaded certificate are dropped. If the application's signing certificate is later rotated in Okta, download and upload the new metadata file, otherwise genuine requests will stop alerting.
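As an added illustration of what the uploaded metadata makes possible (this is example code written for this article, not Canarytokens' or Okta's implementation), the script below pins the IdP entity ID and signing certificate from an Okta-style metadata file and then screens an incoming SAML Response: Destination must be the token's ACS URL, Issuer must be the IdP from the metadata, the Audience must be the token's SP Entity ID, the assertion must be inside its validity window, and the certificate in the assertion's Signature must be the one pinned from the metadata. Verifying the XML-DSig signature value itself is left to a SAML library such as python3-saml or signxml; the checks here are the ones that wrap around that step. The metadata, response, entity IDs, ACS URL and certificate bodies are constructed placeholders (the certificate bytes are not real DER), chosen to mirror the shape Okta emits.

```python
"""Screen an inbound SAML Response against pinned IdP metadata (stdlib only).

Added example, not Canarytokens' or Okta's code. All identifiers below are
hypothetical and the two certificate bodies are placeholder bytes, not DER.
The Signature element is reduced to its KeyInfo; XML-DSig verification of
SignedInfo/SignatureValue is delegated to a SAML library in real use.
"""
import base64
import hashlib
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}

# Hypothetical values: what was pasted into Okta from the Canarytoken page.
ACS_URL = "https://canary.example.invalid/saml/acs/abc123"
SP_ENTITY_ID = "https://canary.example.invalid/saml/sp/abc123"
# Hypothetical Okta app entity ID (Okta uses the form http://www.okta.com/<app id>).
IDP_ENTITY_ID = "http://www.okta.com/exkHYPOTHETICAL"

# Constructed placeholder certificate bodies (not real X.509 DER).
GENUINE_CERT_B64 = base64.b64encode(b"okta-app-signing-certificate").decode()
ATTACKER_CERT_B64 = base64.b64encode(b"self-signed-attacker-certificate").decode()

# Constructed metadata in the shape of Okta's 'Metadata URL' download.
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" entityID="{IDP_ENTITY_ID}">
  <md:IDPSSODescriptor protocolSupportEnumeration="{NS['samlp']}">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="{NS['ds']}"><ds:X509Data>
        <ds:X509Certificate>{GENUINE_CERT_B64}</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      Location="https://dev-000000.okta.com/app/exkHYPOTHETICAL/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def build_response(cert_b64, audience, destination=ACS_URL, issuer=IDP_ENTITY_ID):
    """Constructed IdP-initiated Response (hence no InResponseTo) with a signed Assertion."""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  ID="_r1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z" Destination="{destination}">
  <saml:Issuer>{issuer}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
    <saml:Issuer>{issuer}</saml:Issuer>
    <ds:Signature xmlns:ds="{NS['ds']}"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{cert_b64}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></ds:Signature>
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-05-01T11:55:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def cert_fingerprint(cert_b64):
    """SHA-256 over the decoded certificate bytes; whitespace in the base64 is ignored."""
    return hashlib.sha256(base64.b64decode("".join(cert_b64.split()))).hexdigest()


def load_idp_metadata(xml_text):
    """Pin the IdP entity ID and the fingerprints of its signing certificates."""
    root = ET.fromstring(xml_text)
    fingerprints = set()
    for kd in root.findall("md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing"):  # no 'use' attribute means signing and encryption
            for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
                fingerprints.add(cert_fingerprint(cert.text))
    if not fingerprints:
        raise ValueError("metadata contains no signing certificate")
    return {"entity_id": root.get("entityID"), "fingerprints": fingerprints}


def parse_ts(value):
    value = re.sub(r"\.\d+", "", value)  # tolerate fractional seconds
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def screen_response(response_xml, idp, sp_entity_id, acs_url, now):
    """Return (ok, problems); run alongside library XML-DSig verification."""
    problems = []
    root = ET.fromstring(response_xml)
    if root.get("Destination") != acs_url:
        problems.append("Destination is not the token's ACS URL")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return False, problems + ["no Assertion in Response"]
    for label, el in (("Response", root), ("Assertion", assertion)):
        if el.findtext("saml:Issuer", namespaces=NS) != idp["entity_id"]:
            problems.append(f"{label} Issuer is not the IdP from metadata")
    cert = assertion.findtext("ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate", namespaces=NS)
    if cert is None:
        problems.append("Assertion carries no signature")
    elif cert_fingerprint(cert) not in idp["fingerprints"]:
        problems.append("signing certificate is not the one pinned from metadata")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None or cond.get("NotOnOrAfter") is None:
        problems.append("Assertion has no usable Conditions")
    else:
        not_before = cond.get("NotBefore")  # optional in SAML
        if not ((not_before is None or parse_ts(not_before) <= now) and now < parse_ts(cond.get("NotOnOrAfter"))):
            problems.append("Assertion is outside its validity window")
        audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if sp_entity_id not in audiences:
            problems.append("Audience does not include the token's SP Entity ID")
    return not problems, problems


if __name__ == "__main__":
    idp = load_idp_metadata(SAMPLE_METADATA)
    now = parse_ts("2024-05-01T12:00:30Z")
    for name, resp in (("genuine", build_response(GENUINE_CERT_B64, SP_ENTITY_ID)),
                       ("attacker cert", build_response(ATTACKER_CERT_B64, SP_ENTITY_ID)),
                       ("wrong audience", build_response(GENUINE_CERT_B64, "https://other.invalid/sp"))):
        print(name, screen_response(resp, idp, SP_ENTITY_ID, ACS_URL, now))
```

The certificate check is a pin, not a proof: a forger can paste the real Okta certificate into their own response, which is why the signature value must still be verified against that certificate by a proper XML-DSig implementation. The Audience and Destination checks matter because a genuine Okta assertion for a different application, replayed at the token's ACS URL, would otherwise carry a valid signature.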