Creating a SAML IdP App Canarytoken
See our other article: How do I create a Fake SAML IdP App Canarytoken?
Installing the Canarytoken on Okta
As a user in the Azure tenant with at least Enterprise Application Administrator permissions, navigate to the Enterprise Applications panel in the Entra ID Azure Portal.
Select 'New Application', then 'Create a new application' and enter the name of the application as you'd like for it to appear, for example 'Salesforce'. Make sure to select that the application is a 'Non-gallery' application, then click 'Create'.
From the application Properties panel, upload the corresponding application icon, ensure that the application is enabled, that assignment is not required, and that it's visible to users. Save and move on to the Single sign-on panel.
Select 'SAML' as the single sign-on method, and edit the 'Basic SAML Configuration'.
From the Canarytoken page, copy the 'Entity ID' to the form, and the 'ACS URL' to both the 'Reply URL' and 'Relay State' fields. Now click 'Save'. At the bottom of this page is a test button, which should open a new tab, redirect you to the token, and then to the redirect URL. You should also see an alert pop-up with your email address.
If you'd like for the token application to appear in the Microsoft 365 Apps list, assign users (or groups of users) to the application from the 'Users and groups' pane. We recommend training folks about which apps are tokened. Finally, the Self-service tab provides an option to allow users to request access to the application, and you can disable requiring approval—now all your users can add or find this application!
The token is now installed in your IdP and will alert you if it is opened by an assigned user. Your IdP generates an application-specific certificate and uses it to sign each SAML request. By uploading the metadata file provided by your IdP, we can screen for requests carrying a valid signature made with that certificate. Enabling request validation is optional, but it ensures that you only receive alerts on genuine login requests from your IdP.
Optional Request Validation
To enable request validation, navigate to the 'Single sign-on' tab of your SAML application on Entra ID. Under 'SAML Certificates' find the 'Federation Metadata XML' line and click 'Download'.
In the Canary Console interface, under 'Request Validation (Optional)', toggle 'Enable Validation'. Click 'Choose file' and select your metadata file, then click 'Upload Metadata'.
Request validation is now enabled; only genuine requests from your IdP dashboard will trigger Canarytoken alerts.
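To illustrate what the uploaded Federation Metadata XML gives the validating side, here is an added example (not Canary's own code) that pulls the IdP's entityID and signing certificate(s) out of the metadata and rejects a SAML response whose Issuer or embedded signing certificate does not match. The metadata, the responses and the certificate bytes are constructed placeholders, and the tenant URL is an assumed sample value.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
DS = "{http://www.w3.org/2000/09/xmldsig#}"
SAML = "{urn:oasis:names:tc:SAML:2.0:assertion}"

def cert_fingerprint(b64_cert: str) -> str:
    """SHA-256 over the DER bytes of a base64 X509Certificate element."""
    return hashlib.sha256(base64.b64decode("".join(b64_cert.split()))).hexdigest()

def trusted_signing_certs(metadata_xml: str):
    """Return (entityID, set of signing-cert fingerprints) from federation metadata."""
    root = ET.fromstring(metadata_xml)
    fps = set()
    for kd in root.iter(f"{MD}KeyDescriptor"):
        if kd.get("use", "signing") == "signing":  # no 'use' attr means signing and encryption
            fps.update(cert_fingerprint(c.text) for c in kd.iter(f"{DS}X509Certificate"))
    return root.get("entityID"), fps

def response_cert_is_trusted(response_xml: str, entity_id: str, trusted: set) -> bool:
    """Accept only if Issuer matches and every embedded signing cert is in the metadata."""
    root = ET.fromstring(response_xml)
    if root.findtext(f"{SAML}Issuer") != entity_id:
        return False
    certs = [c.text for c in root.iter(f"{DS}X509Certificate")]
    return bool(certs) and all(cert_fingerprint(c) in trusted for c in certs)

# Constructed sample data: placeholder bytes stand in for real DER certificates.
IDP_CERT = base64.b64encode(b"constructed-idp-signing-cert").decode()
ROGUE_CERT = base64.b64encode(b"constructed-unknown-cert").decode()
ENTITY_ID = "https://sts.windows.net/EXAMPLE-TENANT/"  # assumed sample entityID
METADATA_XML = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="{ENTITY_ID}">
  <IDPSSODescriptor><KeyDescriptor use="signing"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
    <X509Data><X509Certificate>{IDP_CERT}</X509Certificate></X509Data>
  </KeyInfo></KeyDescriptor></IDPSSODescriptor></EntityDescriptor>"""

def sample_response(cert: str) -> str:
    """Constructed minimal SAML Response whose Signature embeds the given certificate."""
    return f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <saml:Issuer>{ENTITY_ID}</saml:Issuer>
  <ds:Signature><ds:KeyInfo><ds:X509Data><ds:X509Certificate>{cert}</ds:X509Certificate>
  </ds:X509Data></ds:KeyInfo></ds:Signature></samlp:Response>"""

if __name__ == "__main__":
    eid, trusted = trusted_signing_certs(METADATA_XML)
    print("genuine:", response_cert_is_trusted(sample_response(IDP_CERT), eid, trusted))
    print("unknown:", response_cert_is_trusted(sample_response(ROGUE_CERT), eid, trusted))
```

This certificate-pinning check is only the first gate: a matching certificate in KeyInfo proves nothing by itself, so a real validator must then verify the XML-DSig signature value against that pinned certificate (for example with an xmlsec-based SAML library) before trusting the request.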