Detect identity compromise using the IdP App Canarytoken: Set up an app in your SSO dashboard; if the app is ever opened, you'll receive an email identifying the user who clicked on it, allowing you to pinpoint compromised accounts.
Optionally, the Canarytoken can redirect the user to a URL of your choice after they've opened the app, which helps maintain the ruse for longer.
Creating the Canarytoken
Create a Canarytoken by choosing 'SAML IdP App' from the Canarytokens list.
Select an app to impersonate from the dropdown. Leave a reasonable comment to remind yourself where you will deploy the Canarytoken (e.g. 'Fake Salesforce app on Okta'). If you want the app to redirect to a specific URL, enter it in the 'Send the user to this URL on login (Optional)' box.
Tap the 'Create Canarytoken' button. Download the app icon to use on your dashboard, and follow the steps below to install the Canarytoken on your IdP.
Installing the Canarytoken
For detailed steps to install this token, see our articles for Entra ID and Okta.
For other platforms, create a SAML app integration on your platform using the ACS URL and Entity ID shown after you create your Canarytoken.
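For an IdP that imports service-provider metadata rather than taking the two fields by hand, the ACS URL and Entity ID can be wrapped in a SAML 2.0 metadata document. This is an added example, not Canarytokens' own code: the URLs are constructed placeholders, and the HTTP-POST binding and email NameID format are assumptions to check against what your token's page and your IdP expect.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
SAML2_PROTOCOL = "urn:oasis:names:tc:SAML:2.0:protocol"
# Assumption: the decoy app receives the assertion over HTTP-POST.
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
# Assumption: the IdP sends the user's email address as the NameID.
EMAIL_NAMEID = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed placeholders: substitute the values shown for your own Canarytoken.
EXAMPLE_ACS_URL = "https://canarytoken.example/saml/acs/PLACEHOLDER"
EXAMPLE_ENTITY_ID = "https://canarytoken.example/saml/entity/PLACEHOLDER"

ET.register_namespace("md", MD_NS)


def build_sp_metadata(acs_url, entity_id, nameid_format=EMAIL_NAMEID):
    """Return SAML 2.0 SP metadata XML describing the decoy app."""
    acs_url, entity_id = acs_url.strip(), entity_id.strip()
    parsed = urlparse(acs_url)
    # A mistyped ACS URL means the IdP posts the assertion somewhere else
    # and the alert never fires, so reject anything that is not absolute https.
    if parsed.scheme != "https" or not parsed.netloc:
        raise ValueError("ACS URL must be an absolute https:// URL")
    if not entity_id:
        raise ValueError("Entity ID must not be empty")

    root = ET.Element(f"{{{MD_NS}}}EntityDescriptor", {"entityID": entity_id})
    sp = ET.SubElement(root, f"{{{MD_NS}}}SPSSODescriptor",
                       {"protocolSupportEnumeration": SAML2_PROTOCOL})
    # The metadata schema orders NameIDFormat before AssertionConsumerService.
    ET.SubElement(sp, f"{{{MD_NS}}}NameIDFormat").text = nameid_format
    ET.SubElement(sp, f"{{{MD_NS}}}AssertionConsumerService", {
        "Binding": POST_BINDING, "Location": acs_url,
        "index": "0", "isDefault": "true"})
    return ET.tostring(root, encoding="unicode")


def read_back(metadata_xml):
    """Parse metadata and return (entity_id, acs_url) to confirm what the IdP will see."""
    root = ET.fromstring(metadata_xml)
    acs = root.find(f"{{{MD_NS}}}SPSSODescriptor/{{{MD_NS}}}AssertionConsumerService")
    return root.get("entityID"), acs.get("Location")


if __name__ == "__main__":
    print(build_sp_metadata(EXAMPLE_ACS_URL, EXAMPLE_ENTITY_ID))
```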