Enable Single Sign-On from Microsoft Entra ID to your Canary Console with these steps.
Step 1: Log in to your Canary Console
To start, log in to your Canary Console using your credentials.
Next, click Global Settings on the top right-hand side navbar drop-down.
Then expand the SAML menu item and note the details you see there, including the Entity ID and ACS URL. We'll use them later in the configuration.
Step 2: Log in to Microsoft Entra ID and add a new SAML Application
In your Azure dashboard, head over to Microsoft Entra ID, then Enterprise applications.
Then click New Application.
Next, select Create your own application.
Give your application a name and click Create.
Step 3: Configure SAML for the Canary Console
Click Single sign-on in the left menu, then click on the SAML panel.
Edit the Basic SAML Configuration information.
In the Identity field, paste the Entity ID from Step 1. In the Reply URL field, paste the ACS URL from Step 1. Leave all other fields blank and in their default state.
Finally, click the Save button to continue.
Step 4: Edit User Attributes & Claims
On the User Attributes & Claims panel, click the Edit link.
Edit the Unique User Identifier (Name ID) claim, and set its value to user.mail, or to user.userprincipalname if your user accounts do not have an email address.
No additional claims are required.
Step 5: Give the SAML Metadata to Canary Support
Look for the Federation Metadata XML. Thinkst support will need a copy of this to configure your Canary Console, and they'll confirm when SAML support is fully set up.
You can either download a copy to attach to the support ticket, or share the link directly.
A support ticket can be created here.
Step 6: Assign users or groups to the Canary Application
Almost there! The last step is to grant Canary Console permission to your Entra ID users.
Click Users and groups, then Add user.
Add users and groups here to give them access to your Canary Console.
This is also a great time to consider configuring SAML IdP-managed permissions: Azure Entra ID
Step 7: Test login from both the Console and Azure MyApps
Once Thinkst Support confirms SAML is configured, you'll know it's working when you see your Console Login page show a Login with SSO button.
Click the button to initiate the SSO login.
You'll also be able to log in to your Console by clicking on your Canary app panel inside the MyApps dashboard.
Optional: Renewing your SAML certificate
Just like TLS certificates, SAML certificates have an expiry date, and when they expire, Entra could deny access until it's renewed.
Luckily, renewing is an easy process. To get started, head over to Microsoft Entra ID, open the Enterprise applications menu, and find your Canary Console SAML app.
Head over to Single sign-on, where you'll spot the certificate expiration; let's fix that. Next, hit the Edit button.
Here we can see the expired certificate. To replace it, we'll need to create a new one by hitting New Certificate.
A new certificate entry will have been created, hit Save to generate it.
With the new certificate created, we need to make it active. Hit the 3 dots to the right of the certificate entry, and select Make certificate active from the context menu.
You'll now have a new certificate loaded, and a new Federation Metadata XML. Thinkst support will need a copy of this to update your Canary Console.
You can either download a copy to attach to the support ticket, or share the link directly.
A support ticket can be created here.
You’ve made it!