Configuring Azure (SAML) and Canvas Authentication

Document created by kevin (Employee) on Mar 25, 2015. Last modified by Trevor Fullwood on Aug 1, 2018. Version 15.

Official Canvas Document

Authentication Terminology

Term: Definition

IdP (Identity Provider)
The job of the IdP is to identify users based on credentials. The IdP typically provides the login screen interface and presents information about the authenticated user to service providers after successful authentication.
ADFS is the Identity Provider.

login_id
Username in Canvas terminology. When information about an authenticated user is returned to Canvas, a user with a login_id matching the incoming data is looked for.

Metadata
Information about the SP or IdP. This metadata is almost always provided in the form of XML. The metadata about your Canvas instance is located at https://<yourcanvas>.instructure.com/saml2 (replace <yourcanvas> with the first portion of your Canvas domain).

SAML (Security Assertion Markup Language)

SIS (Student Information System)

SIS ID
Unique ID of a user in Canvas. Used to link a user to an outside system, often a Student Information System (SIS).

SLO (Single Logout)
When a user logs out of a service, some IdPs can subsequently log the user out of all other services the user has authenticated to.
ADFS supports this but may occasionally experience issues such as preventing a successful logout. Users will be logged out of Canvas but may not be logged out of ADFS.

SP (Service Provider)
An SP is usually a website providing information, tools, reports, etc. to the end user. Canvas provides a learning environment to teachers, students, and admins and is, therefore, the Service Provider.
Note: An SP cannot authenticate against an IdP unless the IdP is known to the SP. Likewise, an IdP will not send assertions to an SP that it does not know about.

SSO (Single Sign-On)
This is what happens when a user isn't required to log in to a second service because information about the authenticated user is passed to the service.

Any user that needs to authenticate via Azure AD must already have a user account provisioned in Canvas.

Pre-requisites

  • The login_id field in Canvas must match the selected field returned from Azure.
  • Canvas does not automatically create user accounts from successful single-sign-ons. User accounts must either be created manually in the web interface or through the SIS import CSVs.
  • Your organization must have an Azure AD subscription.
  • You must be able to log in to the admin console for your organization.

Note: To complete the steps in this documentation, you will need to use your Production environment of Canvas. Testing Azure SAML authentication will not work in Test or Beta.

Login Release Valve

You may lock yourself out of Canvas while you are working on setting up authentication. If this happens, there is a way to log in to Canvas using local authentication. Simply go to /login/canvas. For instance: http://<yourcanvasname>.instructure.com/login/canvas (This forces Canvas to display the local login form rather than redirecting to the SAML login page).

Adding Canvas from the gallery

To configure the integration of Canvas into Azure AD, you need to add Canvas from the gallery to your list of managed SaaS apps.

To add Canvas from the gallery, perform the following steps:

  1. In the left navigation panel of the Azure portal, click the Azure Active Directory icon.
  2. Click the Enterprise applications link, then click the All applications link.
  3. To add a new application, click the New application button at the top of the dialog.
  4. In the search box, type Canvas.
  5. In the results panel, select Canvas and then click the Add button to add the application.

Configuring Azure AD single sign-on

In this section, you will learn how to enable Azure AD single sign-on in the Azure portal and configure single sign-on in your Canvas application.

To configure Azure AD single sign-on with Canvas, perform the following steps:

1. On the Canvas application integration page of the Azure portal, click Single Sign-on.

2. On the Single Sign-on Mode dialog, select the SAML-based Sign-on option to enable single sign-on.

3. In the Canvas Domain and URLs section, perform the following steps (replacing <institution> with your tenant name):

      a. In the Sign-on URL textbox, type your institution's Canvas URL using the following pattern: https://<institution>.instructure.com

      b. In the Identifier textbox, type the value using the following pattern: http://<institution>.instructure.com/saml2

      PLEASE NOTE: The Identifier URL begins with http://, not https://.

4. In the SAML Signing Certificate section, copy the THUMBPRINT value of the certificate.

5. Click the Save button near the top of the screen.

6. In the Canvas Configuration section, click Configure Canvas to open the Configure sign-on window.

7. Copy the SAML Single Sign-On Service URL, Sign Out URL, SAML Entity ID, and Change Password URL under the Quick Reference section; you will need these when you configure SAML in Canvas.

Note: The following steps take place in Canvas.

8. In a different browser window, log in to your Canvas instance as an administrator.

9. From the Admin tile, click the Authentication link.

10. Click the Choose an Authentication drop-down, then select the SAML option.

11. On the SAML configuration page, complete the following steps:

      a. In the IdP Entity ID text box, paste the SAML Entity ID value you copied from the Azure portal.

      b. In the Log On URL text box, paste the SAML Single Sign-On Service URL value you copied from the Azure portal.

      c. In the Log Out URL text box, paste the Sign Out URL value you copied from the Azure portal.

      d. In the Certificate Fingerprint text box, paste the Thumbprint value of the certificate you copied from the Azure portal.

      e. Click Save when finished.
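The four values pasted in step 11 can all be read from the IdP's SAML metadata, which is a useful cross-check that the thumbprint copied in step 4 matches the signing certificate Azure actually publishes. The script below is an added example, not part of this document or of Canvas; the metadata it parses is a constructed sample with a placeholder tenant id and URLs, and its "certificate" is an arbitrary byte string rather than a real X.509 certificate.

```python
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample IdP metadata. The tenant id and URLs are placeholders, and the
# "certificate" is arbitrary bytes (a well-known SHA-1 test vector), not a real cert.
FAKE_CERT_B64 = base64.b64encode(b"The quick brown fox jumps over the lazy dog").decode()
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://sts.windows.net/00000000-0000-0000-0000-000000000000/">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{FAKE_CERT_B64}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleLogoutService Binding="{REDIRECT}"
        Location="https://login.microsoftonline.com/PLACEHOLDER-TENANT/saml2"/>
    <md:SingleSignOnService Binding="{REDIRECT}"
        Location="https://login.microsoftonline.com/PLACEHOLDER-TENANT/saml2"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def canvas_saml_settings(metadata_xml: str) -> dict:
    """Return IdP Entity ID, Log On URL, Log Out URL and the signing certificate's
    SHA-1 thumbprint (uppercase hex, the form the Azure portal shows as THUMBPRINT)."""
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)

    def endpoint(tag: str):
        # Pick the HTTP-Redirect endpoint; the portal's Quick Reference URLs match it.
        for svc in idp.findall(f"md:{tag}", NS):
            if svc.get("Binding") == REDIRECT:
                return svc.get("Location")
        return None

    # First published certificate; strip PEM line wrapping before base64-decoding.
    cert_b64 = idp.find(".//ds:X509Certificate", NS).text
    der = base64.b64decode(re.sub(r"\s+", "", cert_b64))
    return {
        "idp_entity_id": root.get("entityID"),
        "log_on_url": endpoint("SingleSignOnService"),
        "log_out_url": endpoint("SingleLogoutService"),
        "certificate_fingerprint": hashlib.sha1(der).hexdigest().upper(),
    }
```

If the computed fingerprint differs from the THUMBPRINT shown in the portal, the metadata and the portal refer to different certificates (for example after a certificate rollover), and Canvas will reject the assertions until the fingerprint is updated.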

 

Azure AD with Vanity/Custom URL

Please follow these steps if you have a client that would like to use their vanity/custom URL in Canvas with Azure.

Note: In order to use this, the client must be using the paid version of Azure.

Add a Custom Application within Azure

  1. Click the Azure Active Directory link.
  2. In the Manage menu, click the Enterprise applications link.
  3. Click the New application link.
  4. Select the Non-gallery application option.
  5. Give your new application a name to distinguish this app from other apps (e.g., Canvas Vanity URL). After you have added a name, click the Add button.
  6. After the app has been created, navigate to the Single sign-on page and ensure the following settings are configured correctly:
  7. Click Configure Canvas at the bottom of this page to obtain the Canvas configuration information. Copy these for use later when they configure the SAML settings within Canvas.

Example config information below:

  8. Navigate to the Properties page. Make sure User assignment required is set to No.
  9. Navigate to the Self-Service page. Make sure that Allow users to request access to this application is set to No.
  10. In the Authentication Context drop-down menu, select the urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified option.

Turn on the debugger and have them test the authentication to see if it is working. If not, let Ryana know and I can work with them to try to get it to work. Good luck!
