SIS: Student Information System
This is what happens when a user isn't required to log in to a second service because information about the authenticated user is passed to the service.
Note: To complete the steps in this documentation, you will need to use your Production environment of Canvas. Testing Azure SAML authentication will not work in Test or Beta.
Adding Canvas from the gallery
To configure the integration of Canvas into Azure AD, you need to add Canvas from the gallery to your list of managed SaaS apps.
To add Canvas from the gallery, perform the following steps:
2. Click the Enterprise applications link. Then click the All applications link.
3. To add a new application, click the New application button on the top of the dialog.
4. In the search box, type Canvas.
5. In the results panel, select Canvas and then click the Add button to add the application.
Configuring Azure AD single sign-on
In this section, you will learn how to enable Azure AD single sign-on in the Azure portal and configure single sign-on in your Canvas application.
To configure Azure AD single sign-on with Canvas, perform the following steps:
1. In the Canvas application integration page of the Azure portal, click on Single Sign-on.
2. On the Single Sign-on Mode dialog, select the SAML-based Sign-on option to enable single sign-on.
3. On the Canvas Domain and URLs section, perform the following steps (replacing <institution> with your tenant name):
a. In the Sign-on URL textbox, type your institution's Canvas URL using the following pattern: https://<institution>.instructure.com
b. In the Identifier textbox, type the value using the following pattern: http://<institution>.instructure.com/saml2
4. In the SAML Signing Certificate section, copy the THUMBPRINT value of the certificate.
5. Click the Save button near the top of the screen.
6. On the Canvas Configuration section, click Configure Canvas to open the Configure sign-on window.
7. Copy the SAML Single Sign-On Service URL, Sign Out URL, SAML Entity ID, and Change Password URL under the Quick Reference section - you will need these when you configure SAML in Canvas.
Note: The following steps take place in Canvas
8. In a different browser window, log in to your Canvas instance as an administrator.
9. From the Admin tile, click the Authentication link.
10. Click on the Choose an Authentication drop-down, then select the SAML option.
11. On the SAML configuration page, complete the following steps:
a. In the IdP Entity ID text box, paste the value of the SAML Entity ID which you have copied from the Azure portal.
b. In the Log On URL text box, paste the value of the SAML Single Sign-On Service URL which you have copied from the Azure portal.
c. In the Log Out URL text box, paste the value of the Sign Out URL which you have copied from the Azure portal.
d. In the Certificate Fingerprint textbox, paste the Thumbprint value of the certificate which you have copied from the Azure portal.
e. Click Save when finished.
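The fingerprint pasted in step 11d is what ties Canvas to the Azure signing certificate, so it is worth checking the copied values before testing a login. The following is an added example, not part of the original documentation or of Canvas or Azure: it checks the four values against a copy of the IdP certificate in PEM form. It assumes the thumbprint is the SHA-1 digest of the certificate's DER bytes; the dictionary keys, sample URLs and sample certificate bytes are constructed for illustration.

```python
import base64
import hashlib
import hmac
import re
from urllib.parse import urlparse

# Constructed stand-in bytes, NOT a real X.509 certificate; a thumbprint is
# just SHA-1 over the certificate's DER bytes, so any bytes show the mechanics.
SAMPLE_DER = b"constructed stand-in for the IdP signing certificate"
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER).decode()
              + "-----END CERTIFICATE-----\n")

def normalize_thumbprint(value):
    """Drop colons/whitespace and lowercase, so differently formatted copies compare equal."""
    hexed = re.sub(r"[\s:]", "", value).lower()
    if not re.fullmatch(r"[0-9a-f]{40}", hexed):
        raise ValueError("not a 40-hex-digit SHA-1 thumbprint")
    return hexed

def thumbprint_of_pem(pem):
    """SHA-1 hex digest of the DER bytes inside a PEM certificate block."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", pem, re.S)
    if m is None:
        raise ValueError("no PEM certificate block found")
    der = base64.b64decode("".join(m.group(1).split()), validate=True)
    return hashlib.sha1(der).hexdigest()

def check_canvas_saml(settings, idp_cert_pem):
    """Return a list of problems; the dict keys are hypothetical names for the Canvas fields."""
    problems = []
    for field in ("log_on_url", "log_out_url"):
        url = urlparse(settings.get(field, ""))
        if url.scheme != "https" or not url.hostname:
            problems.append(f"{field}: expected an https:// URL")
    if not settings.get("idp_entity_id", "").strip():
        problems.append("idp_entity_id: empty")
    try:
        pasted = normalize_thumbprint(settings.get("certificate_fingerprint", ""))
        if not hmac.compare_digest(pasted, thumbprint_of_pem(idp_cert_pem)):
            problems.append("certificate_fingerprint: does not match the IdP certificate")
    except ValueError as exc:
        problems.append(f"certificate_fingerprint: {exc}")
    return problems

if __name__ == "__main__":
    pasted = {"idp_entity_id": "https://idp.example/entity", "log_on_url": "http://idp.example/sso",
              "log_out_url": "https://idp.example/logout", "certificate_fingerprint": "AB:CD"}
    print(check_canvas_saml(pasted, SAMPLE_PEM))  # constructed values: two problems reported
```

An empty list means the pasted values are well-formed and the fingerprint matches the certificate supplied.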
Azure AD with Vanity/Custom URL
Please follow these steps if you have a client that would like to use their vanity/custom URL in Canvas with Azure.
Note: In order to use this, the client must be using the paid version of Azure.
Add a Custom Application within Azure
Click the Azure Active Directory link.
In the Manage menu, click the Enterprise applications link.
Click the New application link.
Select the Non-gallery application option.
Give your new application a name to distinguish this app from other apps (e.g., Canvas Vanity URL). After you have added a name, click the Add button.
After the app has been created, navigate to the Single sign-on page and ensure the following settings are configured correctly:
- Single Sign-on Mode = SAML-based Sign-on
- Identifier = http://[domain].instructure.com/saml2 IMPORTANT! - You may also need to try http://[vanityURL]/saml2.
- Reply URL = https://[vanityURL]/login/saml
- User Identifier = This must be set to the value they wish to have their users log in with. This could be SAMAccountName, userPrincipalName or Mail.
Click on Configure Canvas at the bottom of this page to obtain the Canvas configuration information. Copy these for use later when they configure the SAML settings within Canvas.
Example config information below:
Navigate to the Self-Service page. Make sure that Allow users to request access to this application is set to No.
In the Authentication Context drop-down menu, select the urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified option.
Turn on the debugger and have them test the authentication to see if it is working. If not, let Ryana know and I can work with them to try to get it to work. Good luck!