SIS: Student Information System
This is what happens when a user isn't required to log in to a second service because information about the authenticated user is passed to the service.
Configure Azure Active Directory
To configure the integration of Canvas into Azure AD, you need to add Canvas from the gallery to your list of managed SaaS apps.
1. In the left navigation panel of the Azure portal, click the Azure Active Directory icon.
2. Click Enterprise applications, then click All applications.
3. To add a new application, click the New application button on the top of the dialog.
4. In the search box, type Canvas. In the results panel, select Canvas and then click the Add button to add the application.
5. In the Canvas - Overview page of the Azure portal, click on Single Sign-on.
6. Click SAML.
8. Fill in the Identifier (Entity ID) fields with the http (not https) URLs of your production, test, and beta environments, followed by /saml2 (e.g., http://your-institution.instructure.com/saml2 ).
In the Reply URL (Assertion Consumer Service URL) fields, add your https production, test, and beta environment URLs followed by a wildcard (*) (e.g., https://your-institution.instructure.com/* ).
In the Sign on URL field, enter your Canvas production URL (e.g., https://your-instance.instructure.com ).
Click Save in the top-left corner.
12. Repeat for the Claim Name ending with .../identity/claims/nameidentifier, to also change its Source attribute to user.mail.
The following steps take place in Canvas.
15. In a new browser tab, log in to your Canvas instance as an administrator. From the Admin tile, click Authentication.
18. The page will reload with the values for IdP Entity ID, Log On URL, Log Out URL and Certificate Fingerprint automatically filled.
19. Test the configuration. Open a new incognito window, and go to
If successful, you’ll be prompted to enter your Microsoft email address, followed by your password. You will then be logged in and redirected to your Canvas instance.
Note that Canvas does not automatically create user accounts from successful single-sign-ons. User accounts must either be created manually in the web interface or through the SIS import CSVs.
20. Return to the Authentication screen. To make SAML the primary method for authentication, navigate to the bottom of the SAML section, and change Position to 1. Click Save.
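To cross-check the values Canvas auto-fills in step 18, the following added example (not part of the original guide, and not Instructure or Microsoft code) derives them independently from a saved copy of the IdP's SAML 2.0 metadata XML. The sample metadata, hostnames and certificate bytes are constructed placeholders, and SHA-1 as the fingerprint digest is an assumption; pass another hash_name if your Canvas field shows a different digest.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
# Constructed sample input: placeholder hosts, and bytes that are NOT a real certificate.
SAMPLE_CERT_DER = b"constructed sample bytes standing in for a DER certificate"
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.invalid/tenant-placeholder/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
      <X509Data><X509Certificate>
        {base64.b64encode(SAMPLE_CERT_DER).decode()}
      </X509Certificate></X509Data></KeyInfo></KeyDescriptor>
    <SingleLogoutService Location="https://idp.example.invalid/tenant-placeholder/logout"/>
    <SingleSignOnService Location="https://idp.example.invalid/tenant-placeholder/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

def idp_values(metadata_xml, hash_name="sha1"):
    """Derive the four values Canvas auto-fills, straight from the IdP metadata."""
    if "<!DOCTYPE" in metadata_xml:  # metadata never needs a DTD; refuse entity tricks
        raise ValueError("DOCTYPE not allowed in SAML metadata")
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor element: not IdP metadata")
    def location(tag):
        el = idp.find(f"md:{tag}", NS)
        return el.get("Location") if el is not None else None
    fingerprints = []  # a list: an IdP may publish several signing certs during rollover
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") not in (None, "signing"):
            continue  # skip encryption-only keys
        for cert in kd.findall(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join(cert.text.split()))
            hexd = hashlib.new(hash_name, der).hexdigest()
            fingerprints.append(":".join(hexd[i:i + 2] for i in range(0, len(hexd), 2)))
    return {"idp_entity_id": root.get("entityID"),
            "log_on_url": location("SingleSignOnService"),
            "log_out_url": location("SingleLogoutService"),
            "fingerprints": fingerprints}

def fingerprint_matches(shown_in_canvas, fingerprints):
    """Compare ignoring case, colons and spaces, which differ between tools."""
    norm = lambda s: s.replace(":", "").replace(" ", "").lower()
    return norm(shown_in_canvas) in {norm(f) for f in fingerprints}
```

A fingerprint in Canvas that matches none of the certificates in the metadata you downloaded yourself means the trust anchor is not the one you intended, and the configuration should not be promoted to Position 1 until that is resolved.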
Azure AD with Vanity/Custom URL
Please follow these steps if you have a client that would like to use their vanity/custom URL in Canvas with Azure.
Note: In order to use this, the client must be using the paid version of Azure.
Add a Custom Application within Azure
Click the Azure Active Directory link.
In the Manage menu, click the Enterprise applications link.
Click the New application link.
Select the Non-gallery application option.
Give your new application a name to distinguish this app from other apps (e.g., Canvas Vanity URL). After you have added a name, click the Add button.
After the app has been created, navigate to the Single sign-on page and ensure the following settings are configured correctly:
- Single Sign-on Mode = SAML-based Sign-on
- Identifier = http://[domain].instructure.com/saml2 (IMPORTANT: you may also need to try http://[vanityURL]/saml2.)
- Reply URL = https://[vanityURL]/login/saml
- User Identifier = This must be set to the value they wish to have their users log in with. This could be SAMAccountName, userPrincipalName or Mail.
Click on Configure Canvas at the bottom of this page to obtain the Canvas configuration information. Copy these for use later when they configure the SAML settings within Canvas.
Example config information below:
Navigate to the Self-Service page. Make sure that Allow users to request access to this application is set to No.
In the Authentication Context drop-down menu, select the urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified option.
Turn on the debugger and have them test the authentication to see if it is working. If not, let Ryana know and I can work with them to try to get it to work. Good luck!