Configuring LDAP and Canvas Authentication

Document created by Canvas Doc Team Employee on Apr 14, 2015. Last modified by jivedocs@instructure.com on Aug 8, 2016.
Version 9

    Official Canvas Document


Background

Single Sign On (SSO) is functionality that many schools configure during the implementation phase of their transition to Canvas. Its main benefit is that once users sign in to one service at the institution they are automatically authenticated to every other service that participates in SSO, so they only need to remember one set of credentials.

 

LDAP, by contrast, is a shared authentication method rather than SSO. Users still need to remember only a single username and password, but they must sign in to each service separately with that set of credentials.

 

When Instructure Canvas receives a successful identity assertion from any of its supported authentication integrations, it searches for a user login (login_id) that matches the value of the asserted identity. If it finds a matching login, it logs in the associated user account.

 

LDAP is used for authentication only. Adding a new account to an LDAP tree does not automatically create an account in Canvas.

 

This article describes the process of configuring and debugging LDAP authentication to work with Canvas.

 

Authentication Workflow

 

This is the typical workflow once LDAP is enabled.

 

During the login process:

  1. A user provides a username and password via the secure login page.
  2. Instructure Canvas binds to the configured LDAP server with the query account credentials (the Username and Password from the configuration).
  3. The username the user provided is substituted for the {{login}} placeholder in the configured filter, and the resulting filter is searched under the configured base to find the user's LDAP entry.
  4. Canvas re-binds as the entry found above, using the password the user provided, to authenticate the user.
  5. If that bind succeeds, Canvas looks up the associated user by matching a Canvas login_id to the username the user typed (or, if a Login ID Attribute is configured, to that attribute's value on the found entry).
  6. If the user is found, Canvas logs them in. Roles and permissions are dictated by enrollments within Canvas, not by anything in LDAP.

 

Prerequisites

In order to set up an LDAP integration in Canvas you need to know the following information:
  • Host: address of the LDAP server (ex: ldap.college.edu)
  • Port: port of the LDAP server
  • TLS: whether this host and port require StartTLS, simple TLS (LDAPS), or no TLS. Because Canvas sends the user's password to the LDAP server on the re-bind, use one of the TLS options whenever the server supports it.
  • Base: the LDAP base DN under which the user search is performed
  • Filter: the LDAP filter used to select the user's entry; {{login}} is replaced with the username the user typed (for example (sAMAccountName={{login}}) )
  • Login ID Attribute: if the value to be matched against the Canvas login_id is not the username the user provided, select the LDAP attribute whose value should be used instead.
  • Username: the bind username of the query account (typically its full DN, or a UPN for Active Directory)
  • Password: the password of the institution-created query account used for the bind and re-bind
  • Login label: the label shown on the login form for the username field. Many institutions have specific branded names for institutional accounts; examples include U-Key, Username, Route Y ID, etc.
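The six login steps above and the configuration fields in this list, modelled end to end as an added example in Python (not Canvas's own code). The directory, the Canvas login table, the configuration dict and every function name are constructed for this example and assumed, not taken from Canvas. It goes one step beyond the page: the typed username is escaped per RFC 4515 before it replaces {{login}}, and an unescaped variant is kept beside it to show why that matters (an unescaped * would otherwise match every account under the base).

```python
"""Model of the Canvas LDAP login workflow (added example; not Canvas code).

The directory, Canvas logins and configuration below are constructed samples;
the function names are this example's own, not Canvas's.
"""
import re

# Constructed sample LDAP directory: DN -> attributes (userPassword only for bind).
DIRECTORY = {
    "uid=canvas-svc,ou=service,dc=college,dc=edu": {"userPassword": "svc-s3cret"},
    "uid=jdoe,ou=people,dc=college,dc=edu": {
        "sAMAccountName": "jdoe", "mail": "jdoe@college.edu",
        "userPassword": "correct horse"},
    "uid=asmith,ou=people,dc=college,dc=edu": {
        "sAMAccountName": "asmith", "mail": "asmith@college.edu",
        "userPassword": "another pw"},
}

# Constructed Canvas side: login_id -> display name. asmith has a Canvas login
# only under the e-mail address, so the mapping in step 5 decides the outcome.
CANVAS_LOGINS = {"jdoe": "Jane Doe", "asmith@college.edu": "Alex Smith"}

# Hypothetical configuration mirroring the prerequisite fields.
CONFIG = {
    "base": "ou=people,dc=college,dc=edu",
    "filter": "(sAMAccountName={{login}})",
    "login_attribute": None,   # None: match login_id on the typed username
    "bind_dn": "uid=canvas-svc,ou=service,dc=college,dc=edu",
    "bind_password": "svc-s3cret",
}


def escape_filter_value(value):
    """RFC 4515 escaping: a typed username can never change the filter's shape."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def build_filter(template, login):
    """Step 3, hardened: substitute the escaped username for {{login}}."""
    return template.replace("{{login}}", escape_filter_value(login))


def build_filter_unsafe(template, login):
    """Step 3 without escaping, kept only to show why escaping matters."""
    return template.replace("{{login}}", login)


def bind(dn, password):
    """Simple bind against the toy directory (steps 2 and 4)."""
    entry = DIRECTORY.get(dn)
    return entry is not None and entry.get("userPassword") == password


_EQUALITY = re.compile(r"^\(([A-Za-z][A-Za-z0-9-]*)=(.*)\)$")
_HEX = re.compile(r"\\([0-9a-fA-F]{2})")


def search(base, filter_str):
    """Toy evaluator for one equality filter, honouring '*' as a wildcard."""
    m = _EQUALITY.match(filter_str)
    if not m:
        return []
    attr, raw = m.group(1), m.group(2)
    # Unescaped '*' is a wildcard; escaped bytes (\2a etc.) become literals.
    pieces = [re.escape(_HEX.sub(lambda h: chr(int(h.group(1), 16)), p))
              for p in raw.split("*")]
    pattern = re.compile("^" + ".*".join(pieces) + "$")
    return [dn for dn, attrs in DIRECTORY.items()
            if dn.endswith("," + base) and attr in attrs
            and pattern.match(attrs[attr])]


def canvas_login(username, password, config=CONFIG):
    """Run steps 2-6; returns the Canvas user's name, or None if login fails."""
    # Step 2: bind with the query account.
    if not bind(config["bind_dn"], config["bind_password"]):
        raise RuntimeError("query account bind failed; check Username/Password")
    # Step 3: escaped username into the filter, searched under the base.
    matches = search(config["base"], build_filter(config["filter"], username))
    if len(matches) != 1:
        return None            # no entry, or an ambiguous one: refuse to continue
    user_dn = matches[0]
    # Step 4: re-bind as the found entry with the password the user typed.
    if not bind(user_dn, password):
        return None
    # Step 5: the login_id is the typed username unless an attribute is mapped.
    attr = config["login_attribute"]
    login_id = DIRECTORY[user_dn].get(attr) if attr else username
    # Step 6: LDAP authenticates only; an unknown login_id is not provisioned.
    return CANVAS_LOGINS.get(login_id)
```

With this configuration `canvas_login("jdoe", "correct horse")` returns "Jane Doe", while `canvas_login("asmith", "another pw")` returns None even though the LDAP bind succeeds, because no Canvas login_id "asmith" exists; switching `login_attribute` to "mail" makes the same call return "Alex Smith". The search with the unsafe filter and a username of `*` returns both people entries, the escaped one returns none, which is why the ambiguity check in step 3 refuses anything but exactly one match.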

 

Bind/Re-bind

Institutions should create a dedicated LDAP account for Canvas by Instructure. This means they do not have to allow unauthenticated search or query access to their LDAP servers, and the account needs only read access to the entries under the configured base, since Canvas uses it solely to look up the user's entry before re-binding as that user. Authenticated searches are also easier to log and debug when they are tied to a known account.

 

Firewall Rules

Many LDAP servers are not publicly available and are protected by firewalls. If this is the case, the institution will have to create a firewall exception that allows our servers to reach the LDAP server before users can be authenticated with LDAP. We designate a stable set of servers and their associated IP addresses to simplify these firewall exception rules (stable meaning they aren't spun down due to Automated Provisioning). Please ask your Customer Success Manager or Implementation Consultant to send you these IP addresses.

 

Configuring LDAP with Canvas
