Configuring LDAP and Canvas Authentication

Document created by Canvas Doc Team Employee on Apr 14, 2015. Last modified by Mike Cotterman on Nov 7, 2017.
Version 12

    Official Canvas Document



Background

Single Sign-On (SSO) is functionality that many schools configure during the implementation phase of transitioning to Canvas. SSO provides many benefits, not the least of which is that after users sign in to one service at an institution they are automatically authenticated to any other service that uses SSO. The user is only required to remember one set of credentials.


LDAP represents a shared authentication methodology. It retains the benefit of remembering only a single username and password, but a user must sign in to each service separately using that set of credentials.


When Instructure Canvas receives a successful identity assertion from any of its supported authentication integrations, it searches for a user 'login' that matches the value of the asserted identity. If it finds a matching login, it logs in the associated user account.


LDAP is used for authentication only. Adding a new account to an LDAP tree does not automatically create an account in Canvas.


This article describes the process of configuring and debugging LDAP authentication to work with Canvas.


Authentication Workflow


This is the typical workflow of LDAP once it is enabled.


During the login process:

  1. A user provides a username and password via the secure login page.
  2. Instructure Canvas authenticates to the specified LDAP server with the configured query account credentials.
  3. The provided username is substituted into the configured filter field and is combined with the configured base value to search for the user account in an LDAP query.
  4. We re-bind to the LDAP server using the user record found above and the user-provided password to authenticate the user.
  5. If authentication is successful, we look up the associated user in Canvas by matching the Canvas user's login_id to the username provided when logging in.
  6. If the user is found, we log them in. Roles and permissions policies are dictated by enrollments within Canvas.
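The six steps above as runnable code. This is an added example, not Canvas code: the LDAP server is replaced by an in-memory simulation, the directory entries, Canvas logins and config values are constructed, and the config keys (base, filter, bind_dn, bind_password, login_attribute) are assumed names standing in for the fields on this page. The filter substitution in step 3 escapes the login per RFC 4515 so a username is always compared literally.

```python
# Added example, not Canvas code: the LDAP server is simulated and all data constructed.
import re

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value substituted into a search filter,
    so metacharacters in a login are never parsed as filter syntax."""
    return re.sub(r'[\\*()\x00]', lambda m: '\\%02x' % ord(m.group()), value)

def build_filter(template: str, login: str) -> str:
    """Step 3: substitute the login into the configured filter template."""
    return template.replace('{{login}}', escape_filter_value(login))

# Constructed directory: DN -> (attributes, password). Not real data.
DIRECTORY = {
    'uid=canvas,ou=svc,dc=college,dc=edu': ({'uid': 'canvas'}, 'svc-pw'),
    'uid=jdoe,ou=people,dc=college,dc=edu': ({'uid': 'jdoe', 'mail': 'jdoe@college.edu'}, 'pw-jdoe'),
    'uid=asmith,ou=people,dc=college,dc=edu': ({'uid': 'asmith', 'mail': 'asmith@college.edu'}, 'pw-asmith'),
}
CANVAS_LOGINS = {'jdoe': 'Jane Doe'}   # constructed: Canvas login_id -> user
CONFIG = {'base': 'ou=people,dc=college,dc=edu', 'filter': '(uid={{login}})',
          'bind_dn': 'uid=canvas,ou=svc,dc=college,dc=edu', 'bind_password': 'svc-pw'}

def simulated_search(base, ldap_filter):
    """Stand-in for the LDAP search: equality filters only, so escaped
    metacharacters are compared literally and never act as wildcards."""
    m = re.fullmatch(r'\((\w+)=([^()]*)\)', ldap_filter)
    if not m:
        return []
    attr, raw = m.groups()
    value = re.sub(r'\\([0-9a-f]{2})', lambda h: chr(int(h.group(1), 16)), raw)
    return [dn for dn, (attrs, _) in DIRECTORY.items()
            if dn.endswith(base) and attrs.get(attr) == value]

def simulated_bind(dn, password):
    """Stand-in for an LDAP bind: succeeds only with that entry's password."""
    return dn in DIRECTORY and DIRECTORY[dn][1] == password

def ldap_login(config, username, password):
    """Steps 2-6 of the workflow. Returns (Canvas user or None, reason)."""
    if not simulated_bind(config['bind_dn'], config['bind_password']):
        return None, 'query account bind failed'          # step 2
    matches = simulated_search(config['base'], build_filter(config['filter'], username))
    if len(matches) != 1:                                  # zero or ambiguous result
        return None, 'no unique directory entry'
    if not simulated_bind(matches[0], password):           # step 4: re-bind as the user
        return None, 'bad password'
    attr = config.get('login_attribute')                   # optional Login ID Attribute
    login_id = DIRECTORY[matches[0]][0][attr] if attr else username
    user = CANVAS_LOGINS.get(login_id)                     # step 5: match login_id
    return (user, 'ok') if user else (None, 'no Canvas login; none created')
```

The last branch is the point made under Background: a directory user with a valid password but no matching Canvas login_id is refused, and no Canvas account is created.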


Prerequisites

In order to set up an LDAP integration in Canvas you need to know the following information:
  • Host address of the LDAP server (ex: ldap.college.edu)
  • Port of the LDAP server
  • Encrypted/Secure LDAP (unencrypted/standard LDAP is not supported)
    • For information on which TLS option you should use (StartTLS or Simple TLS), please see the chart below this list. (No TLS is deprecated and should not be used.)
    • If you need assistance configuring encrypted/secure LDAP on your LDAP server, please contact your authentication provider or a qualified IT professional.
  • Base: the LDAP base query string
  • Filter: the LDAP filter used to select subsets of the search (for example (sAMAccountName={{login}}))
  • Login ID Attribute: if the LDAP attribute to be matched to the Canvas login_id is not the username the user provided, select the LDAP attribute here that should be used.
  • Username: the username for the query account
  • Password: the password for the institution-created Instructure user used for bind/re-bind
  • Login label: the label given to the username field on the login form. Many institutions have specific branded names for institutional accounts. Some examples could include: U-Key, Username, Route Y ID, etc.


Which TLS option should I select?

  • Is LDAP running on the LDAPS port (usually port 636)? Use Simple TLS.
  • Is LDAP running on the normal LDAP port (port 389)? Use Start TLS.


Bind/Re-bind

Institutions should create an LDAP account for Canvas by Instructure. This means they do not have to allow unauthenticated search or query access to their LDAP servers. Authenticated searches can more easily be logged and debugged when tied to an account.


Firewall Rules

Many LDAP servers are not publicly available and are protected by firewalls. If this is the case, your IT department will need to allow Canvas to communicate with the LDAP server before users can authenticate against it. This requires the creation of a firewall exception/rule that allows our servers access to the LDAP server. We designate a stable set of IP addresses to simplify these firewall rules (stable meaning they are not spun down by automated provisioning). Please ask your Customer Success Manager or Implementation Consultant to send you these IP addresses.


Configuring LDAP with Canvas
