How do I configure third-party authentication providers for a Canvas account?

Document created by Canvas Doc Team Employee on Apr 19, 2017. Last modified by Canvas Doc Team Employee on Aug 5, 2017.
Version 11

Canvas supports authentication with a variety of third-party identity providers, which can be configured in the Canvas interface. Each provider requires the admin to set an attribute to be associated with the account, such as a user ID, email, or login. Currently supported integrations include Facebook, GitHub, LinkedIn, Twitter, Google Apps, Microsoft (Office 365), Clever, CAS, LDAP, OpenID, and SAML. Some providers require custom components for configuration. All providers support Single Sign On (SSO) authentication.

Third-party authentication providers can be used in addition to Canvas authentication.

User Credentials

Once a provider has been saved in Canvas, the provider’s authentication login credentials must be added to each Canvas user’s account through SIS CSV files or the Authentication Providers API. (Currently there is no support for adding user credentials through the Canvas interface.) Each authentication provider supports specifically recognized parameters; some providers may recognize additional parameters. Unrecognized parameters are not supported.

To get additional help about authentication systems, including Single Sign On (SSO) support, view the Authentication documents in the Canvas Community Admin Group.

Just In Time Provisioning

As part of the authentication process, admins can apply Just in Time Provisioning, which tells Canvas to automatically create a user's account if one does not already exist. Currently, when a user logs in to Canvas using a third-party authentication system, Canvas searches the users in the account for a matching user parameter for that service. If a matching parameter is not found, Canvas returns the user to the authentication provider portal with a message that the user could not be found. When Just in Time Provisioning (JIT) is enabled, Canvas automatically creates the user using an ID that matches the username used with the authentication provider.

JIT provisioning must be configured via API for the specific authentication provider (see the Authentication Providers API). It does not need to be configured for individual users via API or SIS.

Federated Attributes

As a complement to JIT provisioning, all authentication providers support federated attributes. When users log in to Canvas, more information beyond just the ID is passed to Canvas, and that information is associated with their existing user accounts. More information can be found in the Authentication Providers API.
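
The lookup described under Just In Time Provisioning and Federated Attributes, as a simplified model added here for illustration (not Canvas code and not part of the original document). The Provider and Account classes, the login function, and all sample values are hypothetical; the model shows that with JIT enabled, any identity the provider authenticates receives a Canvas account, and that mapped provider attributes overwrite the values stored in Canvas.

```python
# Simplified model of the login lookup described above; not Canvas source code.
from dataclasses import dataclass, field

@dataclass
class Provider:
    auth_type: str
    jit_provisioning: bool = False
    # Canvas attribute -> provider attribute, as set under "Federated Attributes"
    federated_attributes: dict = field(default_factory=dict)

@dataclass
class Account:
    # Login ID for this provider -> Canvas user attributes
    users: dict = field(default_factory=dict)

def login(account, provider, claims, login_attribute="sub"):
    """Return (outcome, user) for one assertion from the identity provider."""
    login_id = claims[login_attribute]
    user = account.users.get(login_id)
    if user is None:
        if not provider.jit_provisioning:
            # No match and JIT off: the user is sent back to the provider portal.
            return "rejected", None
        # JIT on: an account is created for whoever the provider authenticated.
        user = account.users.setdefault(login_id, {"login_id": login_id})
        outcome = "provisioned"
    else:
        outcome = "matched"
    # Federated attributes: mapped provider values overwrite Canvas values.
    for canvas_attr, provider_attr in provider.federated_attributes.items():
        if provider_attr in claims:
            user[canvas_attr] = claims[provider_attr]
    return outcome, user

if __name__ == "__main__":
    # Constructed sample data.
    account = Account(users={"1001": {"login_id": "1001", "email": "old@example.edu"}})
    claims_known = {"sub": "1001", "email": "new@example.edu", "name": "A. Student"}
    claims_unknown = {"sub": "9999", "email": "stranger@example.com"}
    mapping = {"email": "email", "display name": "name"}
    strict = Provider("google", jit_provisioning=False, federated_attributes=mapping)
    permissive = Provider("google", jit_provisioning=True, federated_attributes=mapping)
    print(login(account, strict, claims_known))        # matched, email updated
    print(login(account, strict, claims_unknown))      # rejected, no account created
    print(login(account, permissive, claims_unknown))  # provisioned
```
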

Open Account

In Global Navigation, click the Admin link [1], then click the name of the account [2].

Open Authentication

In Account Navigation, click the Authentication link.

Choose Provider

In the Authentication drop-down menu, select an authentication service.

Save Provider Data

Enter the data required by the service [1]. Some providers require custom components for configuration.

To enable Just in Time Provisioning, click the Just in Time Provisioning checkbox [2].

Set Federated Attributes

To use a federated attribute, select a Canvas provider attribute in the drop-down menu [1]. This is the attribute that you want to use in Canvas. Available attributes include display name, email, given name, integration ID, locale, name, sis user ID, sortable name, surname, and time zone.

Click the Add Attribute button [2].

Select Provider Attribute

In the Provider Attribute drop-down menu, choose the attribute value that will match the selected Canvas attribute. Available values include email, family name, given name, locale, name, and sub (subject identifier, a user ID commonly used with OpenID Connect, Google, and Microsoft specifications).

Note that not all values will exactly match the Canvas attribute. For instance, if you set email as an attribute in Canvas, the provider attribute value options also include email, meaning that the email address from the provider will be used to update the email address in Canvas. However, some Canvas attributes may not align with the available provider attribute values.

Save Data

Click the Save button.

Manage Provider

To change the position of your authentication providers, click the position menu [1] and choose the placement number for the new position. Positions affect the Discovery URL when an account has configured SSO Settings.

To delete the provider, click the Delete button [2].

Remove Authentication

Remove All Authentication

To remove all previously configured authentication providers, click the Remove Authentication button.

Note: The remove button does not affect SSO Settings or Canvas authentication.

Confirm Removal

Removing all authentication methods may affect your students' ability to log in to Canvas. To confirm, click the OK button.
