Aurelien Mansier

Configuring Okta (SAML) and Canvas Authentication

Blog Post created by Aurelien Mansier Employee on Jan 26, 2020

In my role as a Project Consultant, I frequently assist clients with configuring their authentication for Canvas. Because I have had several requests recently for assistance with Okta, I decided to put this resource together.

 

Prerequisites

  • Any user that needs to authenticate via Okta must already have a user account provisioned in Canvas.
  • The login ID field in Canvas must match the username field returned from Okta.
  • Access to the Okta Admin Console.
  • Admin access in your Canvas instance.

Configuring Okta with Canvas

To set up Okta as the identity provider for Canvas, use the following steps:

  1. From the Okta Dashboard, click Add Applications.

  2. Click the Create New App button.

  3. Select SAML 2.0 and then click the Create button.

  4. Under General Settings, name the App and then click the Next button.



  5. Under SAML Settings, input https://YOURDOMAIN.instructure.com/login/saml as the Single sign on URL (ACS URL).

    Then check the option to Allow this app to request other SSO URLs. Copy and paste the Single sign on URL and then add 0 as the Index number.

    Click the + Add Another button and input https://YOURDOMAIN.beta.instructure.com/login/saml as the next Requestable SSO URL and add 2 as the Index number.

    Repeat the process to add https://YOURDOMAIN.test.instructure.com/login/saml and add 3 as the index number.

    Next, input http://YOURDOMAIN.instructure.com/saml2 as the Audience URI (SP Entity ID).

    Click the Show Advanced Settings link.

    NOTE: For vanity URLs, be sure to add https://YOURVANITYURL/login/saml as a Requestable SSO URL with an Index number of 4.

  6. For the Authentication context class, select X.509 Certificate.

  7. Under Preview the SAML assertion generated from the information above, click the Next button.

  8. Under Help Okta Support understand how you configured this application, select I'm an Okta customer adding an internal app and check the option for This is an internal app that we have created.

    Then click the Finish button.

  9. Copy the Link Address for the Identity Provider metadata.

  10. In your Canvas instance, go to the account settings and click on Authentication. Then select SAML on the authentication service dropdown menu.



  11. Paste the Identity Provider metadata link address in the IdP Metadata URI box.



  12. Scroll to the bottom of the page and click the Save button. This will populate all the required fields for the configuration. Click the Save button again to finalize the process.
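
The following check is an added example, not part of the original post or of Okta's or Canvas's own tooling. It compares an assertion (such as the preview shown in step 7) against the ACS URLs and Audience URI from step 5 and against the login ID prerequisite. The domain "myschool", the login ID, the sample XML and the function names are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def expected_sp_settings(domain, vanity_host=None):
    """ACS URLs keyed by index, and the audience URI, as entered in step 5."""
    acs = {0: f"https://{domain}.instructure.com/login/saml",
           2: f"https://{domain}.beta.instructure.com/login/saml",
           3: f"https://{domain}.test.instructure.com/login/saml"}
    if vanity_host:
        acs[4] = f"https://{vanity_host}/login/saml"
    return acs, f"http://{domain}.instructure.com/saml2"

def check_assertion(xml_text, domain, canvas_login_ids, vanity_host=None):
    """List configuration mismatches. Does NOT verify the signature."""
    acs, audience = expected_sp_settings(domain, vanity_host)
    root = ET.fromstring(xml_text)
    problems = []
    name_id = root.findtext(".//saml:Subject/saml:NameID", namespaces=NS)
    if name_id is None or name_id.strip() not in canvas_login_ids:
        problems.append(f"NameID {name_id!r} matches no Canvas login ID")
    data = root.find(".//saml:SubjectConfirmationData", NS)
    recipient = data.get("Recipient") if data is not None else None
    if recipient not in acs.values():
        problems.append(f"Recipient {recipient!r} is not a configured ACS URL")
    audiences = [a.text for a in root.iterfind(".//saml:Audience", NS)]
    if audience not in audiences:
        problems.append(f"Audience {audiences} does not include {audience!r}")
    return problems

# Constructed sample (hypothetical domain "myschool"); the Audience uses https
# instead of the http:// entity ID, so the check reports it.
SAMPLE = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:Subject>
    <saml2:NameID>jdoe@example.edu</saml2:NameID>
    <saml2:SubjectConfirmation>
      <saml2:SubjectConfirmationData Recipient="https://myschool.instructure.com/login/saml"/>
    </saml2:SubjectConfirmation>
  </saml2:Subject>
  <saml2:Conditions><saml2:AudienceRestriction>
    <saml2:Audience>https://myschool.instructure.com/saml2</saml2:Audience>
  </saml2:AudienceRestriction></saml2:Conditions>
</saml2:Assertion>"""

if __name__ == "__main__":
    for problem in check_assertion(SAMPLE, "myschool", {"jdoe@example.edu"}):
        print(problem)
```

An empty result means the three values line up with the configuration; it says nothing about whether the assertion is signed or trusted.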

 

Additional Resources

For more information about configuring authentication for Canvas, please check out the following guides:
