In my role as a Project Consultant, I frequently assist clients with configuring their authentication for Canvas. Because I have had several requests recently for assistance with Okta, I decided to put this resource together.
- Any user that needs to authenticate via Okta must already have a user account provisioned in Canvas.
- The login ID field in Canvas must match the username field returned from Okta.
- Access to the Okta Admin Console.
- Admin access in your Canvas instance.
Configuring Okta with Canvas
To set up Okta as the identify provider for Canvas, use the following steps:
- From the Okta Dashboard, click Add Applications.
- Click the Create New App button.
- Select SAML 2.0 and then click the Create button.
- Under General Settings, name the App and then click the Next button.
- Under SAML Settings, input https://YOURDOMAIN.instructure.com/login/saml as the Single sign on URL (ACS URL).
Then check the option to Allow this app to request other SSO URLs. Copy and paste the Single sign on URL and then add 0 as the Index number.
Click the + Add Another button and input https://YOURDOMAIN.beta.instructure.com/login/saml as the next Requestable SSO URL and add 2 as the Index number.
Repeat the process to add https://YOURDOMAIN.test.instructure.com/login/saml and add 3 as the index number.
Next, input http://YOURDOMAIN.instructure.com/saml2 as the Audience URI (SP Entity ID).
Click the Show Advanced Settings link.
NOTE: For vanity URLs, be sure to add https://YOURVANITYURL/login/saml as a Requestable SSO URL with an Index number of 4.
- For the Authentication context class, select X.509 Certificate.
- Under Preview the SAML assertion generated from the information above, click the Next Button.
- Under Help Okta Support understand how you configured this application, select I'm an Okta customer adding an internal app and check the option for This is an internal app that we have created.
Then click the Finish button.
- Copy the Link Address for the Identity Provider metadata.
- In your Canvas instance, go to the account settings and click on Authentication. Then select SAML on the authentication service dropdown menu.
- Paste the Identity Provider metadata link address in the IdP Metadata URI box.
- Scroll to the bottom of the page and click the Save button. This will populate all the required fields for the configuration. Click the Save button again to finalize the process.
For more information about configuring authentication for Canvas, please check out the following guides: