Configuring Okta (SAML) and Canvas Authentication

Instructure
Instructure
0 0 568

In my role as a Project Consultant, I frequently assist clients with configuring their authentication for Canvas. Because I have had several requests recently for assistance with Okta, I decided to put this resource together.

Prerequisites

  • Any user that needs to authenticate via Okta must already have a user account provisioned in Canvas.
  • The login ID field in Canvas must match the username field returned from Okta.
  • Access to the Okta Admin Console.
  • Admin access in your Canvas instance.

Configuring Okta with Canvas

To set up Okta as the identify provider for Canvas, use the following steps:

  1. From the Okta Dashboard, click Add Applications.

    Okta Dashboard

  2. Click the Create New App button.

    Create New App button

  3. Select SAML 2.0 and then click the Create button.

    Select SAML 2.0 and Create button

  4. Under General Settings, name the App and then click the Next button.

    336356_Screen Shot 2020-01-26 at 12.53.34 PM.png

  5. Under SAML Settings, input https://YOURDOMAIN.instructure.com/login/saml as the Single sign on URL (ACS URL).

    Then check the option to Allow this app to request other SSO URLs. Copy and paste the Single sign on URL and then add 0 as the Index number.

    Click the + Add Another button and input https://YOURDOMAIN.beta.instructure.com/login/saml as the next Requestable SSO URL and add 2 as the Index number.

    Repeat the process to add https://YOURDOMAIN.test.instructure.com/login/saml and add 3 as the index number.

    Next, input http://YOURDOMAIN.instructure.com/saml2 as the Audience URI (SP Entity ID).

    Click the Show Advanced Settings link.

    SAML Settings

    NOTE: For vanity URLs, be sure to add https://YOURVANITYURL/login/saml as a Requestable SSO URL with an Index number of 4.

  6. For the Authentication context class, select X.509 Certificate.

    Advanced Settings

  7. Under Preview the SAML assertion generated from the information above, click the Next Button.

    Next button

  8. Under Help Okta Support understand how you configured this application, select I'm an Okta customer adding an internal app and check the option for This is an internal app that we have created.

    Then click the Finish button.

    Internal app setings

  9. Copy the Link Address for the Identity Provider metadata.

    Identity provider metadata

  10. In your Canvas instance, go to the account settings and click on Authentication. Then select SAML on the authentication service dropdown menu.

    336358_Screen Shot 2020-01-26 at 1.28.12 PM.png

  11. Paste the Identity Provider metadata link address in the IdP Metadata URI box.

    337005_Screen Shot 2020-01-26 at 1.45.26 PM copy.png

  12. Scroll to the bottom of the page and click the Save button. This will populate all the required fields for the configuration. Click the Save button again to finalize the process.

    336361_Screen Shot 2020-01-26 at 1.49.24 PM.png

Additional Resources

For more information about configuring authentication for Canvas, please check out the following guides: