Community

ward_michael · ‎09-18-2019

When using LDAP authentication with Canvas, why does the logout redirect URL use the local /login/canvas redirect instead of the /login/ldap or better not use any hard coded path and just use the root level domain url which would by default redirect to whatever we set as the default authentication?

This is a bug. Having the logout redirect hard coded to /local/canvas causes our students and staff after logging out to get an error saying invalid username or password because we do not set local passwords in Canvas. Can this be fixed by Instructure since there is no setting for me as an admin to set a logout web page for LDAP?

robotcars · ‎09-18-2019

Ours redirects to /login/ldap when logging out. Looking at 'Authentication', I do not see any way to control this behavior. I would check with Canvas Support and file a ticket.

View solution in original post

robotcars · ‎09-18-2019

Ours redirects to /login/ldap when logging out. Looking at 'Authentication', I do not see any way to control this behavior. I would check with Canvas Support and file a ticket.

ward_michael · ‎09-18-2019

Interesting. I actually called Instructure Support before creating the initial post here and was told this incorrect redirect could not be changed. Perhaps I need another technical person at Instructure that may know how to configure this for us then. Perhaps it is a server setting that we need an Instructure admin to set for us?

ward_michael · ‎09-18-2019

Just to be clear, I have another question for you Robert Carroll.

Based on your profile I think your Canvas instance is this one, correct?

https://ccsd.instructure.com/login/ldap

So when a user after logging in, clicks on the Account link on the main global navigation and clicks the Logout button, then it will redirect them to the same above LDAP URL, correct? It does not redirect them to https://ccsd.instructure.com/login/canvas link instead? Ideally, the logout functionality should just go to the root level https://ccsd.instructure.com/ so then it would redirect to whatever is set as the default authentication login page (in your case, the ldap path).

We actually typically use Shibboleth/SAML authentication which communicates with our California state OpenCCC system but they had an issue today so I had switched temporarily to LDAP but then noticed the logout redirect looked incorrect. I just wanted to get that fixed just in case we need to use LDAP temporarily in the future.

robotcars · ‎09-19-2019

Yes, the logout goes to /login/ldap.

You might test this, but /login/canvas and the default /, first try a Canvas authentication and then try against the authentication provider. I am able to set the url to /login/canvas and use my auth/provider credentials, not my Canvas credentials.

There is an option at the bottom of Authentication, check these out and see if they make a difference. I'm heading to the dentist so no time to test on beta.

https://community.canvaslms.com/docs/DOC-10796-4214252283

ward_michael · ‎09-19-2019

Oh yes! I forgot that the LDAP and local Canvas authentication both support fall-through (or fallback) authentication attempts where if the authentication fails on the primary then it tries the other providers. SAML, however, does not appear to support fall-through authentication.

I tested this by setting my local Canvas password different than my LDAP password.

------------------------------------

* When SAML is Position 1, LDAP Position 2, Canvas Position 3, I can log in with SAML (it uses LDAP password) but if I try my local password it just fails stuck on the SAML login page.

* When LDAP is Position 1, SAML Position 2, Canvas Position 3, I can log in with both my LDAP AND my local password so LDAP authentication supports fall-through (or fallback) authentication but must be skipping SAML otherwise the local password would get stuck at the SAML authentication.

* When Canvas is Position 1, SAML Position 2, LDAP Position 3, I can log in with both my LDAP AND my local password so the local Canvas authentication supports fall-through (or fallback) authentication but must be skipping SAML as well.

------------------------------------

So at least our students and instructors should still be able to log into Canvas when LDAP is primary but the Logout redirects to the local Canvas URL.

It still does not look technically correct for the logout but functionally due to the fallback that LDAP supports then the login should still work.

Instructure Support (first level) said they checked with their next level support and that it was default when logging out for it to redirect to /login/canvas and they did not see a way to update this from their end. They believe it is a setting made on our institution LDAP end. I sent them a link to this discussion to point out another Canvas institution appears to have been able to redirect the logout to /login/ldap (or maybe just to the root which would auto redirect to that as the default).

Did your institution configure something on your LDAP side to make Canvas redirect upon Logout to the /login/ldap path? I am checking with my Network guy on this but I tend to think this is a setting on Instructure Canvas side but have no idea since it is a black box for us. I wonder if an Instructure sys admin or certain engineer would be more familiar with this but getting a hold of them is the challenge.

jsavage2 · ‎09-19-2019

Hi Michael,

This sounds like you may need to reach out to your TSM. What you describe as the ideal behavior is, in fact, pretty close what the docs say should happen and what I've always seen on our instances.

After logout, users come back as unknown users and should get directed to whatever the default login is, or the discovery page if you have one.

If you have LDAP in position 1, they should go to LDAP, if you have SAML they should go to SAML, etc. If you bumped LDAP up to position 1 today, they should get LDAP.

The only caveat is for auth types that support logout redirect. With SAML, for instance, users can optionally get sent back to SSO on logout, and then redirected to wherever the provider wants to send them.

ward_michael · ‎09-19-2019

Hi Jay,

Yes, I think I may need to contact our Customer Success Managers.

Since Robert Carroll has his institution's Canvas logout correctly going to /login/ldap when using LDAP with Canvas then ours should be able to redirect to that as well. I just need to narrow down whether this is a setting on our end with our LDAP server configuration or if it is an Instructure server configuration that we need like one of their sys admins to update for our Canvas environment since there does not appear to be any setting from the Canvas admin web pages that I have access for Authentication.

Fortunately, the SAML issue our California state was having was fixed so we are back on SAML as our primary. But in case an issue arises again in the future then would like our Canvas LDAP authentication to behave as expected even though it appears the fallback seems to keep things functioning by ignoring the failed local Canvas login attempt.

Yes, we like the Log Out URL configuration setting on our SAML so we can specify where we want users to be redirected upon logout. I wish Canvas also had that configuration setting for LDAP so I could input what path I want for logout but it does not.

Community

Have a Canvas Question?

Have a Mastery Question?

Have an Elevate Question?

Have an Impact Question?

BUG: LDAP logout incorrectly goes to local /login/canvas path

Valid state from API? Submission not late or missi...

OAuth2 Login force specific Authentication Provide...

Potential Bug in Canvas Live Events

Canvas Access Token keeps expiring after calling S...

User Licensing - improvements