Configuring ClassLink (SAML) and Canvas Authentication

    Official Canvas Document


This article describes the process of configuring ClassLink as an Identity Provider (IdP) ready to work with Canvas.

Authentication Terminology

Term: Definition

IdP: Identity Provider
    The job of the IdP is to identify users based on credentials. The IdP typically provides the login screen interface and presents information about the authenticated user to service providers after successful authentication.
    ClassLink is the Identity Provider.

login_id: Username in Canvas terminology.
    When information about an authenticated user is returned to Canvas, a user with a login_id matching the incoming data is looked for.

Metadata: Information about the SP or IdP.
    This metadata is almost always provided in the form of XML. The metadata about your Canvas instance is located at http://<yourcanvas>.instructure.com/saml2 (replace <yourcanvas> with the first portion of your Canvas domain).

SAML: Security Assertion Markup Language

SIS: Student Information System

SIS ID: Unique ID of a user in Canvas.
    Used to link a user to an outside system, often a Student Information System (SIS).

SLO: Single Logout
    When a user logs out of a service, some IdPs can subsequently log the user out of all other services the user has authenticated to.

SP: Service Provider
    An SP is usually a website providing information, tools, reports, etc. to the end user. Canvas provides a learning environment to teachers, students, and admins and is, therefore, the Service Provider.
    Note: An SP cannot authenticate against an IdP unless the IdP is known to the SP. Likewise, an IdP will not send assertions to an SP that it does not know about.

SSO: Single Sign-On
    This is what happens when a user isn't required to log in to a second service because information about the authenticated user is passed to the service.

 

Pre-requisites

  • Canvas does not automatically create user accounts from successful single-sign-ons. User accounts must either be created manually in the web interface or through the SIS import CSVs.

  • The login_id field in Canvas must match the selected field returned from ClassLink.

  • Your organization must have a ClassLink subscription.

  • You must be able to log in to the admin console for your organization.

Login Release Valve

You may accidentally lock yourself out of Canvas while you are setting up authentication. If this happens, you can log in to Canvas using local authentication. Go to http://<yourcanvasname>.instructure.com/login/canvas. This forces Canvas to display the local login form rather than redirecting to the SAML login page.

Configure ClassLink SAML

Audience: ClassLink Administrator

Reference: Canvas SAML – ClassLink

 

1. Launch the ClassLink IDP Console

After you log in to the IDP Console, click on COPY EXISTING from the top of the navigation menu. This will present a list of pre-configured SAML connections.

 

2. Copy the Canvas (RosterServer required) template from the library.

 

3. Enter Service Provider Entity ID

To do this, click Edit.

 
Enter the Canvas SP Entity ID, for example: http://YOURSUBDOMAIN.instructure.com/saml2

While editing the SAML app, locate the Login URL field then input your LaunchPad custom login URL.

 


 

Not sure what your custom login URL is? The login page URL is located in the ClassLink Management Console under Settings > Login Page.

Once you've completed updating the SAML settings, scroll down to save.

 

4. Copy IDP Metadata

You will now see the Canvas SAML connector in your list of applications. Copy the IDP Metadata URL and enter this in Canvas (Configure Canvas Authentication).

Configure Canvas Authentication


The following steps take place in Canvas. 

1. In a new browser tab, log in to your Canvas instance as an administrator. From the Admin tile, click Authentication.

 

 

2. Click on the Choose an Authentication drop-down, then select the SAML option.

 

 

3. On the SAML configuration page, paste the Identity Provider metadata URL into the IdP Metadata URI field.

4. Click Save.

 


 

After you save, the page will reload with the values for IdP Entity ID, Log On URL, Log Out URL and Certificate Fingerprint automatically filled in.

 

5. Test the configuration. Open a new incognito window, and go to

https://<YOURDOMAIN>.instructure.com/login/saml

 

If the test is successful, you are prompted to enter your ClassLink credentials. You are then logged in and redirected to your Canvas instance.

 

 

Note: Canvas does not automatically create user accounts from successful single-sign-ons. User accounts must either be created manually in the web interface or through the SIS import CSVs.

 

6. Return to the Authentication screen. To make SAML the primary method for authentication, navigate to the bottom of the SAML section, and change Position to 1.
 
7. Click Save.
 
Notes:
  • Each Canvas account comes with a test and beta environment. You will want to test your authentication setup in the test area first before moving to production. The process for configuring SAML for a test or beta site is similar to the process described in this document. 
  • The Canvas metadata contains AssertionConsumerService URLs for each of the production, test, and beta environments. With a single entity ID, there may be some confusion around how to configure the IdP to work for these three seemingly separate areas. You should consider all three together as a single Service Provider with a single Entity ID but three possible AssertionConsumerService URLs.