Configuring LDAP and Canvas Authentication
Official Canvas Document
- Background
- Authentication Workflow
- Prerequisites
- Which TLS option should I select?
- Bind/Re-bind
- Firewall Rules
- Configuring LDAP with Canvas
Background
Single Sign On (SSO) is functionality that many schools configure during the implementation phase of transitioning their institution to Canvas. SSO provides many benefits, not least that after users sign in to one service at the institution they are automatically authenticated to every other service that uses SSO. The user only has to remember one set of credentials.
LDAP, by contrast, is a shared authentication method rather than SSO. It keeps the benefit of a single username and password, but the user must still sign in to each service separately with that set of credentials.
When Instructure Canvas receives a successful identity assertion from any of its supported authentication integrations, it searches for a user login whose login_id matches the asserted identity. If it finds a matching login, it signs in the associated user account.
LDAP is used for authentication only. Adding a new account to the LDAP tree does not automatically create an account in Canvas; the user must already exist in Canvas with a matching login_id.
This article describes the process of configuring and debugging LDAP authentication to work with Canvas.
Authentication Workflow
This is the typical workflow of LDAP once it is enabled.
During the login process:
- A user provides a username and password via the secure login page.
- Instructure Canvas binds to the configured LDAP server using the credentials of the configured query account.
- The username the user provided is substituted into the configured filter, and the resulting filter is searched under the configured base to locate the user's LDAP entry.
- Canvas re-binds as the entry found above, using the password the user provided, to authenticate the user.
- If that bind succeeds, Canvas looks up the associated user by matching a Canvas login_id to the username provided at login (or to the configured Login ID Attribute).
- If the user is found, they are logged in. Roles and permissions are dictated by enrollments within Canvas, not by anything in LDAP.
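The workflow above, end to end, as an added example that is not Canvas code and does not describe Canvas internals. The directory entries, passwords, Canvas login table and configuration values are constructed sample data, and the LDAP server is simulated in-process so the block runs offline. Two details the page does not state about Canvas, and which are general LDAP practice rather than Canvas behaviour, are built in because a practitioner implementing or reviewing this flow needs them: the login is escaped per RFC 4515 before it is spliced into the filter, and an empty password is refused before the re-bind because RFC 4513 treats an empty-password bind as unauthenticated (many servers answer it with success as anonymous).

```python
"""Model of the login workflow above: bind as the query account, put the
login into the filter, search under the base, re-bind as the entry found,
then map the result to a Canvas login_id.

Added example, not Canvas code. DIRECTORY, CANVAS_LOGINS and CONFIG are
constructed sample data; the server behaviour is simulated in-process."""
import re

# Constructed sample directory: DN -> (attributes, password).
DIRECTORY = {
    "cn=canvas-bind,ou=service,dc=college,dc=edu":
        ({"cn": ["canvas-bind"]}, "bind-secret"),
    "cn=jdoe,ou=people,dc=college,dc=edu":
        ({"sAMAccountName": ["jdoe"], "mail": ["jdoe@college.edu"]}, "Passw0rd!"),
    "cn=asmith,ou=people,dc=college,dc=edu":
        ({"sAMAccountName": ["asmith"], "mail": ["asmith@college.edu"]}, "hunter2"),
}
# Constructed Canvas login table: login_id -> Canvas user id.
CANVAS_LOGINS = {"jdoe": 101, "asmith@college.edu": 102}
# Settings in the shape of the prerequisites list; all values are assumptions.
CONFIG = {
    "base": "ou=people,dc=college,dc=edu",
    "filter": "(sAMAccountName={{login}})",
    "login_attribute": None,   # None: the typed username is the login_id
    "bind_dn": "cn=canvas-bind,ou=service,dc=college,dc=edu",
    "bind_password": "bind-secret",
}

def escape_filter_value(value):
    """RFC 4515 escaping for a value spliced into a filter template, so a
    login such as '*' is searched for literally instead of acting as a
    wildcard. General LDAP practice; the page does not say how Canvas does it."""
    return re.sub(r"[\\*()\x00]", lambda m: "\\%02x" % ord(m.group(0)), value)

def _value_matcher(raw):
    # Server-side semantics that make escaping matter: a bare '*' is a
    # wildcard, '\xx' is a literal byte.
    parts = []
    for tok in re.findall(r"\\[0-9a-fA-F]{2}|\*|[^\\*]+", raw):
        if tok == "*":
            parts.append(".*")
        elif tok.startswith("\\"):
            parts.append(re.escape(chr(int(tok[1:], 16))))
        else:
            parts.append(re.escape(tok))
    return re.compile("".join(parts) + r"\Z")

def search(base, filter_expr):
    """Evaluate one equality filter like (attr=value) below base; return DNs."""
    m = re.fullmatch(r"\((\w+)=(.*)\)", filter_expr)
    if m is None:
        raise ValueError("only a single equality filter is modelled")
    attr, matcher = m.group(1), _value_matcher(m.group(2))
    return [dn for dn, (attrs, _) in DIRECTORY.items()
            if dn.endswith(base)
            and any(matcher.match(v) for v in attrs.get(attr, []))]

def bind(dn, password):
    """Simple bind. An empty password is an unauthenticated bind (RFC 4513
    section 5.1.2) that many servers accept as anonymous, so it is refused
    here before it can ever count as a successful login."""
    if not password:
        return False
    entry = DIRECTORY.get(dn)
    return entry is not None and entry[1] == password

def build_filter(login, config, escape=True):
    value = escape_filter_value(login) if escape else login
    return config["filter"].replace("{{login}}", value)

def authenticate(login, password, config):
    """Return the Canvas user id on success, None on any failure."""
    # 1. Bind with the query account.
    if not bind(config["bind_dn"], config["bind_password"]):
        raise RuntimeError("query account bind failed: check bind DN/password")
    # 2. Substitute the login into the filter and search under the base.
    matches = search(config["base"], build_filter(login, config))
    if len(matches) != 1:          # unknown or ambiguous: never pick one
        return None
    user_dn = matches[0]
    # 3. Re-bind as the entry found, with the password the user typed.
    if not bind(user_dn, password):
        return None
    # 4. Match a Canvas login_id: the typed username or the configured attribute.
    attr = config["login_attribute"]
    login_id = login if attr is None else DIRECTORY[user_dn][0][attr][0]
    return CANVAS_LOGINS.get(login_id)

if __name__ == "__main__":
    print(authenticate("jdoe", "Passw0rd!", CONFIG))                       # 101
    print(authenticate("jdoe", "", CONFIG))                                # None
    print(search(CONFIG["base"], build_filter("*", CONFIG, escape=False)))  # 2 DNs
    print(search(CONFIG["base"], build_filter("*", CONFIG)))               # []
```

The last two calls show why the escaping step matters: an unescaped `*` substituted into `(sAMAccountName={{login}})` matches every entry under the base, while the escaped form `\2a` matches nothing. Setting `login_attribute` to `mail` reproduces the Login ID Attribute option from the prerequisites: the user still types `asmith`, but the login_id looked up in Canvas is `asmith@college.edu`.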
Prerequisites
- Host address of the LDAP server (ex: ldap.college.edu)
- Port of the LDAP server (usually 636 for LDAPS or 389 for StartTLS; see the chart below)
- Encrypted/secure LDAP (unencrypted/standard LDAP is not supported)
- For information on which TLS option you should use (StartTLS or Simple TLS), please see the chart below this list. (No TLS is deprecated and should not be used.)
- If you need assistance configuring encrypted/secure LDAP on your LDAP server, please contact your authentication provider or a qualified IT professional.
- Base: the LDAP base DN under which user entries are searched
- Filter: the LDAP filter used to select the user entry; {{login}} is replaced with the username the user typed (for example (sAMAccountName={{login}}))
- Login ID Attribute: if the value to match against the Canvas login_id is not the username the user provided, select the LDAP attribute that should be used instead
- Username: the username of the query account used for the initial bind
- Password: the password of the institution-created account that Canvas uses for the bind/re-bind
- Login label: the label shown for the username field on the login form. Many institutions have specific branded names for institutional accounts, for example U-Key, Username or Route Y ID.
Which TLS option should I select?
Where is your LDAP server listening? | Option to select
---|---
On the LDAPS port (usually port 636) | Simple TLS
On the normal LDAP port (port 389) | Start TLS
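The two options differ at the protocol level, which is what the chart is really asking about: with Simple TLS (LDAPS) the connection is TLS from the first byte, whereas with StartTLS the client speaks plaintext LDAP on port 389, sends the StartTLS extended operation (OID 1.3.6.1.4.1.1466.20037, RFC 4511 section 4.14), and only then upgrades the same connection to TLS. The following added example, which is not Canvas code or a Canvas API, encodes that extended request, parses the server's extended response, and provides two probe functions for checking which option a server actually supports before filling in the Canvas settings. The host and port arguments are assumptions; the response bytes used in the usage section are constructed.

```python
"""Probes for the Simple TLS vs StartTLS choice above.

Added example, not Canvas code. Host/port are assumptions; the response
bytes used for the offline check are constructed."""
import socket
import ssl

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"   # RFC 4511 section 4.14

def _ber(tag, body):
    # Definite-length BER encoding, enough for these small messages.
    if len(body) < 0x80:
        length = bytes([len(body)])
    else:
        n = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(n)]) + n
    return bytes([tag]) + length + body

def starttls_request(message_id=1):
    """LDAPMessage { messageID, ExtendedRequest { requestName StartTLS } }."""
    ext = _ber(0x77, _ber(0x80, STARTTLS_OID))   # [APPLICATION 23], [0]
    return _ber(0x30, _ber(0x02, bytes([message_id])) + ext)

def _read_tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                             # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def starttls_result_code(response):
    """resultCode of an ExtendedResponse: 0 means the server will negotiate
    TLS on this connection now; anything else means StartTLS is refused and
    a Simple TLS (LDAPS) port should be used instead."""
    tag, msg, _ = _read_tlv(response, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, _, pos = _read_tlv(msg, 0)                 # skip messageID
    tag, ext, _ = _read_tlv(msg, pos)
    if tag != 0x78:                               # [APPLICATION 24]
        raise ValueError("not an ExtendedResponse")
    tag, code, _ = _read_tlv(ext, 0)
    if tag != 0x0A:                               # ENUMERATED
        raise ValueError("missing resultCode")
    return int.from_bytes(code, "big")

def probe_simple_tls(host, port=636, timeout=5):
    """LDAPS: TLS first, LDAP afterwards. Returns the negotiated TLS version.
    Certificate and hostname are verified with the default context."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version()

def probe_starttls(host, port=389, timeout=5):
    """Plain LDAP first, then the StartTLS extended op, then TLS.
    Returns the TLS version on success or the LDAP resultCode on refusal."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        raw.sendall(starttls_request())
        code = starttls_result_code(raw.recv(4096))
        if code != 0:
            return code
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version()

if __name__ == "__main__":
    # Constructed server replies: success (resultCode 0) and protocolError (2).
    ok = bytes.fromhex("300c02010178070a010004000400")
    refused = bytes.fromhex("300c02010178070a010204000400")
    print(starttls_request().hex())
    print(starttls_result_code(ok), starttls_result_code(refused))   # 0 2
    # Against a real server (assumed host): probe_starttls("ldap.college.edu")
```

If `probe_simple_tls` completes the handshake, select Simple TLS with port 636; if `probe_starttls` returns a TLS version, select Start TLS with port 389. A non-zero resultCode from `probe_starttls` (for example 2, protocolError, or 53, unwillingToPerform) means the server is listening on 389 but will not upgrade, and connecting there without TLS is the deprecated No TLS setting the prerequisites warn against.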
Bind/Re-bind
Institutions should create a dedicated LDAP account for Canvas. This means they do not have to allow unauthenticated (anonymous) search or query access to their LDAP servers, and authenticated searches are easier to log and debug because they are tied to a known account. Grant this account only the read (search) access it needs over the user subtree; Canvas stores its password, so it should carry no other privileges.
Firewall Rules