Configuring Okta (SAML) and Canvas Authentication

    Official Canvas Document

 

 

Pre-requisites

  • Canvas does not automatically create user accounts from successful Single sign-ons (SSO). User accounts must either be created manually in the web interface or through the SIS import CSVs.
  • The login_id field in Canvas must match the selected field returned from Okta.
  • Your organisation must have an Okta subscription.
  • You must be able to log in to the Okta admin console for your organisation.

 

Login Release Valve

You may accidentally lock yourself out of Canvas while you are setting up authentication. If this happens, you can log in to Canvas using local authentication. Simply go to:

This forces Canvas to display the local login form, rather than redirecting to the SAML login page.

Configure Okta

To configure Canvas authentication through Okta, you will need to create a SAML 2.0 application integration.

  1. As an Okta admin, access the Add Application menu. Click the Create New App button.

  2. In the Create a New Application Integration window, select:

    Platform: Web
    Sign on method: SAML 2.0

    Then click the Create button.

  3. Enter an app name. You may also upload a logo (optional) and configure app visibility per your organization’s preferences. Click the Next button.

  4. Configure SAML settings:

    Single sign-on URL: https://<YOURDOMAIN>.instructure.com/login/saml

    Requestable SSO URLs (configure your Canvas Production, Test, and Beta environments):

    https://<YOURDOMAIN>.instructure.com/login/saml
    Index: 0

    https://<YOURDOMAIN>.test.instructure.com/login/saml
    Index: 1

    https://<YOURDOMAIN>.beta.instructure.com/login/saml
    Index: 2

    Audience URI (SP Entity ID): http://<YOURDOMAIN>.instructure.com/saml2
    (Note: use HTTP, not HTTPS in this field)

    Click the Next button.

  5. Select the I'm an Okta customer adding an internal app option. Then click the Finish button.

  6. On the summary screen, right-click Identity Provider metadata and copy the URL.

 

 

Configure Canvas Authentication


The following steps take place in Canvas. 

  1. In a new browser tab, log in to your Canvas instance as an administrator. From the Admin tile, click Authentication.

  2. Click on the Choose an Authentication drop-down, then select the SAML option.

  3. On the SAML configuration page, paste the Identity Provider metadata URL into the IdP Metadata URI field. Click Save.

  4. The page will reload with the values for IdP Entity ID, Log On URL, Log Out URL and Certificate Fingerprint automatically filled.

  5. Test the configuration. Open a new incognito window, and go to:

    https://<YOURDOMAIN>.instructure.com/login/saml

    If successful, you’ll be prompted to enter your Okta email address and password. You will then be logged in and redirected to your Canvas instance.

    Note: Canvas does not automatically create user accounts from successful single sign-ons. User accounts must either be created manually in the web interface or through the SIS import CSVs.

  6. Return to the Authentication screen. To make SAML the primary method for authentication, navigate to the bottom of the SAML section, and change Position to 1. Click Save.