Updating IdP SAML Fingerprint Inside Canvas (SAML Cert Rotation)

Updating Canvas Auth Config Fingerprint

If your SAML certificate is changing in your IdP (or has already changed and you've lost access to Canvas via SSO), there are a couple of ways to ensure that users don't lose access to Canvas (or to restore access).

  1. Ensure that a Root Account Canvas Admin has a local Canvas login to update your authentication configs if you ever lose SSO access. (<canvas_domain>/login/canvas)
  2. Check your SAML configuration page in Canvas. If you have an IdP Metadata URI populated in your Canvas config, Canvas will automatically pull new certificates and calculate both the old and new fingerprints nightly.
    1. Multiple fingerprint support is indicated by fingerprints separated by spaces in the Canvas UI.
  3. If your IdP Metadata URI field isn't populated, it may be because the auto parsing of the fields didn't correctly populate your metadata fields.
  4. You can populate the Certificate field manually with either a formatted or non-formatted fingerprint whose algorithm matches your Message Signing setting in Canvas. Use SHA1 for fingerprint calculation if your Message Signing is "Not Signed".
    1. If you are unsure of your fingerprint, you can calculate it by following the instructions below.

 

How to Calculate a SAML Fingerprint

  1. Open your IdP metadata XML file in a text editor, or in Google Chrome or Firefox.
    1. If you've lost access to Canvas, use the SAML debugger ("Start Debugger" on the Canvas SAML config) and initiate a login.
      1. If Validation Error = "no trusted signing key found", then you need to update your fingerprint.
      2. Scroll down to IdP Login Response Decrypted, where you can view the <X509Certificate>, and follow the next steps.
  2. Copy the data contained between the <ds:X509Certificate> tags (or <X509Certificate> in the debugger).
  3. Calculate the fingerprint using https://www.samltool.com/fingerprint.php
    1. Type '-----BEGIN CERTIFICATE-----' on the first line (the five dashes before and after must be included) and hit Enter.
    2. Paste the X.509 certificate starting on the second line (example below), set the Algorithm to match your signing config as identified above, and click "CALCULATE FINGERPRINT".

      [Screenshot: Calculate Fingerprint]
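
The same calculation can be done locally from the IdP metadata file: the fingerprint is the SHA-1 or SHA-256 digest of the base64-decoded contents of each <ds:X509Certificate> element. This is an added example, not part of the original article or of Canvas; the function names are hypothetical, and the sample metadata with its placeholder payloads is constructed so the script runs offline.

```python
# Added example (not Canvas or IdP code): compute SAML fingerprints locally.
import base64
import hashlib
import xml.etree.ElementTree as ET

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
DS = "{http://www.w3.org/2000/09/xmldsig#}"

def fingerprint(cert_text, algorithm="sha1", formatted=True):
    """Hash the DER certificate: the base64 payload, PEM markers and whitespace removed."""
    lines = [ln for ln in cert_text.splitlines() if not ln.strip().startswith("-----")]
    der = base64.b64decode("".join(" ".join(lines).split()), validate=True)
    if not der:
        raise ValueError("no certificate data found")
    digest = hashlib.new(algorithm, der).hexdigest()
    if not formatted:
        return digest  # non-formatted: bare hex
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def signing_fingerprints(metadata_xml, algorithm="sha1"):
    """Fingerprints of every signing certificate in IdP metadata, in document order."""
    # Assumes metadata from your own IdP; use a hardened parser for untrusted XML.
    root = ET.fromstring(metadata_xml)
    found = []
    for key in root.iter(MD + "KeyDescriptor"):
        if key.get("use", "signing") != "signing":  # no "use" attribute covers signing too
            continue
        for cert in key.iter(DS + "X509Certificate"):
            fp = fingerprint(cert.text or "", algorithm)
            if fp not in found:
                found.append(fp)
    return found

# Constructed sample: the payloads are placeholder bytes, not real certificates.
# Two signing keys model a rotation (old and new); the encryption key is skipped.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.edu">
 <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
   <ds:X509Certificate>YWJj</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
   <ds:X509Certificate>aGVsbG8=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
   <ds:X509Certificate>d29ybGQ=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
 </md:IDPSSODescriptor></md:EntityDescriptor>"""

if __name__ == "__main__":
    for alg in ("sha1", "sha256"):
        print(alg, " ".join(signing_fingerprints(SAMPLE_METADATA, alg)))
```

Run it against your real metadata by passing the file's contents to `signing_fingerprints`, choosing the algorithm that matches your Message Signing setting.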