Nathan ( @Beehive )
I'm a slow typist and needed to test some things. I see you've taken a liking to Chris' solution, but I had already put a lot of work into this response, so I'll send it anyway.
There are some other approaches. Since the /login/canvas never appeared to students, it won't be a big problem getting them to switch over. However, it leaves the in-secure method available for them to use and you'll want to prevent that.
The approach that first came to mind is to assign random but secure passwords for all of the existing users -- except for admins so that they cannot use it. That's what we did when we created the accounts before we had SAML (and before the option to limit to specific authentication methods was available through a SIS import). This kept our students from using the Canvas login, but it kept it available as a backdoor. We still use the /login/canvas URL for some other parts of the college that don't use the Microsoft logins.
If a student stumbles across the /login/canvas page somehow, you'll want to keep them from using it. Hopefully no student goes to the trouble, but some might find that "My old password still works if I go to /login/canvas" and bookmark it.
I will say that this can be disruptive. We used to CAS before switching to Microsoft and many students (and staff) had bookmarked the CAS login rather than the main Canvas page. We switched to Microsoft Azure / SAML, but left the CAS up and running since there were other systems on campus that used it. When the CAS server stopped working, we had people who couldn't get to Canvas because they had bookmarked the wrong page.
I would send out an announcement in Canvas that the old login page is going away and going to stop working before you make any changes.
If possible, make the change when it would least impact students. Doing it during finals week is not a good choice.
You can help people make the transition. Here are three techniques in order from least invasive to most extreme.
- Modify the login page through the Theme Editor
- Modify the login page using JavaScript
- Remove the Canvas login
You can modify the Canvas Login page by going to the Admin > Themes and using the theme editor. While you don't get to change the text, you could select a background image that contains instructions that this method has been discontinued and direct them to the proper way to login. Since it's a background image, there's the accessibility issue. It's not perfect, but it can ease the transition and provide a reminder for those who missed the many emails you sent them telling them of the upcoming change.
You could also use custom JavaScript to check for the pathname /login/canvas and then modify the page. Remove most of what is there and then add a note explaining what the student needs to do.
What you might do is check for the presence of a querystring. If the pathname is correct and the querystring is empty, then give your message. If the pathname is correct and a querystring exists -- you could even set it to a specific string -- then don't make the changes to the page.
For example,
- /login/canvas gets modified
- /login/canvas?login does not get modified and delivers the original page for your backdoor.
Here's a snippet to get you started. There are two options. The first notifies them and the second redirects them.
(function() {
'use strict';
if (window.location.pathname.startsWith('/login/canvas') && window.location.search === '') {
// Dynamically generate the URL for the main login page
// You could hardcode it, but this allows beta and test to work.
const mainLogin = `${window.location.protocol}//${window.location.host}`;
// option 1 - replace existing content with message and link
const content = document.getElementById('content');
content.innerHTML = `<p>This login page no longer works. Go to the <a href="${mainLogin}">main Canvas page</a> to login.</p>`;
// option 2 - redirect to main page
// window.location.replace(mainLogin);
}
})();
You could allow the admin bypass by modifying the check for something like window.location.search !== '?login'
I'm not a fan of innerHTML and try to avoid it. You could use content.replaceChildren() and then content.appendChild() after creating the elements. However, simpler is often better and since it's just one of many options, I didn't want to overcomplicate things.
If you take this approach, definitely test it in your beta instance first. Otherwise, a slipup could disable your entire Canvas site.
Note that you will still have to change passwords or do something. There's nothing preventing a student (or someone else) from discovering that if you put query string it will let you in.
The extreme option is to eliminate the backdoor completely. I've been a Canvas Admin for 12 years and have rarely had to use the Canvas login because my main one stopped. Mostly it was when our college network has having issues and CAS wasn't available. Since we've switched to Microsoft for logins (I think it was about 4 years ago), I don't remember using it all.
You could delete the Canvas login option under Admin > Authentication. This removes it for everyone, even the backdoor for admins. Make sure your Microsoft logins are working first before you do this. This could be a temporary thing. Once everyone stops trying to use the Canvas login (yes, I know that is no guarantee), you could turn it back on for the admin to have their backdoor.
All of these approaches are to make it harder for students to use the Canvas login. Ultimately, you'll need to change the passwords or take the approach that @chriscas suggested.
