I am looking to add an option for users to log in with their Google account, and I am confused. What is the difference between adding Google as an Identity Provider and setting up Google SAML?
I set up the Google one and tested it in our test instance, but it couldn't authenticate me even though I used the email/login I use for Canvas. I can't find anything in the documentation explaining how to get Canvas to sync.
Error: Canvas doesn't have an account for user: (a bunch of numbers)
@jpastorek This is how I understand the Canvas SSO methods -- I invite others to chime in if they have other insights. For more resources, see the resources linked below for documentation and some extra help. Also, this is pretty long, so apologies for the small essay.
Basically, Canvas supports two types of SSO -- Identity Provider (IdP) and Service Provider SSO.
IdP SSO allows someone to log into a common Identity Provider (like Active Directory, Google, or ClassLink/Clever) and then click on a button or link to log into Canvas. My institution's SSO is set up this way. The link that's given (usually /login/saml/XXX) is the one that will trigger the login process and is usually linked somewhere like on a dashboard or a webpage.
Service Provider SSO allows someone to go to the Canvas login page, click on the Google (or other service) button, then let Google handle the connection to the identity provider. (Most online services have Service Provider SSO; if you see a "Sign in with Google" button, that's Service Provider SSO.) This is good if you have people go to the main login (/login/canvas) and then have people click on Google to start logging in instead of having to type in their username and password.
Which one you choose depends on how you have your systems set up and how your IT admins want users to log in. We don't use Service Provider SSO for Canvas, because while we have the /login/canvas endpoint for logging in, that is only for admins; we require our staff and students to go through the IdP to log in, since our user accounts in Canvas do not have passwords. The IdP handles authentication. We also have two IdPs for backup (if one of the IdP methods is offline or has an issue we can log in with the other and still get to Canvas).
In your particular case with the inability to log in, you're probably not able to log in because in Canvas, you need to have whatever authentication method you have set up send something that matches a login on the user page (otherwise, Canvas can't find the user that needs to log in!). You may need to flip the login attribute to another option.
For Google IdP we have it set up to match against the user's email. To add a login to a user page, see these instructions (but you don't need to set up a password).
Resources:
Google SAML setup (Canvas Documentation)
Thank you for this info!
I have already tested both methods in our xxx.test.instructure.com instance, and both were unsuccessful.
IdP SSO: I followed the SAML steps perfectly and I run the test in Google and it works. Then I navigate to the /login/saml and put in my credentials and it says the app isn't turned on for the user, even though I have confirmed it's been turned on.
SP SSO: To make the transition easier, I'd prefer to use the login with Google button since our students and teachers already go to the Canvas login page. I tested that with my own account and the error is it can't find the user with a long string of numbers. Not sure why it didn't look me up with my email. There isn't any documentation (that I can find) regarding troubleshooting this method, however.
I've been looking into Clever to tie all of our logins into one area, so maybe instead of using Google to get into Clever, I should use Clever to get into Google along with all our other apps and textbooks. Especially since it's free!
@jpastorek So you may want to check the Google setup using the instructions that are from Google (the 2nd link in my post) -- it looks like you may not have turned on the app in the correct Org Unit.
Did you flip the login attribute on the Service Provider flow to be sending/authenticating via email? That's the only thing I can see on my side when I set up an SP flow in beta (all I see is sub and email as options).
There's also generic SAML troubleshooting here from Google that may help as well.
Here's some SAML debugger tips from Canvas.
Otherwise, I would potentially contact Canvas support and see what they can see and find.
Weird thing is I turned it on for the whole domain: all users. Not sure what the problem is.
For the IdP, Google recommends to have a dedicated publicly accessible file server to serve the metadata file. Where does your school host that (if you do that)?
I just flipped the SP flow to authenticate based on email, and the error says that Canvas doesn't have a user with my email address, even though I have my email and login both set as my email address.