
Google Authentication as SAML IdP

This article describes the process of configuring Google as an Identity Provider (IdP) ready to work with Canvas.

Authentication Terminology




SAML: Security Assertion Markup Language.

IdP: Identity Provider.

The job of the IdP is to identify users based on credentials. The IdP typically provides the login screen interface and presents information about the authenticated user to Service Providers after successful authentication.

ADFS is the Identity Provider.

SP: Service Provider.

An SP is usually a website providing information, tools, reports, etc. to the end user. Canvas provides a learning environment to teachers, students, and admins and is therefore the Service Provider.

Note: An SP cannot authenticate against an IdP unless the IdP is known to the SP. Likewise, an IdP will not send assertions to an SP that it does not know about.

Metadata: Information about the SP or IdP. This metadata is almost always provided in the form of XML. The metadata about your Canvas instance is located at https://<yourcanvas> (replace <yourcanvas> with the first portion of your Canvas domain).

SSO: Single Sign On.

This is what happens when a user isn't required to log in to a second service because information about the authenticated user is passed to the service.

SLO: Single Logout.

When a user logs out of a service, some IdPs can subsequently log the user out of all other services the user has authenticated to.

ADFS supports this but may occasionally experience issues such as preventing a successful logout. Users will be logged out of Canvas but may not be logged out of ADFS.

login_id: Username in Canvas terminology.

When information about an authenticated user is returned to Canvas, Canvas looks for a user with a login_id matching the incoming data.

Unique ID of a user in Canvas.

Used to link a user to an outside system, often a Student Information System (SIS).

SIS: Student Information System


  • Any user that needs to authenticate via Google SAML must already have a user account provisioned in Canvas.
  • The login_id field in Canvas must match the selected field returned from Google.
  • Canvas does not automatically create user accounts from successful single-sign-ons. User accounts must either be created manually in the web interface or through the SIS import CSVs.
  • Your organization must be using Google Apps.
  • You must be able to login to the admin console for your organization.


NOTE: To complete the steps in this documentation, you will need to use your Production environment of Canvas. Testing Google SAML authentication will not work in Test or Beta.

Login Release Valve

You may lock yourself out of Canvas while you are working to set up authentication. If this happens, there is a way to log in to Canvas using local authentication. Simply go to /login/canvas. For instance: http://<yourcanvasname> (This forces Canvas to display the local login form rather than redirecting to the SAML login page).

Configuration SSO App in Google

You will work in both the Google Apps admin console and Canvas, so keep both sites open in different tabs.

  1. In Canvas, select Google SAML authentication by going to the Authentication tab on the left, and select “SAML” (rather than “Google”) from the drop-down menu on the right.
  2. Log in to the Google Apps administration Console.
  3. Click the Apps option.
  4. Click SAML Apps
  5. Click the “+” icon in the bottom right
  6. Click the “Setup My Own Custom App” link
  7. You will need the information on this screen for configuring SAML with Canvas.
    1. Copy the Google “SSO URL” and paste it into the Canvas “Log On URL”
    2. Copy the Google “Entity ID” and paste it into the Canvas “IdP Entity ID”
    3. Download the metadata using the link for Option 2 and save it
    4. Click “Next”
  8. Basic Information for your Custom App
    1. Enter “Canvas” for the “Application Name”
    2. Optionally add an icon for your Canvas App
    3. Click “Next”
  9. Service Provider Details
    1. Enter https://<your_Canvas_URL>/login/saml for “ACS URL”
      1. (Ex:
    2. Enter http://<your_Canvas_URL>/saml2 for “Entity ID”
      1. (Ex:
      2. [Important: must be http:// NOT https://]
    3. Enter https://<your_Canvas_URL> for “Start URL”
      1. (Ex:
    4. Check the “Signed Response” checkbox
    5. Change “Name ID Format” to “Email”
    6. Click “Next”
  10. Click Finish
  11. Click OK
  12. You have added the SAML App to Google Apps, but you also need to turn on the app for your users:
    1. Click on "EDIT SERVICE" in the upper-right corner
    2. Select “ON for everyone” and then click on "SAVE"
  13. If everything went well, a success window is displayed.
  14. Now you are ready to calculate the signing token fingerprint and configure Canvas.


Calculate the Fingerprint

  1. Open the metadata XML file (downloaded from the Google IdP Information page) in a text editor or using Google Chrome or Firefox.
  2. Copy the data contained between the <ds:X509Certificate> tags
  3. Calculate fingerprint using
    1. Type '-----BEGIN CERTIFICATE-----' on the first line (five dashes before and after must be included) and hit enter
    2. Paste the X.509 certificate starting on the second line (Example below), leave the Algorithm as "sha1" and click "CALCULATE FINGERPRINT"

Configuration on Canvas Side

Note: Google SAML configurations do not need to be in first position. You just need to use a discovery URL when there is more than one method of authentication possible.

  1. Complete the configuration in Canvas:
    1. IdP Entity ID: Enter “Entity ID” from Google screen
    2. Log On URL: Enter “SSO URL” from Google screen
    3. Log Out URL: Enter “
    4. Certificate Fingerprint: Copy the formatted fingerprint calculated in the Calculate the Fingerprint section.
    5. Login Attribute: Select “NameID”
    6. Identifier Format: Select “urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress”
    7. Message Signing: "RSA-SHA1"
    8. Click “Save”



Version history
Revision #: 1 of 1
Last update: 08-07-2020 02:05 PM