
SAML for students, Canvas authentication for parents not working

Question asked by Marshall Chaney on Jun 12, 2017
Latest reply on Aug 29, 2017 by Marshall Chaney

Is anyone successfully using Google apps authentication for students with parents self-creating observer accounts via Canvas login? SAML works great for our domain users most of the time, but we're having several problems with parent accounts now.


In the Canvas Parent app, a parent would enter their information to create an account and then be taken to a Google authentication page (as expected) for their student. Entering the student’s information normally returns an "Error 403: app_not_configured_for_this_user" (which is incorrect, assuming Canvas is passing the proper user credentials to Google). However, in my testing of the issue now for these case notes, I get a message “Unable to Create Account - There was an error while communicating with the server” when I hit the Create Account button.


If I choose “Log in with Canvas” from the parent app, I would expect to see Canvas authentication, but I’m instead directed to Google/SAML. This is incorrect for parents.


Via the web on multiple browsers, when a parent creates an account and is prompted for the Google login for their child, it either shows the Error 403, or just signs them in to Google apps and never comes back to Canvas to complete the account creation.


Specifically, the problem is when a self-signup user with Canvas authentication tries to create a parent account as an observer of a SAML-authenticated user.


If there is a fix for this, great - but it sounds like the problem is rooted in how Canvas prioritizes authentication. Instead of, or in addition to, primary/secondary authentication, I suggest they specify Staff/Student vs. Parent authentication. That way the Canvas app and our student login URL can all look to SAML and the Parent app and parent URL can use Canvas authentication exclusively. Even if that means I have to have parents use a separate SIS-upload username and password for their student (i.e., not the SAML credentials), it would be better than the mess we’re in now where no parent can successfully create an account linked to a student.