
openid_connect and Canvas users

Question asked by Peter Heinemann on Nov 27, 2018
Latest reply on Nov 27, 2018 by Kona Jones

I'm setting up openid_connect as an authentication method. I'm confused, however, about what just-in-time provisioning actually does when it creates a Canvas user record.


Scenario 1:

- no user record exists in Canvas nor in the external OpenID Connect IdP

- external OpenID Connect IdP configured as a provider (2nd position)

- just-in-time provisioning enabled in Canvas

- sign up (create) a user record in the external IdP.

A new user record is added in Canvas and login is fine.


Scenario 2:

- record exists in Canvas

- just-in-time provisioning is disabled in Canvas

- record does not exist in the OpenID Connect IdP

A new user record is created in the IdP using information identical to that in the Canvas record, but Canvas returns "Canvas doesn't have an account for user".


Scenario 3:

- record exists in Canvas

- just-in-time provisioning is enabled in Canvas

- record does not exist in the OpenID Connect IdP

A new user record is created in the IdP and in Canvas, but they appear identical.


Pre-existing record (this will fail login):

{
  "login_id": "pheinemann99@gmail.com",
  "id": 2732,
  "name": "pheinemann99@gmail.com",
  "created_at": "2018-11-27T13:53:17-05:00",
  "sortable_name": "pheinemann99@gmail.com",
  "short_name": "pheinemann99@gmail.com",
  "sis_user_id": null,
  "integration_id": null,
  "sis_import_id": null
}


Post-IdP sign-up:

[
  {
    "login_id": "pheinemann99@gmail.com",
    "id": 2732,
    "name": "pheinemann99@gmail.com",
    "created_at": "2018-11-27T13:53:17-05:00",
    "sortable_name": "pheinemann99@gmail.com",
    "short_name": "pheinemann99@gmail.com",
    "sis_user_id": null,
    "integration_id": null,
    "sis_import_id": null
  },
  {
    "login_id": "pheinemann99@gmail.com",
    "id": 2733,
    "name": "pheinemann99@gmail.com",
    "created_at": "2018-11-27T14:34:56-05:00",
    "sortable_name": "pheinemann99@gmail.com",
    "short_name": "pheinemann99@gmail.com",
    "sis_user_id": null,
    "integration_id": null,
    "sis_import_id": null
  }
]

The second record will now permit login after external authentication; what is the difference that permits login? How do you map an external IdP record to an existing one?


I'm missing something here, but can't seem to find it.

Thanks,


Peter
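An added example for the situation described in the post; it is not from the post and not Canvas's own code. It assumes, as I understand Canvas, that each login (pseudonym) is bound to one authentication provider and that the Logins API returns `unique_id`, `user_id`, `account_id` and `authentication_provider_id` per login, so the two records above show up as two logins with the same `unique_id` on different providers. The provider ids, login ids and the `PUT /api/v1/accounts/:account_id/logins/:id` call with `login[authentication_provider_id]` are assumptions to be checked against your instance's API docs. It flags such collisions (a duplicate-identity risk) and builds the request that would rebind the pre-existing login to the openid_connect provider instead of letting JIT create a second user.

```python
import json
from collections import defaultdict

# Constructed sample in the shape of the Canvas Logins API (field names assumed).
# The values mirror the two records in the post: user 2732 was created inside
# Canvas, user 2733 by just-in-time provisioning from the OIDC provider.
CANVAS_AUTH_PROVIDER_ID = 1   # assumed id of the built-in Canvas provider
OIDC_AUTH_PROVIDER_ID = 2     # assumed id of the openid_connect provider (2nd position)

SAMPLE_LOGINS = json.loads("""[
  {"id": 9001, "user_id": 2732, "account_id": 1, "unique_id": "pheinemann99@gmail.com",
   "authentication_provider_id": 1, "workflow_state": "active"},
  {"id": 9002, "user_id": 2733, "account_id": 1, "unique_id": "pheinemann99@gmail.com",
   "authentication_provider_id": 2, "workflow_state": "active"}
]""")

def find_collisions(logins):
    """Group active logins by unique_id; keep only ids shared by more than one user."""
    by_uid = defaultdict(list)
    for login in logins:
        if login.get("workflow_state") == "active":
            by_uid[login["unique_id"]].append(login)
    return {uid: rows for uid, rows in by_uid.items()
            if len({row["user_id"] for row in rows}) > 1}

def rebind_request(login, provider_id):
    """Build the (assumed) Logins API call that points an existing login at another provider."""
    path = f"/api/v1/accounts/{login['account_id']}/logins/{login['id']}"
    return "PUT", path, {"login[authentication_provider_id]": provider_id}

def plan_merge(logins, keep_provider_id, target_provider_id):
    """For each collision, keep the login bound to keep_provider_id (the pre-existing
    Canvas user), rebind it to target_provider_id, and list the JIT duplicates to
    delete or merge. Collisions without exactly one keeper are left for manual review."""
    plan = []
    for uid, rows in find_collisions(logins).items():
        keep = [r for r in rows if r["authentication_provider_id"] == keep_provider_id]
        dups = [r for r in rows if r["authentication_provider_id"] == target_provider_id]
        if len(keep) == 1:
            plan.append({"unique_id": uid,
                         "rebind": rebind_request(keep[0], target_provider_id),
                         "duplicate_user_ids": sorted(r["user_id"] for r in dups)})
    return plan

if __name__ == "__main__":
    for step in plan_merge(SAMPLE_LOGINS, CANVAS_AUTH_PROVIDER_ID, OIDC_AUTH_PROVIDER_ID):
        print(json.dumps(step, indent=2))
```

Run it against the real output of the Logins API for your account to see which existing users would be shadowed by a JIT-created duplicate before enabling the provider.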
