
Configuring SSO SAML for AzureAD - passing login_id to Canvas

Question asked by Carol Shergold on Mar 23, 2020
Latest reply on Apr 1, 2020 by Carol Shergold
Hi all
We have been configuring the SSO SAML configuration in Canvas to point to our AzureAD as per the guidance and instructions found here:

https://community.canvaslms.com/docs/DOC-1402-configuring-azure-saml-and-canvas-authentication

The AzureAD side of things appears to be working and confirms successful login. However, once the login process hands off to Canvas, we get the error message "No such account for user username@domain". The usernames we are using for testing do exist in Canvas and our Canvas user accounts all have a login entry containing the account information it claims to not be able to find.

The Login attribute being used is "Name ID" as set in the instructions, but our ADFS service uses "eduPersonPrincipalName" and works for logging in to Canvas - but does not work for AzureAD into Canvas.
In addition to authentication via ADFS, some admin users also have a direct login using a manually created login and password. These manual authentication modes tend to use the friendly email address (c.shergold@sussex.ac.uk).
So for me, AzureAD is passing carols@sussex.ac.uk, but actually when I look at my user record via an API call, my login_id in Canvas was set to c.shergold@sussex.ac.uk.
I edited my user settings so that the manual authentication method also was set to carols@sussex.ac.uk.
Now I am able to authenticate via AzureAD.
However, I have a colleague whose login_id is set to username@domain who is nonetheless unable to log in.
So this doesn't seem like a complete explanation although presumably it's playing a part.
Does anyone have any experience of these issues of mapping login values between AzureAD and Canvas?
Many thanks
Carol
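
One way to check the mismatch described in the question, as an added example that is not part of the original post: parse a SAML assertion captured from a test login and compare the NameID and every attribute value against the login_id values held in Canvas. The assertion, the `example.ac.uk` addresses and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion, unsigned: a local diagnostic that validates nothing.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID>JDoe@example.ac.uk</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6">
      <saml:AttributeValue>jdoe@example.ac.uk</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
      <saml:AttributeValue>j.doe@example.ac.uk </saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed Canvas login_id values, e.g. collected from user records via the API.
CANVAS_LOGIN_IDS = ["jdoe@example.ac.uk", "j.doe@example.ac.uk"]

def candidate_identifiers(assertion_xml):
    """Return {source: value} for the NameID and each attribute in the assertion."""
    root = ET.fromstring(assertion_xml)
    found = {}
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is not None:
        found["NameID"] = name_id.text or ""
    for attr in root.iterfind("saml:AttributeStatement/saml:Attribute", NS):
        for value in attr.iterfind("saml:AttributeValue", NS):
            found[attr.get("Name")] = value.text or ""
    return found

def classify(value, login_ids):
    """Say how an IdP-supplied value differs from the known login_ids, if at all."""
    if value in login_ids:
        return "exact"
    if value.strip() in login_ids:
        return "whitespace-differs"
    if value.strip().lower() in {l.lower() for l in login_ids}:
        return "case-differs"
    return "no-match"

def report(assertion_xml, login_ids):
    return {src: (val, classify(val, login_ids))
            for src, val in candidate_identifiers(assertion_xml).items()}

if __name__ == "__main__":
    for source, (value, verdict) in report(SAMPLE_ASSERTION, CANVAS_LOGIN_IDS).items():
        print(f"{verdict:20} {source} = {value!r}")
```

The source that reports "exact" for every test user is the candidate for the Login attribute setting; the urn:oid name in the sample is eduPersonPrincipalName.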
