DRAFT: The following is an example using the configuration values that were filled in for CCSF's integration with Canvas. This document currently illustrates configuring your Canvas site to go straight to your college/district IdP. We'll be updating this document to instead illustrate going to your college/district IdP through the CCC IdP Proxy. That will change the:

  • IdP entityID: this will become the Proxy IdP entityID, not the college one
  • Log On URL: this will become a URL that goes to the IdP Proxy SSO endpoint, with a ?source= query argument identifying the college/district IdP to then go to
  • Certificate fingerprint: this will become the certificate fingerprint of the IdP Proxy signing certificate (we will give you the specific value to fill in; it will be the same for everyone)
  • Note: the Logout URL, if you want the user logged out of your IdP after logging out of Canvas, will be the same as below. The IdP Proxy will not keep a session, so you just have Canvas send the user to your IdP's Logout endpoint.

Each college using Canvas has one or two people who have been established as "Canvas Administrators" for that college. The people in that role have access to their Canvas site with "administrative privileges", including being able to configure how authentication is done for their Canvas site. That is the person who has access to "turn on" SAML authentication for the college site and fill in the information needed for it to work.

...

That will bring you to the main "SAML configuration form", and here is a guide to what to fill in for each of the form fields.

    Notes: this is the value of the 'idp.entityID=' property in the IdP's conf/idp.properties file. It is also the entityID attribute on the <EntityDescriptor> element of your IdP's metadata, and the two must agree.

* Log On URL: https://idp.ccsf.edu/idp/profile/SAML2/Redirect/SSO

...

        <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.ccsf.edu/idp/profile/SAML2/Redirect/SSO"/>  

* Log Out URL:  https://idp.ccsf.edu/idp/profile/Logout   

...

        This is the Location value from the following entry in your IdP's metadata. Note that this endpoint is not a SAML 2.0 Single Logout endpoint: Canvas simply redirects the browser there after ending its own session, and no LogoutRequest/LogoutResponse exchange takes place.
        <!-- Not actually a SAMLv2 Logout endpoint, but it is where we want SPs to send the user -->
        <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.ccsf.edu/idp/profile/Logout"/>

* Certificate fingerprint:  A6:DD:7A:D5:8E:83:D8:51:6C:EC:72:F4:EF:B5:F0:0F:5C:6B:66:FC
  (the SHA-1 fingerprint, 20 colon-separated bytes, of the IdP's signing certificate; Canvas uses it to verify the signature on the SAML responses the IdP sends)

...

   A6:DD:7A:D5:8E:83:D8:51:6C:EC:72:F4:EF:B5:F0:0F:5C:6B:66:FC
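The entityID, Log On URL, Log Out URL and certificate fingerprint above all come from the IdP's metadata, and the safest way to fill in the form is to derive them from that metadata rather than copy them from a document. The following is an added example, not code from the original page or from the CCC/Canvas project. It parses a constructed sample metadata document (the entityID and idp.example.edu endpoints are hypothetical, and the signing certificate body is base64 of the bytes "abc" rather than a real DER certificate, so that the expected SHA-1 is a known test vector), picks the signing certificate(s) while skipping encryption-only keys, and prints the values in the format the Canvas form expects. The fingerprint is SHA-1 because the value on this page is 20 bytes long; the function takes an algorithm name in case a different digest is needed.

```python
"""Derive Canvas SAML form values from Shibboleth IdP metadata.

Added example, not part of the original page. Expects a single
<md:EntityDescriptor> (an IdP's own metadata file, not an aggregate).
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample metadata (hypothetical entityID/endpoints). The signing
# certificate body "YWJj" is base64 of b"abc", not a real DER certificate.
SAMPLE_METADATA = """<md:EntityDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.edu/idp/shibboleth">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        YWJj
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>AAAA</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.edu/idp/profile/Logout"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.edu/idp/profile/SAML2/POST/SSO"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.edu/idp/profile/SAML2/Redirect/SSO"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def fingerprint(der, algorithm="sha1"):
    """Colon-separated uppercase hex digest of DER certificate bytes."""
    digest = hashlib.new(algorithm, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def _hex_only(value):
    return "".join(ch for ch in value.upper() if ch in "0123456789ABCDEF")


def fingerprint_matches(expected, actual):
    """Compare two fingerprints ignoring case and separators."""
    return _hex_only(expected) == _hex_only(actual)


def signing_certificates(root):
    """DER bytes of every certificate the IdP may sign with.

    A KeyDescriptor with no 'use' attribute is valid for both signing and
    encryption; use="encryption" keys never sign responses and are skipped.
    """
    certs = []
    for kd in root.iterfind("md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use") not in (None, "signing"):
            continue
        for cert in kd.iterfind("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            # Metadata usually wraps the base64 across lines: strip whitespace.
            certs.append(base64.b64decode("".join((cert.text or "").split())))
    return certs


def canvas_values(metadata_xml):
    """Return the four Canvas form values derived from the metadata."""
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")
    sso = idp.find("md:SingleSignOnService[@Binding='%s']" % REDIRECT, NS)
    slo = idp.find("md:SingleLogoutService[@Binding='%s']" % REDIRECT, NS)
    return {
        "entity_id": root.get("entityID"),
        "log_on_url": sso.get("Location") if sso is not None else None,
        "log_out_url": slo.get("Location") if slo is not None else None,
        "fingerprints": [fingerprint(c) for c in signing_certificates(root)],
    }


if __name__ == "__main__":
    values = canvas_values(SAMPLE_METADATA)
    for name, value in values.items():
        print(name, value)
    if len(values["fingerprints"]) != 1:
        # The Canvas form holds one fingerprint; during a key rollover the
        # metadata may list two signing certificates, so pick deliberately.
        print("warning: %d signing certificates found" % len(values["fingerprints"]))
```

Run it against the metadata your IdP actually serves and compare the printed fingerprint with the value in the Canvas form using fingerprint_matches; a mismatch means Canvas will reject every response the IdP signs.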

* Login attribute: eduPersonPrincipalName
  There is a drop-down with multiple choices; you want to choose 'eduPersonPrincipalName'. That has to match what you fill into the LOGIN_ID in the Canvas provisioning feed, and your IdP must actually release eduPersonPrincipalName to the Canvas SP, or logins will fail even though the rest of the configuration is correct.

* Identifier Format:  urn:oasis:names:tc:SAML:2.0:nameid-format:transient

Choose the above value from the drop-down and save your changes. The drop-down lists several NameID formats; transient is the one to pick.


* You can leave the rest of the fields empty or at their default values, except perhaps Position. Position applies only if you are going to allow multiple ways of logging in, which you won't once you convert. If you have only one form of authentication configured, Position doesn't matter. Otherwise, you probably want SAML listed first, so you'd set Position to '1' in the drop-down.
These are all the fields you'll see that the above applies to:

...