DRAFT: The following is an example using the configuration values that were filled in for CCSF's integration with Canvas. And this document currently illustrates configuring your Canvas site to go straight to your college/district IdP. We'll be updating this document to instead illustrate going to your college/district IdP throught the CCC IdP Proxy instead. That will change the:
...
* Certificate fingerprint: A6:DD:7A:D5:8E:83:D8:51:6C:EC:72:F4:EF:B5:F0:0F:5C:6B:66:FC
Notes: Most services allow you to enter the entire "signing cert", but Canvas just wants what is called the "fingerprint" from that. Fiirst, you need to find your signing cert by looking at the value of the 'idp.signing.cert=' in your IdP's conf/idp.properties file. For CCSF that is: idp.signing.cert= %{idp.home}/credentials/idp.crt. If you are on a Linux system that has the 'openssl' command, you can get the fingerprint by using the following command:
openssl x509 -noout -fingerprint -in idp.crt
which will give you something like: SHA1 Fingerprint=A6:DD:7A:D5:8E:83:D8:51:6C:EC:72:F4:EF:B5:F0:0F:5C:6B:66:FC
Perhaps an easier alternative that works no matter what is to visit the following website:
Copy and paste the contents of credentials/idp.crt into the X509 cert field, leave the algorithm as SHA1, and press the "Calculate Fingerprint" button. That should give you something like the following in the "Formatted Fingerprint" field. That is what you then copy and paste into that "Certificate Fingerprint" field on the Canvas SAML config page:
A6:DD:7A:D5:8E:83:D8:51:6C:EC:72:F4:EF:B5:F0:0F:5C:6B:66:FC
* Login attribute: eduPersonPrincipalName
There is a dropdown with multiple choices, You want to choose 'eduPersonPrincipalName'. That has to match what you fill into the LOGIN_ID in the Canvas provisioning feed.
* Identifier Format: urn:oasis:names:tc:SAML:2.0:nameid-format:transient
(choose the above value from the drop-down and Save your changes. The drop-down should have the following set of choices:
...