The following is an example using the configuration values that were filled in for CCSF's integration with Canvas. This document illustrates configuring your Canvas site to go straight to your college/district IdP. The updates below will route your college/district IdP through the CCC IdP Proxy instead. The To do that, the following values will need to be updated in order to implement this change:
- IdP entityID: this will change to the Proxy IdP proxy entityID
- Log On URL: this will change to a URL that goes to the IdP Proxy the proxy SSO endpoint, and with a ?source= query argument identifying the college/district IdP to route to
- Certificate fingerprint: this will become the certificate fingerprint of the IdP Proxy proxy signing certificate
- Note: the Logout URL, if you want the user logged out of your IdP after logging out of Canvas, will be same as below. The IdP Proxy proxy will not keep a session, so you will need to configure Canvas to send the user to your IdP's Logout endpoint.
...
There is a drop down with multiple choices, You want to choose one of the two 'eduPersonPrincipalName' choices. That has to match what you fill into the LOGIN_ID in the Canvas provisioning feed. Do NOT choose "NameID".
* Identifier Format: urn:oasis:names:tc:SAML:2.0:nameid-format:transient
Choose the above value from the drop-down and Save your changes. The drop-down should have the following set of choices:
...