The following example uses the configuration values that were filled in for CCSF's integration with Canvas. This document illustrates configuring your Canvas site to authenticate directly against your college/district IdP; the updates below instead route your college/district IdP through the CCC IdP Proxy. The following values need to be updated to make this change:

...

That will bring you to the main "SAML configuration form". Fill in the fields as follows:


* IdP entityID:  
    Note: this is the value of the idp.entityID property in the IdP's conf/idp.properties file. It must match the entityID attribute of the EntityDescriptor in your IdP's metadata exactly, including scheme, case and any trailing slash.

* Log On URL:  
   Note: this is the Location value from the following entry in your IdP's metadata:

...

    Note: this is the Location value from the following entry in your IdP's metadata:
        <!-- Not actually a SAMLv2 Logout endpoint, but it is where we want SPs to send the user -->
        <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.ccsf.edu/idp/profile/Logout"/>

...

* Pilot Certificate fingerprint: 02FB:B197:F739:194D:2214:4E17:FE12:1E5A:FFF5:46A3:E1DF:B580:BA98:55CB:E874:14F6:1085:5C81:4DD5:59

...

Notes: Most services let you paste the entire signing certificate, but Canvas only wants its "fingerprint": the SHA-1 digest of the DER-encoded certificate, written as colon-separated hex bytes. First, find your signing certificate by looking at the value of idp.signing.cert in your IdP's conf/idp.properties file. For CCSF that is: idp.signing.cert= %{idp.home}/credentials/idp.crt. On a Linux system that has the openssl command, you can get the fingerprint with:
    openssl x509 -noout -fingerprint -in idp.crt
which prints something like: SHA1 Fingerprint=A6:DD:7A:D5:8E:83:D8:51:6C:EC:72:F4:EF:B5:F0:0F:5C:6B:66:FC
(Add -sha1 to the command if you want to be explicit about the digest; Canvas expects the SHA-1 form, 20 bytes.) Only the public certificate (idp.crt) is needed for this; the private signing key (idp.signing.key) never leaves the IdP host. An easier alternative that works on any platform is to visit the following website:

...
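The note above computes the fingerprint from the idp.crt file on the IdP host. Because the fingerprint is just SHA-1 over the DER certificate, and the base64 body of the <ds:X509Certificate> element in the IdP's published metadata is exactly that DER, you can also derive it from the metadata alone and confirm the two agree before pasting it into Canvas. The script below is an added example, not part of the original page or of the CCC or Canvas documentation; it generates a throw-away self-signed certificate standing in for idp.crt, wraps it in a constructed metadata fragment, and checks both paths yield the same value. File names, the CN and the temp directory are assumptions.

```shell
#!/bin/sh
# Added example (not from the original page): SHA-1 certificate fingerprint in
# the form Canvas expects, computed from a PEM file and, independently, from
# the base64 <ds:X509Certificate> body found in SAML metadata.
# Requires openssl, base64 and sha1sum (GNU coreutils). Paths are assumptions.
set -eu

# Same command as in the note above, with the digest made explicit and the
# "SHA1 Fingerprint=" prefix stripped so only the colon-separated bytes remain.
fingerprint_from_pem() {
    openssl x509 -noout -fingerprint -sha1 -in "$1" | sed 's/^.*=//'
}

# The metadata carries the DER certificate as base64; the fingerprint is SHA-1
# over that DER, so no openssl is needed for this path. Whitespace inside the
# element (line wrapping) is removed before decoding.
fingerprint_from_metadata_b64() {
    printf '%s' "$1" | tr -d ' \n\r\t' | base64 -d | sha1sum \
        | cut -d' ' -f1 | tr 'a-f' 'A-F' | sed 's/../&:/g; s/:$//'
}

# Pull the body of the first <ds:X509Certificate> element out of a metadata
# file (newlines are flattened first so the element may span lines).
extract_metadata_cert() {
    tr -d '\n' < "$1" \
        | sed -n 's/.*<ds:X509Certificate>\([^<]*\)<\/ds:X509Certificate>.*/\1/p'
}

# Constructed demo: a one-day self-signed cert stands in for idp.crt, and a
# minimal KeyDescriptor fragment stands in for the IdP's metadata. Prints the
# fingerprint only if both computations agree.
demo() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$dir/idp.key" \
        -out "$dir/idp.crt" -days 1 -subj "/CN=idp.example.edu" 2>/dev/null
    b64=$(sed '/-----/d' "$dir/idp.crt")   # PEM body without BEGIN/END lines
    printf '<md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>\n<ds:X509Certificate>\n%s\n</ds:X509Certificate>\n</ds:X509Data></ds:KeyInfo></md:KeyDescriptor>\n' \
        "$b64" > "$dir/idp-metadata.xml"
    a=$(fingerprint_from_pem "$dir/idp.crt")
    b=$(fingerprint_from_metadata_b64 "$(extract_metadata_cert "$dir/idp-metadata.xml")")
    rm -rf "$dir"
    [ "$a" = "$b" ] || return 1
    printf '%s\n' "$a"
}

demo
```

Against a real deployment, replace the generated files with the IdP's idp.crt and the metadata you actually published to the proxy or to Canvas; a mismatch between the two means the metadata does not carry the certificate named by idp.signing.cert, which would break signature validation regardless of what you paste into Canvas.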


* Prod Certificate fingerprint: 02:B1:F7:19:22:4E:FE:1E:FF:46:E1:B5:BA:55:E8:14:10:5C:4D:59
  

* Login attribute: eduPersonPrincipalName

    Or eduPersonPrincipalName (domain stripped) if you don't include the @campus.edu on the identifier you send to Canvas in the provisioning feed.

    There is a drop-down with multiple choices; choose one of the two 'eduPersonPrincipalName' choices. The value Canvas receives from the IdP has to match exactly what you fill into the LOGIN_ID in the Canvas provisioning feed, so pick the stripped form only if the feed carries bare usernames. Do NOT choose "NameID": with the transient Identifier Format below the NameID is a throw-away value that changes on every login and cannot be matched to a provisioned user.
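The choice between the two eduPersonPrincipalName options is decided by the provisioning feed, not by the IdP, and a feed that mixes bare and @domain login_id values will leave some users unable to log in whichever option is picked. The script below is an added example, not part of the original page or of the Canvas or CCC documentation: it inspects the login_id column of a Canvas SIS users.csv feed, reports which option matches it, and shows what Canvas will look up for a given ePPN under each setting. The sample feeds are constructed; the column name login_id is the Canvas SIS users.csv header, the other columns are illustrative.

```shell
#!/bin/sh
# Added example (not from the original page): choose the Canvas "Login
# attribute" option from the provisioning feed, and flag inconsistent feeds.
set -eu

# Classify the login_id column of a users.csv feed:
#   full      every login_id carries an @domain  -> eduPersonPrincipalName
#   stripped  no login_id carries an @domain     -> ePPN (domain stripped)
#   mixed     both kinds present                  -> feed must be fixed first
#   nocolumn  no login_id header found
login_id_form() {
    awk -F, '
        { sub(/\r$/, "") }                       # tolerate CRLF feeds
        NR == 1 { for (i = 1; i <= NF; i++) if ($i == "login_id") c = i; next }
        c && $c != "" { if (index($c, "@")) full++; else bare++ }
        END {
            if (!c)                print "nocolumn"
            else if (full && bare) print "mixed"
            else if (full)         print "full"
            else                   print "stripped"
        }' "$1"
}

# The drop-down entry that matches the feed.
login_attribute_choice() {
    case "$(login_id_form "$1")" in
        full)     echo "eduPersonPrincipalName" ;;
        stripped) echo "eduPersonPrincipalName (domain stripped)" ;;
        mixed)    echo "MIXED: some login_ids have @domain and some do not; fix the feed first" ;;
        *)        echo "ERROR: no login_id column in feed" ;;
    esac
}

# The identifier Canvas will compare against login_id after the IdP releases
# eduPersonPrincipalName: unchanged, or the local part only when domain
# stripping is selected.
canvas_lookup_id() {
    eppn=$1; form=$2
    if [ "$form" = "stripped" ]; then printf '%s\n' "${eppn%%@*}"; else printf '%s\n' "$eppn"; fi
}

# Constructed sample feeds (user_id values are made up).
demo() {
    dir=$(mktemp -d)
    printf 'user_id,login_id,status\n1001,jdoe@campus.edu,active\n1002,asmith@campus.edu,active\n' > "$dir/full.csv"
    printf 'user_id,login_id,status\n1001,jdoe,active\n1002,asmith,active\n' > "$dir/stripped.csv"
    printf 'user_id,login_id,status\n1001,jdoe@campus.edu,active\n1002,asmith,active\n' > "$dir/mixed.csv"
    for f in full stripped mixed; do
        echo "$f.csv -> $(login_attribute_choice "$dir/$f.csv")"
    done
    echo "jdoe@campus.edu with domain stripping -> $(canvas_lookup_id jdoe@campus.edu stripped)"
    rm -rf "$dir"
}

demo
```

Run login_attribute_choice against the real users.csv you upload to Canvas before saving the SAML form; if it reports MIXED, normalise the feed rather than guessing, because Canvas matches the released attribute to login_id as an exact string.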

 
* Identifier Format:  urn:oasis:names:tc:SAML:2.0:nameid-format:transient

Choose the above value from the drop-down and Save your changes. The drop-down should have the following set of choices:

...