Versions Compared

Old Version 3

changes.mady.by.user Michael Grady

Saved on

compared with

New Version Current

changes.mady.by.user Chris Franz

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

 The following is an example using the configuration values that were filled in for CCSF's integration with Canvas. This document illustrates configuring your Canvas site to go straight to your college/district IdP. The updates below will route your college/district IdP through the CCC IdP Proxy instead. The following values will need to be updated in order to implement this change:

  • IdP entityID:  this will change to the Proxy IdP entityID
  • Log On URL: this will change to a URL that goes to the IdP Proxy SSO endpoint, and with a ?source= query argument identifying the college/district IdP to route to
  • Certificate fingerprint: this will become the certificate fingerprint of the IdP Proxy signing certificate
  • Note: the Logout URL, if you want the user logged out of your IdP after logging out of Canvas, will be same as below. The IdP Proxy will not keep a session, so you will need to configure Canvas to send the user to your IdP's Logout endpoint.


Each college using Canvas has one or two people who have been established as the "Canvas Administrators" for that college. The person(s) in that role have has access to their Canvas site with "administrative privileges", including being able to configure how authentication is done for their Canvas site. That is the person who has access to "turn on" SAML authentication for the college site, and fill in the needed info for that to work.Note that Canvas recommends you do this first This individual will need to make the changes outlined in this document. 

Canvas recommends that you first implement the changes on your Test/Beta site , get and ensure it is working correctly there , and only then configure prior to configuring it on your Production site. But Please be aware thta that every couple of few weeks, Instructure repalces replaces your Test/Beta site config with your Production config, so you might have to repeat configuring the below multiple times if it takes you too long longer to complete your verification testing.

This document tells you how to navigate to the page that has the SAM SAML config options on it:

      https://community.canvaslms.com/docs/DOC-4284

But the basic thing is to click Step 1- Click on "Authentication" in the left-hand pane of this screen: 

Image Added   


Image Removed   And then Then click on SAML in the right-hand side of the subsequent screen: Image Removed 

Image AddedImage Added


That will bring you to the main "SAML configuration form", and here is a guide to what to fill in for each of the form fields.

 

. The following information should be placed in the fields: 


* IdP entityID:  
Pilothttps://sso.pilot.cccmypath.org/simplesaml/saml2/idp.ccsf.edu/metadata.php
Prod: https://sso.cccmypath.org/simplesaml/saml2/idp/shibbolethmetadata.php
    NotesNote: this is the value of the 'idp.entityID=' property in the IdP's conf/idp.properties file . And and in your IdP's metadata.

* Log On URL:  
Pilothttps://idpsso.pilot.ccsf.edu/idp/profile/SAML2/Redirect/SSO   Notescccmypath.org/simplesaml/saml2/idp/SSOService.php?source=MISnnn
Prod:  https://sso.cccmypath.org/simplesaml/saml2/idp/SSOService.php?source=MISnnn
   Note: this is the Location value from the following entry in your IdP's metadata:
        <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.ccsf.edu/idp/profile/SAML2/Redirect/SSO"/>  

* Log Out URL:  https://idp.ccsf.edu/idp/profile/Logout        (Example- please use your colleges version)
   Notes Note: Only enter this if you want the user logged out of your IdP after logging out of Canvas.
        This is the Location value from the following entry in your IdP's metadata:
        <!-- Not actually a SAMLv2 Logout endpoint, but it is where we want SPs to send the user -->
        <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.ccsf.edu/idp/profile/Logout"/>
* Pilot Certificate fingerprint:  A6 FB:DD97:7A39:D54D:8E14:8317:D812:515A:6CF5:ECA3:72DF:F480:EF98:B5CB:F074:0FF6:5C85:6B81:66D5:FC
    Notes: Most services allow you to enter the entire "signing cert", but Canvas just wants what is called the "fingerprint" from that. Fiirst, you need to find your signing cert by looking at the value of the 'idp.signing.cert=' in your IdP's conf/idp.properties file. For CCSF that is:  idp.signing.cert= %{idp.home}/credentials/idp.crt.  If you are on a Linux system that has the 'openssl' command, you can get the fingerprint by using the following command:  
    openssl x509 -noout -fingerprint -in idp.crt
    which will give you something like: SHA1 Fingerprint=A6:DD:7A:D5:8E:83:D8:51:6C:EC:72:F4:EF:B5:F0:0F:5C:6B:66:FC
   Perhaps an easier alternative that works no matter what is to visit the following website:
       https://www.samltool.com/fingerprint.php
   Copy and paste the contents of credentials/idp.crt into the X509 cert field, leave the algorithm as SHA1, and press the "Calculate Fingerprint" button. That should give you something like the following in the "Formatted Fingerprint" field. That is what you then copy and paste into that "Certificate Fingerprint"  field on the Canvas SAML config page:
   A6:DD:7A:D5:8E:83:D8:51:6C:EC:72:F4:EF:B5:F0:0F:5C:6B:66:FC
* Login attribute: eduPersonPrincipalName  There is a dropdown A8

* Prod Certificate fingerprint: 02:B1:F7:19:22:4E:FE:1E:FF:46:E1:B5:BA:55:E8:14:10:5C:4D:59
  

* Login attribute: eduPersonPrincipalName

                 Or eduPersonPrincipalName (domain stripped) if you don't include the @campus.edu on the identifier you send to Canvas in the provisioning feed.


    There is a drop down with multiple choices, You want to choose one of the two 'eduPersonPrincipalName' choices. That has to match what you fill into the LOGIN_ID in the Canvas provisioning feed. Do NOT choose "NameID".Image Removed

 
  * Identifier Format:  urn:oasis:names:tc:SAML:2.0:nameid-format:transient

(choose Choose the above value from the drop-down and Save your changes. The drop-down should have the following set of choices:

Image Added
Image Removed
* You can leave the rest of the fields empty/whatever is the default value, except maybe for Position. That applies if you are going to allow multiple ways of logging in, which you won't once you convert. If you only have one form of Authn configured, then Position doesn't matter. Otherwise, you probably want SAML listed first, so you'd set Position to '1' in the drop-down:
Image Removed
These are all the fields you'll see that the above applies to:
Image Removed

Testing


  Start at your equivalent of
Image Added

Image Added

Testing

Testing should occur on the Test/Beta site that has been established for your college. An example of a test url ishttps://ccsf.test.instructure.com/login/saml    You will need to replace the correct values associated to your college test site in order to successfully test the changes.