
Note

These instructions are for colleges that are NOT already using Canvas in production with students. These steps guide the college to make the necessary configurations to their IdP to access Canvas through the SSO proxy GW (in both pilot and production environments).

Colleges that are integrated directly with Canvas (around the proxy SSO GW) should contact Matt Schroeder, Systems Admin, mschroeder@ccctechcenter.org for assistance getting integrated with the proxy SSO GW.

Setting up your college IdP to access Canvas through the SSO Proxy GW

This document illustrates configuring your Canvas to route your college/district IdP through the SSO proxy GW. To implement this change, the following values will need to be updated:

  • IdP entityID:  this will change to the proxy SSO GW IdP-side entityID
  • Log On URL: this will change to a URL that goes to the proxy SSO GW SSO endpoint, with a ?source= query argument identifying the college/district IdP to route to
  • Certificate fingerprint: this will become the certificate fingerprint of the proxy SSO GW signing certificate
  • Note: the Logout URL, if you want the user logged out of your IdP after logging out of Canvas, will be the same as below. The proxy SSO GW will not keep a session, so you will need to configure Canvas to send the user to your IdP's Logout endpoint.


Set up requires Canvas Administrator privileges

Each college using Canvas has one or two people who have been established as the "Canvas Administrators" for that college. The person(s) in this role have access to their Canvas site with "administrative privileges", including being able to configure how authentication is done for their Canvas site. These individuals will need to make the changes outlined in this document.

Canvas recommends that you first implement these changes in your Test/Beta site and ensure it is working correctly there prior to configuring it in your Production site. Please be aware that every few weeks, Instructure replaces your Test/Beta site config with your Production config, so you might have to repeat configuring the steps below multiple times if it takes longer to complete your verification testing.


Info

This document tells you how to navigate to the page that has the SAML config options on it:

      https://community.canvaslms.com/docs/DOC-4284



Make Canvas Administrator configuration steps


Step 1: Click on "Authentication" in the left-hand pane of the Canvas Admin screen.




Step 2: Click on SAML in the right-hand side of the subsequent screen (Authentication Settings) and then click Save.





That will bring you to the main "SAML configuration form".


Step 3: Enter the following information in the corresponding fields:



IdP entityID


IdP entityID:  
Pilot: https://sso.pilot.cccmypath.org/simplesaml/saml2/idp/metadata.php
Prod: https://sso.cccmypath.org/simplesaml/saml2/idp/metadata.php
   




Log On URL

Log On URL:  
Pilot: https://sso.pilot.cccmypath.org/simplesaml/saml2/idp/SSOService.php?source=MISnnn
Prod:  https://sso.cccmypath.org/simplesaml/saml2/idp/SSOService.php?source=MISnnn
   

Note: Replace 'nnn' in the above URLs with the appropriate 3-digit MIS code for your college/district




Log Out URL

Log Out URL:  

Pilot: https://sso.pilot.cccmypath.org/simplesaml/saml2/idp/SingleLogoutService.php?ReturnTo=https://sso.pilot.cccmypath.org/simplesaml/ccc-logout.php

Prod: https://sso.cccmypath.org/simplesaml/saml2/idp/SingleLogoutService.php?ReturnTo=https://sso.cccmypath.org/simplesaml/ccc-logout.php


Note:  Only enter this if you want the user logged out of your IdP after logging out of Canvas.

        



Pilot Certificate fingerprint

* Pilot Certificate fingerprint: FB:97:39:4D:14:17:12:5A:F5:A3:DF:80:98:CB:74:F6:85:81:D5:A8



Prod Certificate fingerprint


* Prod Certificate fingerprint: 02:B1:F7:19:22:4E:FE:1E:FF:46:E1:B5:BA:55:E8:14:10:5C:4D:59
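Before pasting a fingerprint into Canvas, it can be compared against the signing certificate published in the IdP metadata at the entityID URL. The sketch below is an added example, not part of the original instructions: it assumes the fingerprints on this page are SHA-1 digests of the certificate's DER encoding (20 bytes, as shown), and the sample metadata, certificate bytes and function names are constructed for illustration.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed stand-ins for certificate DER bytes (NOT real certificates).
SIGNING_DER = b"constructed-signing-certificate-bytes"
ENCRYPTION_DER = b"constructed-encryption-certificate-bytes"


def _key(use, der):
    b64 = base64.b64encode(der).decode()
    return (f'<md:KeyDescriptor use="{use}"><ds:KeyInfo><ds:X509Data>'
            f"<ds:X509Certificate>\n  {b64}\n</ds:X509Certificate>"
            "</ds:X509Data></ds:KeyInfo></md:KeyDescriptor>")


# Constructed metadata shaped like what an IdP metadata URL returns.
SAMPLE_METADATA = (
    f'<md:EntityDescriptor xmlns:md="{NS["md"]}" xmlns:ds="{NS["ds"]}" '
    'entityID="https://idp.example.org/metadata"><md:IDPSSODescriptor '
    'protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
    + _key("encryption", ENCRYPTION_DER) + _key("signing", SIGNING_DER)
    + "</md:IDPSSODescriptor></md:EntityDescriptor>")


def normalize(fp):
    """Hex digits only, upper-case, so 'fb:97' and 'FB97' compare equal."""
    return "".join(c for c in fp.upper() if c in "0123456789ABCDEF")


def signing_fingerprints(metadata_xml):
    """Colon-separated SHA-1 fingerprints of the IdP's signing certificates."""
    fps = []
    root = ET.fromstring(metadata_xml)
    for kd in root.iterfind(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":  # no 'use' means both uses
            continue
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join(cert.text.split()))
            digest = hashlib.sha1(der).hexdigest().upper()
            fps.append(":".join(digest[i:i + 2] for i in range(0, 40, 2)))
    return fps


def matches_documented(metadata_xml, documented_fp):
    """True only if some signing certificate has the documented fingerprint."""
    want = normalize(documented_fp)
    return any(normalize(fp) == want for fp in signing_fingerprints(metadata_xml))
```

With real metadata saved from the Pilot or Prod entityID URL, pass its text and the matching fingerprint from this page to matches_documented; a False result means the value should not be entered until the mismatch is explained.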


Login attribute

Login attribute: eduPersonPrincipalName

   OR eduPersonPrincipalName (domain stripped) if you don't include the @campus.edu on the identifier you send to Canvas in the provisioning feed.


Note: There is a drop down with multiple choices. Choose one of the two 'eduPersonPrincipalName' choices.
This choice has to match what you fill into the LOGIN_ID field in the Canvas provisioning feed. 
DO NOT CHOOSE: "NameID".



Identifier Format

* Identifier Format:  urn:oasis:names:tc:SAML:2.0:nameid-format:transient




Choose the above value from the drop-down and Save your changes. The drop-down should have the following set of choices:





Main SAML input form
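Because the Pilot and Prod values differ only slightly, it is easy to save a form that mixes them or still contains the MISnnn placeholder. The following check is an added example, not part of the original instructions or of Canvas: it validates one set of Step 3 values against the values listed on this page. The dictionary keys, the function name and the MIS code 123 are hypothetical and constructed for illustration.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Values copied from this page, keyed by proxy SSO GW environment.
EXPECTED = {
    "pilot": ("sso.pilot.cccmypath.org",
              "FB:97:39:4D:14:17:12:5A:F5:A3:DF:80:98:CB:74:F6:85:81:D5:A8"),
    "prod": ("sso.cccmypath.org",
             "02:B1:F7:19:22:4E:FE:1E:FF:46:E1:B5:BA:55:E8:14:10:5C:4D:59"),
}
LOGIN_ATTRS = {"eduPersonPrincipalName", "eduPersonPrincipalName (domain stripped)"}
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
BASE = "/simplesaml/saml2/idp/"

# Constructed sample: prod settings for a made-up MIS code 123.
SAMPLE_PROD = {
    "idp_entity_id": "https://sso.cccmypath.org" + BASE + "metadata.php",
    "log_on_url": "https://sso.cccmypath.org" + BASE + "SSOService.php?source=MIS123",
    "fingerprint": EXPECTED["prod"][1].lower(),
    "login_attribute": "eduPersonPrincipalName",
    "identifier_format": TRANSIENT,
}


def check_settings(env, s):
    """Return the problems found in settings dict `s` for environment `env`."""
    host, fingerprint = EXPECTED[env]
    problems = []
    logon = urlsplit(s["log_on_url"])
    for name, url, path in (("IdP entityID", urlsplit(s["idp_entity_id"]), "metadata.php"),
                            ("Log On URL", logon, "SSOService.php")):
        if url.scheme != "https" or url.hostname != host:
            problems.append(f"{name}: not https on the {env} host {host}")
        if url.path != BASE + path:
            problems.append(f"{name}: unexpected path {url.path}")
    # ?source= must be MIS plus 3 digits; a leftover 'MISnnn' fails here.
    source = parse_qs(logon.query).get("source", [])
    if len(source) != 1 or not re.fullmatch(r"MIS[0-9]{3}", source[0]):
        problems.append("Log On URL: source must be MIS followed by 3 digits")
    if s["fingerprint"].upper() != fingerprint:
        problems.append(f"Certificate fingerprint: not the {env} value")
    if s["login_attribute"] not in LOGIN_ATTRS:
        problems.append("Login attribute: choose an eduPersonPrincipalName option")
    if s["identifier_format"] != TRANSIENT:
        problems.append("Identifier Format: expected the transient format")
    return problems
```

An empty list means the values are consistent for that environment; running the prod sample against "pilot" reports the host and fingerprint mismatches that a mixed form would produce.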



Testing configuration changes in the Canvas test (beta) environment

Testing should occur on the Test/Beta site that has been established for your college. An example of a test URL is https://ccsf.test.instructure.com/login/saml (substitute the values for your own college's test site in order to successfully test the changes).

Start at your equivalent of https://ccsf.test.instructure.com/login/saml

Test Site: To configure your testing URL: https://[your domain].test.instructure.com/login/saml

Beta Site: To configure your beta test URL: https://[your domain].beta.instructure.com/login/saml

Note:  You can test in either your "beta" or "test" environments.  



Send metadata to the proxy SSO GW team and test in Proxy SSO GW pilot environment

Once the above configuration changes have been made, send the metadata to the Proxy SSO GW team for upload to the Pilot Proxy SSO GW environment.



Test the proxy SSO GW Pilot integration and confirm successful test


Note

Real-Time Testing with the Proxy SSO GW Team

Once you've forwarded the configured metadata to the Proxy SSO GW team, a screen-share meeting is the most efficient way to troubleshoot the success of testing and next steps. If not already scheduled, contact Matt Schroeder, Systems Administrator, mschroeder@ccctechcenter.org to schedule a Zoom call and/or for support.


Next Step:  Move on to testing in the Proxy SSO GW Production Environment



Make configuration changes for the proxy SSO GW Production environment and test

Once you've tested in your Canvas test environment AND the SSO Proxy GW Pilot environment, the configured metadata will be uploaded to the Proxy SSO GW Production environment by the Proxy SSO GW team and you will test and confirm success in that environment.


Info

New Student Workflow through the SSO Proxy GW

Once your Canvas > SSO proxy GW integration is complete, the very first time (only) that your students attempt to log in to Canvas they may encounter the OpenCCC Sign-In page, which means the proxy SSO GW cannot locate their information (No CCCID). This will happen for one of two reasons: 1) the student does not have an OpenCCC Account because they applied to your college before you implemented CCCApply; or 2) the college is not passing the student's CCCID with their EPPN in your college IdP. Click here to better understand the purpose of the SSO Proxy GW (to store the student's CCCID in Canvas) and see best practices for streamlining this process for both students and staff.


Next Step:  Work with your CCCTC project team to continue your Canvas implementation and incorporate best practices with students using Canvas.  

Contacts

SSO Proxy Project Team

Who: Rodney Hing, Project Manager, Unicon; Chris Franz, Systems Admin, Unicon
What: SSO & Proxy Technical Integration; Shibboleth Technical Implementations; Shibboleth Service & Upgrade
How: rhing@unicon.net; cfranz@unicon.net

Who: Matt Schroeder, SSO Systems Admin, CCCTC
What: SSO Support; Shibboleth & IDP Solutions Support; Proxy Integration Support
How: mschroeder@ccctechcenter.org

Who: Patty Donohue, Product Manager, SSO Proxy Product Manager
What: CCC SSO Initiative; SSO Proxy Implementation; InCommon Federation Implementation; OpenCCC Account Integration
How: pdonohue@ccctechcenter.org

Who: John Sills, CE Product Manager, OEI Product Manager
What: CCC Canvas Implementation; CCC Course Exchange (CE) Technical Integration
How: jsills@ccctechcenter.org