DRAFT: The following is an example using the configuration values that were filled in for CCSF's integration with Canvas. And this document currently illustrates configuring your Canvas site to go straight to your college/district IdP. We'll be updating this document to instead illustrate going to your college/district IdP through the CCC IdP Proxy instead. The following values will need to be updated:
- IdP entityID: this will change to the Proxy IdP entityID
- Log On URL: this will change to a URL that goes to the IdP Proxy SSO endpoint, and with a ?source= query argument identifying the college/district IdP to then go to
- Certificate fingerprint: this will become the certificate fingerprint of the IdP Proxy signing certificate
- Note: the Logout URL, if you want the user logged out of your IdP after logging out of Canvas, will be same as below. The IdP Proxy will not keep a session, so you just have Canvas send the user to your IdP's Logout endpoint.
Each college using Canvas has one or two people who have been established as "Canvas Administrators" for that college. The person(s) in that role has access to their Canvas site with "administrative privileges", including being able to configure how authentication is done for their Canvas site. This individual will need to make the changes outlined in this document.
Canvas recommends that you first implement the changes on your Test/Beta site and ensure it is working correctly there prior to configuring it on your Production site. Please be aware that every few weeks, Instructure replaces your Test/Beta site config with your Production config, so you might have to repeat configuring the below multiple times if it takes longer to complete your verification testing.
This document tells you how to navigate to the page that has the SAM config options on it:
https://community.canvaslms.com/docs/DOC-4284
Step 1- Click on "Authentication" in the left-hand pane of this screen:
Then click on SAML in the right-hand side of the subsequent screen:
That will bring you to the main "SAML configuration form". The following information should be placed in the fields:
* Log On URL: https://idp.ccsf.edu/idp/profile/SAML2/Redirect/SSO
* Log Out URL: https://idp.ccsf.edu/idp/profile/Logout
<!-- Not actually a SAMLv2 Logout endpoint, but it is where we want SPs to send the user -->
<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.ccsf.edu/idp/profile/Logout"/>
* Certificate fingerprint: A6:DD:7A:D5:8E:83:D8:51:6C:EC:72:F4:EF:B5:F0:0F:5C:6B:66:FC
* Login attribute: eduPersonPrincipalName
Or eduPersonPrincipalName (domain stripped) if you don't inlcude the @campus.edu on the identifier you send to Canvas in the provisioning feed.
Testing
Start at your equivalent of: https://ccsf.test.instructure.com/login/saml