Configuring Your IdP to Access Canvas Through the SSO Proxy

Setting up your college IdP to access Canvas through the SSO Proxy

This document illustrates configuring your Canvas to route your college/district IdP through the SSO proxy. To do that, the following values will need to be updated in order to implement this change:

• IdP entityID:  this will change to the proxy entityID
• Log On URL: this will change to a URL that goes to the proxy SSO endpoint, and with a ?source= query argument identifying the college/district IdP to route to
• Certificate fingerprint: this will become the certificate fingerprint of the proxy signing certificate
• Note: the Logout URL, if you want the user logged out of your IdP after logging out of Canvas, will be same as below. The proxy will not keep a session, so you will need to configure Canvas to send the user to your IdP's Logout endpoint.

Set up requires Canvas Administrator privileges

Each college using Canvas has one or two people who have been established as the "Canvas Administrators" for that college. The person(s) in this role has access to their Canvas site with "administrative privileges", including being able to configure how authentication is done for their Canvas site. This individual will need to make the changes outlined in this document. 

Canvas recommends that you first implement these changes in your Test/Beta site and ensure it is working correctly there prior to configuring it in your Production site. Please be aware that every few weeks, Instructure replaces your Test/Beta site config with your Production config, so you might have to repeat configuring the steps below multiple times if it takes longer to complete your verification testing.

Make Canvas Administrator configuration steps

Step 1: Click on "Authentication" in the left-hand pane of the Canvas Admin screen.
Step 2: Click on SAML in the right-hand side of the subsequent screen (Authentication Settings) and then click, Save.
	That will bring you to the main "SAML configuration form".
Step 3: Enter the following information in the corresponding fields:
	IdP entityID	* IdP entityID:   Pilot: https://sso.pilot.cccmypath.org/simplesaml/saml2/idp/metadata.php Prod: https://sso.cccmypath.org/simplesaml/saml2/idp/metadata.php     Note: this is the value of the 'idp.entityID=' property in the IdP's conf/idp.properties file and in your IdP's metadata.
	Log On URL	* Log On URL:   Pilot: https://sso.pilot.cccmypath.org/simplesaml/saml2/idp/SSOService.php?source=MISnnn Prod:  https://sso.cccmypath.org/simplesaml/saml2/idp/SSOService.php?source=MISnnn     Note: Replace 'nnn' in the above URLs with the appropriate 3-digit MIS code for your college/district Note: this is the Location value from the following entry in your IdP's metadata:         <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.ccsf.edu/idp/profile/SAML2/Redirect/SSO"/>
	Log Out URL	* Log Out URL:  https://idp.ccsf.edu/idp/profile/Logout     (Example- please use your colleges version)     Note: Only enter this if you want the user logged out of your IdP after logging out of Canvas.         This is the Location value from the following entry in your IdP's metadata:         <!-- Not actually a SAMLv2 Logout endpoint, but it is where we want SPs to send the user -->         <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.ccsf.edu/idp/profile/Logout"/>
	Pilot Certificate fingerprint	* Pilot Certificate fingerprint: FB:97:39:4D:14:17:12:5A:F5:A3:DF:80:98:CB:74:F6:85:81:D5:A8
	Prod Certificate fingerprint	* Prod Certificate fingerprint: 02:B1:F7:19:22:4E:FE:1E:FF:46:E1:B5:BA:55:E8:14:10:5C:4D:59
	Login attribute	* Login attribute: eduPersonPrincipalName    OR eduPersonPrincipalName (domain stripped) if you don't include the @campus.edu on the identifier you send to Canvas in the provisioning feed. Note: There is a drop down with multiple choices. Choose one of the two 'eduPersonPrincipalName' choices. This choice has to match what you fill into the LOGIN_ID field in the Canvas provisioning feed.  DO NOT CHOOSE: "NameID".
	Identifier Format	* Identifier Format:  urn:oasis:names:tc:SAML:2.0:nameid-format:transient
		Choose the above value from the drop-down and Save your changes. The drop-down should have the following set of choices:
	Main SAML input form

Testing configuration changes in the Canvas test (beta) environment

Testing should occur on the Test/Beta site that has been established for your college. An example of a test url is: https://ccsf.test.instructure.com/login/saml    You will need to replace the correct values associated to your college test site in order to successfully test the changes. 

Start at your equivalent of: https://ccsf.test.instructure.com/login/saml

Test Site:  To configure your testing URL, https://[your domain].test.instructure.com/login/saml

Beta Site: To configure your beta test URL:  https://[your domain].beta.instructure.com/login/saml

Note:  You can test in either your "beta" or "test" environments.  

Send metadata to the proxy team and test in Proxy pilot environment

One the above configuration changes have been made, send the metadata to the Proxy team for upload to the Pilot Proxy environment. 

Test the proxy Pilot integration and confirm successful test

Next Step:  Move on to testing in the Proxy Production Environment

Make configuration changes for the proxy Production environment and test

Once the you've tested in your Canvas test environment AND the SSO Proxy Pilot environment, the configured metadata will be uploaded to the Proxy Production environment by the Proxy team and you will test and confirm success in that environment.

Next Step:  Work with your CCCTC project team to continue your Canvas implementation and incorporate best practices with students using Canvas.  

Contacts

SSO Proxy Project Team