The fusionSpan Blog

Canvas LMS Third Party Authentication with SAML

By Manav Kher |March 12, 2014
IntegrationsStrategic Consulting

We are using Canvas LMS but want to use our own existing authentication, so our users don’t need a second set of credentials to login to Canvas. I struggled a little bit with this so thought of posting this for reference. To get Canvas LMS working with third party authentication, you really have two options

  1. Host canvas LMS yourself and just plug-in a custom authentication module. Canvas is an open source LMS solution so this should work just fine.
  2. Setup a SAML identity provider (idp) and setup your account in Canvas with SAML authentication

We chose option #2 because we were using a hosted version of Canvas. There is some documentation here on setting up various authentication profiles in Canvas.

We used SimpleSaml as our SAML Identity Provider. SimpleSaml is very easy to setup and comes pre-packaged with multiple authentication providers (local text based basic authentication, OpenId etc.). Our plan was to write a custom authentication provider within SimpleSaml which would leverage our own custom username/password database.

To set all this up just do the following.

    1. Canvas for Saml authentication. If you are testing with a local deployment of Canvas, edit config/saml.yml and add the following
entity_id: "http://localhost:3000/saml2"
tech_contact_name: "Administrator"
tech_contact_email: ""
encryption: xmlsec_binary: /usr/local/bin/xmlsec1
private_key: /Applications/XAMPP/simplesamlphp/cert/server.pem
certificate: /Applications/XAMPP/simplesamlphp/cert/server.crt
  • Configure you Canvas account (super user account under which all others users are created) to use SAML authentication. Here is a screenshot of our configuration

  • Install SimpleSaml and enable SAML authentication by editing simplesaml/config/config.php and declaring
'enable.saml20-idp'  = true,
  • Edit simplesaml/config/authsources by setting up an appropriate authentication source. For testing we just used a in-memory Map of username-passwords as follows
'example-userpass' = array(
':test' = array(
'uid' = array(''),
'email' = '',
'eduPersonAffiliation' = array('member', 'student'),
  • Edit simplesaml/metadata/saml20-sp-remote.php and set Canvas as a remote Service Provider (Canvas deploys the SAML service provider by default)
$metadata['http://localhost:3000/saml2'] = array('AssertionConsumerService' =
'SingleLogoutService' ='http://localhost:3000/saml_logout',
'NameIDFormat' = urn:oasis:names:tc:SAML:2.0:nameid-format:email',
'simplesaml.nameidattribute' = 'email', 'simplesaml.attributes'=FALSE,
  • I used the certificates that came with SimpleSaml. Just calculate the MD5 fingerprint of the certificate and use it to configure canvas (step #1). This establishes “trust” between Canvas and SimpleSaml

That should be it. Now when you try and go to the Canvas homepage at http://localhost:3000, it will forward you to the following Screen

Once you login here (using the credentials in the example-userpass authentication provider),

you should be logged in to Canvas automatically. Remember the test user () should already exist in Canvas and have a login id of .

I will post a follow up on creating a custom authentication provider in SimpleSaml….stay tuned

Manav Kher

The official gear-head of fusionSpan. Manav has over 14 years of enterprise software development experience. Previously he spent 7 years in various lead development and architect roles at the National Cancer Institute (NCI). Notably, he contributed to the architecture and development of some of the core components of the caBIG infrastructure, for which he received the NCI caBIG Outstanding Achievement Award.

More posts