Canvas LMS Third Party Authentication with SAML

We are using Canvas LMS but want to use our own existing authentication, so our users don't need a second set of credentials to log in to Canvas. I struggled a little with this, so I'm posting it for reference. To get Canvas LMS working with third-party authentication, you really have two options:

  1. Host Canvas LMS yourself and plug in a custom authentication module. Canvas is an open-source LMS, so this should work fine.
  2. Set up a SAML identity provider (IdP) and configure your account in Canvas to use SAML authentication.

We chose option #2 because we were using a hosted version of Canvas. Canvas has documentation on setting up the various authentication profiles.

We used SimpleSAMLphp as our SAML identity provider. SimpleSAMLphp is easy to set up and comes pre-packaged with multiple authentication sources (a local text-based username/password store, OpenID, etc.). Our plan was to write a custom authentication source within SimpleSAMLphp that would use our own username/password database.

To set all this up, do the following.

    1. Configure Canvas for SAML authentication. If you are testing with a local deployment of Canvas, edit config/saml.yml and add the following (the key, certificate and xmlsec1 path are nested under encryption:):

        development:
          entity_id: "http://localhost:3000/saml2"
          tech_contact_name: "Administrator"
          tech_contact_email: "info@your-domain.com"
          encryption:
            xmlsec_binary: /usr/local/bin/xmlsec1
            private_key: /Applications/XAMPP/simplesamlphp/cert/server.pem
            certificate: /Applications/XAMPP/simplesamlphp/cert/server.crt

       Pointing Canvas (the SP) at the IdP's own key pair is a local-test shortcut; in a real deployment the SP should have its own key pair.

    2. Configure your Canvas account (the super-user account under which all other users are created) to use SAML authentication. [Screenshot: our Canvas authentication settings for SAML]

    3. Install SimpleSAMLphp and enable the SAML 2.0 IdP by editing simplesaml/config/config.php and declaring

        'enable.saml20-idp' => true,

    4. Edit simplesaml/config/authsources.php and set up an appropriate authentication source. For testing we just used an in-memory map of usernames and passwords:

        'example-userpass' => array(
            'exampleauth:UserPass',
            'testuser@fusionspan.com:test' => array(
                'uid' => array('testuser@fusionspan.com'),
                'email' => 'testuser@fusionspan.com',
                'eduPersonAffiliation' => array('member', 'student'),
            ),
        ),

    5. Edit simplesaml/metadata/saml20-sp-remote.php and register Canvas as a remote Service Provider (Canvas ships a SAML SP by default). With this entry the NameID sent to Canvas is taken from the user's email attribute and no other attributes are released:

        $metadata['http://localhost:3000/saml2'] = array(
            'AssertionConsumerService'   => 'http://localhost:3000/saml_consume',
            'SingleLogoutService'        => 'http://localhost:3000/saml_logout',
            'NameIDFormat'               => 'urn:oasis:names:tc:SAML:2.0:nameid-format:email',
            'simplesaml.nameidattribute' => 'email',
            'simplesaml.attributes'      => FALSE,
        );

    6. I used the certificates that came with SimpleSAMLphp. Calculate the fingerprint of the certificate (openssl x509 -noout -fingerprint -in server.crt prints the SHA-1 fingerprint by default) and enter it in the Canvas account authentication settings (step #2). This fingerprint is what establishes "trust" between Canvas and SimpleSAMLphp: Canvas accepts only assertions signed by the certificate with that fingerprint. A certificate that ships with the distribution is available to anyone who downloads it, so generate your own key pair before using this anywhere but a local test.
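As an added example (not code from the original post or from Canvas or SimpleSAMLphp), here is a small Python script for the fingerprint step above. It derives a certificate's fingerprint in the colon-separated format openssl prints, accepts either the PEM file (cert/server.crt) or the bare base64 found in the IdP metadata's X509Certificate element, and checks a value copied into the Canvas settings against the certificate regardless of case, colons, whitespace or the "SHA1 Fingerprint=" prefix. The embedded certificate is a constructed stand-in whose DER body is just the bytes "abc", chosen so the expected digests are the published SHA-1/SHA-256 test vectors; all function names are my own.

```python
"""Derive and check a SAML IdP certificate fingerprint, as Canvas compares it."""
import base64
import hashlib
import hmac
import re

# Constructed stand-in for the PEM of simplesamlphp/cert/server.crt. Its DER
# body is the three bytes b"abc" (base64 "YWJj"), chosen so the expected
# digests are the published SHA-1/SHA-256 test vectors for "abc". A real
# certificate's DER is several hundred bytes but is handled identically.
SAMPLE_PEM = """-----BEGIN CERTIFICATE-----
YWJj
-----END CERTIFICATE-----
"""

_PEM_RE = re.compile(r"-----BEGIN [^-]+-----(.*?)-----END [^-]+-----", re.S)


def cert_to_der(text: str) -> bytes:
    """Accept PEM (what cert/server.crt holds) or bare base64 (what the
    Federation tab's <ds:X509Certificate> element carries) and return DER."""
    m = _PEM_RE.search(text)
    body = m.group(1) if m else text
    return base64.b64decode("".join(body.split()), validate=True)


def fingerprint(der: bytes, algo: str = "sha1") -> str:
    """Colon-separated uppercase hex, the format `openssl x509 -noout
    -fingerprint` prints (SHA-1 unless another digest flag is given)."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(fp: str) -> str:
    """Drop the 'SHA1 Fingerprint=' prefix openssl prints, plus colons,
    whitespace and case, so copy-pasted values compare reliably."""
    fp = fp.split("=", 1)[1] if "=" in fp else fp
    return re.sub(r"[^0-9a-fA-F]", "", fp).upper()


def configured_fingerprint_matches(configured: str, cert_text: str) -> bool:
    """True if the fingerprint entered in Canvas's authentication settings
    identifies this certificate. The digest is inferred from the value's
    length so a SHA-256 value is never compared against a SHA-1 digest."""
    want = normalize(configured)
    algo = {40: "sha1", 64: "sha256"}.get(len(want))
    if algo is None:
        return False  # not a SHA-1 or SHA-256 fingerprint at all
    have = normalize(fingerprint(cert_to_der(cert_text), algo))
    return hmac.compare_digest(want, have)  # constant-time comparison


if __name__ == "__main__":
    der = cert_to_der(SAMPLE_PEM)
    for algo in ("sha1", "sha256"):
        print(f"{algo.upper()} Fingerprint={fingerprint(der, algo)}")
```

Run it against the real server.crt by replacing SAMPLE_PEM with the file's contents; the SHA-1 line should match what the openssl command in step 6 prints, and configured_fingerprint_matches() is the check to run after pasting the value into Canvas.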

That should be it. Now when you go to the Canvas homepage at http://localhost:3000, it redirects you to the SimpleSAMLphp login screen. Once you log in there (using the credentials from the example-userpass authentication source), you should be logged in to Canvas automatically. Remember that the test user (testuser@fusionspan.com) must already exist in Canvas with a login ID of testuser@fusionspan.com: Canvas matches the NameID in the assertion against an existing login ID and does not create the user for you in this setup.

I will post a follow-up on creating a custom authentication source in SimpleSAMLphp. Stay tuned.

Manav Kher

The official gear-head of fusionSpan. Manav has over 14 years of enterprise software development experience. Previously he spent 7 years in various lead development and architect roles at the National Cancer Institute (NCI). Notably, he contributed to the architecture and development of some of the core components of the caBIG infrastructure, for which he received the NCI caBIG Outstanding Achievement Award.

2 comments

Thank you for posting this. It was very helpful and ultimately provided me with a valuable roadmap that helped me integrate SAML into our custom PHP portal built on top of the Zend Framework.

That said, I stumbled in a few areas and figured I’d post an addendum in the comments here that attempt to smooth out some areas that weren’t clear to me.

First, getting to Authentication Settings of Canvas is not intuitive. To get there, hover your mouse over “Courses” in the top navigation and select your institution’s name in the Managed Accounts column.

I found configuring SAML on the Canvas side to be the most difficult, mainly because the thumbnails included in this blog post are too small to read. To get the values needed for most of the settings, on your simplesamlphp site, toggle to the Federation tab and show the metadata for the hosted IdP. Here you'll find values for the following fields in the Canvas Authentication settings: IdP Entity ID, Log On URL, Log Out URL, Identifier Format, and Authentication Context. Additional field values you'll need include: set Login Attribute to NameID, and "Login Label" to "email". Lastly, to calculate the Certificate Fingerprint, go to your cert directory and execute the following command: openssl x509 -noout -fingerprint -in "server.crt"

Lastly, if you are authenticating to a custom constructed PHP session, you’ll need to create an authentication module. Read http://simplesamlphp.org/docs/1.5/simplesamlphp-authsource and check out /modules/exampleauth/lib/Auth/Source/External.php for a useful template that should get you rolling in the right direction.

SAML underpins many other services, and can also be used by developers to integrate third–party tools with their own platforms and systems.
