The fusionSpan Blog

Canvas LMS Third Party Authentication with SAML

By Jason Cookman | March 12, 2014
Integrations

We are using Canvas LMS but want to use our own existing authentication, so our users don’t need a second set of credentials to log in to Canvas. I struggled a little bit with this, so I thought of posting this for reference. To get Canvas LMS working with third-party authentication, you really have two options:

  1. Host Canvas LMS yourself and just plug in a custom authentication module. Canvas is an open source LMS solution so this should work just fine.
  2. Set up a SAML identity provider (IdP) and set up your account in Canvas with SAML authentication.

We chose option #2 because we were using a hosted version of Canvas. There is some documentation here on setting up various authentication profiles in Canvas.

We used SimpleSaml as our SAML Identity Provider. SimpleSaml is very easy to set up and comes pre-packaged with multiple authentication providers (local text-based basic authentication, OpenID, etc.). Our plan was to write a custom authentication provider within SimpleSaml which would leverage our own custom username/password database.

To set all this up just do the following.

    1. Set up Canvas for SAML authentication. If you are testing with a local deployment of Canvas, edit config/saml.yml and add the following:

        development:
          entity_id: "http://localhost:3000/saml2"
          tech_contact_name: "Administrator"
          tech_contact_email: ""
          encryption:
            xmlsec_binary: /usr/local/bin/xmlsec1
            private_key: /Applications/XAMPP/simplesamlphp/cert/server.pem
            certificate: /Applications/XAMPP/simplesamlphp/cert/server.crt

  • Configure your Canvas account (the super user account under which all other users are created) to use SAML authentication. Here is a screenshot of our configuration.

  • Install SimpleSaml and enable SAML authentication by editing simplesaml/config/config.php and declaring:

      'enable.saml20-idp' => true,

  • Edit simplesaml/config/authsources.php by setting up an appropriate authentication source. For testing we just used an in-memory map of usernames and passwords as follows:

      'example-userpass' => array(
          'exampleauth:UserPass',
          // Each key has the form 'username:password'; the value is the
          // array of attributes released for that user.
          ':test' => array(
              'uid' => array(''),
              'email' => '',
              'eduPersonAffiliation' => array('member', 'student'),
          ),
      ),

  • Edit simplesaml/metadata/saml20-sp-remote.php and set Canvas as a remote Service Provider (Canvas deploys the SAML service provider by default):

      // The array key is the Canvas entity_id from config/saml.yml.
      $metadata['http://localhost:3000/saml2'] = array(
          'AssertionConsumerService' => 'http://localhost:3000/saml_consume',
          'SingleLogoutService' => 'http://localhost:3000/saml_logout',
          'NameIDFormat' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:email',
          // Send the user's email attribute as the NameID and no other attributes.
          'simplesaml.nameidattribute' => 'email',
          'simplesaml.attributes' => FALSE,
      );

  • I used the certificates that came with SimpleSaml. Just calculate the MD5 fingerprint of the certificate and use it to configure Canvas (step #1). This establishes “trust” between Canvas and SimpleSaml.
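
One way to carry out the fingerprint step above, as an added example that is not part of the original post: it extracts the DER bytes from a PEM certificate file and produces the colon-separated digest, MD5 by default as the post describes, with the algorithm left as a parameter. The function names are hypothetical and SAMPLE_PEM is a constructed stand-in, not a real certificate.

```python
import base64
import hashlib
import re
import sys

# Matches one PEM-armoured certificate, capturing the base64 body.
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL
)

# Constructed stand-in, NOT a real certificate: the body is base64 of b"abc".
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nYWJj\n-----END CERTIFICATE-----\n"


def pem_to_der(pem_text):
    """Return the DER bytes of the first CERTIFICATE block in pem_text."""
    match = PEM_RE.search(pem_text)
    if match is None:
        raise ValueError("no PEM CERTIFICATE block found")
    body = "".join(match.group(1).split())  # drop line wrapping
    return base64.b64decode(body, validate=True)


def fingerprint(pem_text, algorithm="md5"):
    """Digest of the DER encoding, as colon-separated upper-case hex."""
    digest = hashlib.new(algorithm, pem_to_der(pem_text)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def same_fingerprint(a, b):
    """Compare two fingerprints, ignoring case, colons and whitespace."""
    def norm(s):
        return re.sub(r"[\s:]", "", s).lower()
    return norm(a) != "" and norm(a) == norm(b)


if __name__ == "__main__":
    # Usage: python fingerprint.py server.crt [value-entered-in-canvas]
    pem = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PEM
    fp = fingerprint(pem)
    print(fp)
    if len(sys.argv) > 2:
        print("match" if same_fingerprint(fp, sys.argv[2]) else "MISMATCH")
```

Passing the value entered in the Canvas account settings as a second argument checks it against the certificate on disk, which catches a stale fingerprint after the IdP certificate is replaced.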

That should be it. Now when you try to go to the Canvas homepage at http://localhost:3000, it will forward you to the following screen.

Once you log in here (using the credentials in the example-userpass authentication provider), you should be logged in to Canvas automatically. Remember the test user () should already exist in Canvas and have a login id of .

I will post a follow-up on creating a custom authentication provider in SimpleSaml… stay tuned.

Jason Cookman

Jason is a Senior Salesforce Architect and has been with fusionSpan since June 2014. He has multiple Salesforce Certifications and has led the solution architecture on dozens of Salesforce implementations. In addition he has created apps on a variety of platforms and frameworks including MuleSoft, Spring Boot, AngularJs and Drupal. He has been coding in Java, PHP and JavaScript for more than eight years and has over six years of experience developing on the Salesforce Platform in Apex, Visualforce and Lightning. He is a graduate of the University of Maryland with a double bachelor degree in Computer Science and Accounting. Jason's favorite foods are ramen, ramen and more ramen.