You are using an unsupported browser. Please update your browser to the latest version on or before July 31, 2020.

Looking for the Diagnostic Utility?

Click Here For Download and Usage Instructions

Configure Canvas with PortalGuard for Single Sign-On


You want to integrate PortalGuard with the Canvas LMS for Single Sign-On via SAML


Set up the Relying Party in PortalGuard and Configure Canvas for SAML

How to Integrate with Canvas for SAML SSO

On the PortalGuard Server:

  1. Ensure the pre-requisites for PortalGuard SSO have been completed
    • See this Knowledge Base Article for additional information
  2. Open the Identity Provider Configuration Editor
  3. Under the 'SAML Websites' tab, click the 'Create' button
  4. Give the new Relying Party a Name and Description that make sense for this application (i.e. Canvas LMS or Test Canvas Integration)
  5. Next to Identifiers, click the 'Add' button
  6. For new SAML integrations with Canvas, the Identifier will be set to the Entity ID defined in Canvas.  This typically follows the format:
      • You will be able to confirm this once you move to the Canvas side.  If you are unsure, just use the placeholder above for now and you will update it after.
  7. For the Assertion Consumer URL, use the following format:
  8. NOTE: Canvas' TEST and PROD environments use the same Identifier value. Check the 'Use ACS from SAMLRequest?' checkbox to ensure support for both environments from a single PortalGuard server. 
    • Your end result should resemble the following:
  9. Navigate to the 'Identity Claims' tab
  10. Ensure the correct 'Attribute Store' is selected (this value will determine where user information is pulled from during SSO authentication)
  11. Click the 'Create' button to add a new Identity Claim to this Relying Party
  12. For Name, use "EmailAsNameID"
  13. Ensure the 'Send as NameID?' box is checked
  14. For Schema Type, click the 'Predefined Types' and choose the following from the drop-down:
    • urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
      • You will see a matching value on the Canvas side
  15. Leave Value Type set to 'String Field'
  16. Update the 'Field Name' to "mail" (without the quotation marks)
  17. Your end result should resemble the following:
    • PG Canvas RP - Mail Claim
  18. Save this claim
  19. Navigate to the 'IdP-Initiated' tab
    • Display Text - this is the label of the tile that your users will see on the PortalGuard SSO Jump Page
    • Help Text - this is the information that will appear if users hover over the tile but do not click on it.
    • Display Image - Click on 'Choose Image' and then browse to the thumbnail image you would like to display on the PortalGuard SSO Jump Page.  If you have a specific thumbnail that you would like to use, simply paste it into the C:\inetpub\PortalGuard\sso\img\ folder on the PortalGuard server and select it here.  Otherwise, choose 'Default.jpg' for now
  20. Save the configuration
  21. On the main screen of the Identity Provider Configuration Editor click 'Apply to Identity Provider'
  22. Click 'Sync'
  23. Still in the Identity Provider Configuration Editor, click on 'General IdP Settings'
  24. Navigate to the 'Response' tab and copy down the 'Issuer' value for use on the Canvas configuration.
  25. Locate the 'PGIdP.cer' file on the PortalGuard Server
    • This is typically located in the following location:
      • C:\Program Files\PistolStar\PortalGuard
  26. Double-Click the file and Navigate to the 'Details' tab
  27. Scroll down and locate the 'Thumbprint Value'
  28. Copy the series of pairs to your clipboard and paste into a text editor
  29. Canvas requires the thumbprint to be input with the following conditions:
    • Each Pair separated by a colon (i.e. ":")
    • All Upper Case Letters
  30. Simply type out the thumbprint in a new line with all Upper Case letters and separate each pair with a colon. 
  31. Copy the entire string and save to a new text file as 'thumbprint.txt' for later use.

Within the Canvas LMS Configuration

  1. You will need to login to the Canvas Instance as an Administrator
    • Be sure to login to the correct instance (i.e. Production, Test, or Beta)
  2. Click the 'Admin' tile on the right-hand side
  3. Choose 'Authentication'
  4. On the left-hand side, click the dropdown for 'Choose and Authentication' and select 'SAML'
    • Canvas SAML Dropdown
  5. Use the following information to fill in the 'SAML' Authentication settings:
    • IdP Metadata URL - This will use the following URL structure: https://YOUR.PORTALGUARD.URL/sso/metadata.ashx
    • IdP Entity ID - The 'issuer' value from the PortalGuard Identity Provider Configuration Editor
      • See Steps # 22-23 Above
    • Log On URL - This will use the following URL structure: https://YOUR.PORTALGUARD.URL/sso/go.ashx
    • Log Out URL - This will use the following URL structure: https://YOUR.PORTALGUARD.URL/_layouts/PG/signout.aspx
    • Certificate Fingerprint - Taken from the .txt file saved during step # 30 above.
    • Login Attribute - No Change
    • Identifier Format - No Change - should match the 'Schema Type' referenced in step # 13 above.
    • Authentication Context - No change
    • Message Signing - No change
    • Just In Time Provisioning - No change
  6. IMPORTANT: To double check the 'Entity ID' For Canvas, confirm with the information presented at the top of this screen under the 'SAML' header.  You will see the first sentence which reads "The Canvas SAML Entity ID is..." that value should match what you have listed as the 'Identifier' in step # 6 of the 'On the PortalGuard Server' section above
  7. Save these settings.
  8. Scroll down on the new page and double check the information remains unchanged. Oftentimes, the initial 'Save' clears out the 'Log Out URL' value, and you must update that here before testing.
  9. Under the 'SAML' header, the first sentence provides the endpoint URL to use when accessing Canvas via SAML
    • CANVAS SAML Endpoint
  10. Once all settings are verified, test the following authentication scenarios:
    • Starting at the PortalGuard Website
      • Navigate to https://YOUR.PG.URL/sso/default.aspx
      • Login to PortalGuard with an account that can access Canvas
      • Click the 'Canvas' tile to be granted access to Canvas
    • Starting at Canvas
      • Navigate to the SAML Endpoint URL for Canvas (As noted in step #9 above)
      • After being redirected, login to PortalGuard
      • You will be redirected into Canvas after authenticating through PortalGuard
    • NOTE:You can also set SAML to the default method in PortalGuard to initiate SAML directly when hitting your root Canvas URL.  Standard LDAP Authentication can then remain on a separate endpoint URL as a backup if necessary.

REV. 06/2018 | PortalGuard

  • 29
  • 31-Mar-2020