Configure Canvas with PortalGuard for Single Sign-On
You want to integrate PortalGuard with the Canvas LMS for Single Sign-On via SAML.
Set up the Relying Party in PortalGuard and Configure Canvas for SAML
How to Integrate with Canvas for SAML SSO
On the PortalGuard Server:
- Ensure the prerequisites for PortalGuard SSO have been completed
Open the Identity Provider Configuration Editor
Under the 'SAML Websites' tab, click the 'Create' button
Give the new Relying Party a Name and Description that make sense for this application (e.g. Canvas LMS or Test Canvas Integration)
Next to Identifiers, click the 'Add' button
For new SAML integrations with Canvas, the Identifier will be set to the Entity ID defined in Canvas. This typically follows the format:
- See this Knowledge Base Article for additional information
For the Assertion Consumer URL, use the following format:
- You will be able to confirm this once you move to the Canvas side. If you are unsure, just put "canvas" for now and you will update it after.
Navigate to the 'Identity Claims' tab
Ensure the correct 'Attribute Store' is selected (this value will determine where user information is pulled from during SSO authentication)
Click the 'Create' button to add a new Identity Claim to this Relying Party
For Name, use "EmailAsNameID"
Ensure the 'Send as NameID?' box is checked
For Schema Type, click the 'Predefined Types' and choose the following from the drop-down:
- Your end result should resemble the following:
Leave Value Type set to 'String Field'
Update the 'Field Name' to "mail" (without the quotation marks)
Your end result should resemble the following:
Save this claim
Navigate to the 'IdP-Initiated' tab
- You will see a matching value on the Canvas side
- Display Text - this is the label of the tile that your users will see on the PortalGuard SSO Jump Page
- Help Text - this is the information that will appear if users hover over the tile but do not click on it.
- Display Image - Click on 'Choose Image' and then browse to the thumbnail image you would like to display on the PortalGuard SSO Jump Page. If you have a specific thumbnail that you would like to use, simply paste it into the C:\inetpub\PortalGuard\sso\img\ folder on the PortalGuard server and select it here. Otherwise, choose 'Default.jpg' for now
Save the configuration
On the main screen of the Identity Provider Configuration Editor click 'Apply to Identity Provider'
Still in the Identity Provider Configuration Editor, click on 'General IdP Settings'
Navigate to the 'Response' tab and copy down the 'Issuer' value for use on the Canvas configuration.
Locate the 'PGIdP.cer' file on the PortalGuard Server
- This is typically located in the following location:
- C:\Program Files\PistolStar\PortalGuard
Double-click the file and navigate to the 'Details' tab
Scroll down and locate the 'Thumbprint Value'
Copy the series of pairs to your clipboard and paste into a text editor
Canvas requires the thumbprint to be input with the following conditions:
- Each pair separated by a colon (i.e. ":")
- All upper-case letters
Simply type out the thumbprint in a new line with all upper-case letters and separate each pair with a colon.
Copy the entire string and save to a new text file as 'thumbprint.txt' for later use.
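The thumbprint formatting steps above, scripted in PowerShell on the PortalGuard server as an added example (not part of the original article or PortalGuard's own tooling). The function name `ConvertTo-CanvasFingerprint` is hypothetical, the sample thumbprint is constructed, and the certificate path assumes the install location given above.

```powershell
# Added example: produce the fingerprint string in the form Canvas expects.
function ConvertTo-CanvasFingerprint {
    param([Parameter(Mandatory = $true)][string]$Thumbprint)

    # Keep hex digits only. This drops spaces, existing colons and the
    # invisible U+200E mark that the Windows certificate dialog can place
    # in front of a copied thumbprint.
    $hex = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()

    # A SHA-1 thumbprint is 20 bytes, i.e. 40 hex digits.
    if ($hex.Length -ne 40) {
        throw "Expected 40 hex digits, got $($hex.Length)."
    }

    # Insert ':' after every pair except the last.
    $hex -replace '(..)(?!$)', '$1:'
}

# Constructed sample: a thumbprint as pasted from the 'Details' tab,
# including a leading U+200E character.
$pasted = [string][char]0x200E + '0a 1b 2c 3d 4e 5f 60 71 82 93 a4 b5 c6 d7 e8 f9 0a 1b 2c 3d'
$fromPaste = ConvertTo-CanvasFingerprint $pasted
Write-Output "From pasted text: $fromPaste"

# Read the thumbprint straight from the certificate file instead of the dialog.
# Path assumed from the install location named above; adjust if yours differs.
$certPath = 'C:\Program Files\PistolStar\PortalGuard\PGIdP.cer'
if (Test-Path -LiteralPath $certPath) {
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $certPath
    $fromFile = ConvertTo-CanvasFingerprint $cert.Thumbprint
    Set-Content -Path .\thumbprint.txt -Value $fromFile -Encoding ASCII
    Write-Output "From ${certPath}: $fromFile"
} else {
    Write-Warning "Certificate not found at $certPath"
}
```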
Within the Canvas LMS Configuration
- You will need to log in to the Canvas Instance as an Administrator
- Be sure to log in to the correct instance (e.g. Production, Test, or Beta)
Click the 'Admin' tile on the right-hand side
On the left-hand side, click the dropdown for 'Choose an Authentication' and select 'SAML'
Use the following information to fill in the 'SAML' Authentication settings:
- IdP Metadata URL - This will use the following URL structure: https://YOUR.PORTALGUARD.URL/sso/metadata.ashx
- IdP Entity ID - The 'issuer' value from the PortalGuard Identity Provider Configuration Editor
- Log On URL - This will use the following URL structure: https://YOUR.PORTALGUARD.URL/sso/go.ashx
- Log Out URL - This will use the following URL structure: https://YOUR.PORTALGUARD.URL/_layouts/PG/signout.aspx
- Certificate Fingerprint - Taken from the .txt file saved during step # 30 above.
- Login Attribute - No change
- Identifier Format - No change - should match the 'Schema Type' referenced in step # 13 above.
- Authentication Context - No change
- Message Signing - No change
- Just In Time Provisioning - No change
IMPORTANT: To double-check the 'Entity ID' for Canvas, compare it with the information presented at the top of this screen under the 'SAML' header. The first sentence reads "The Canvas SAML Entity ID is..."; that value should match what you have listed as the 'Identifier' in step # 6 of the 'On the PortalGuard Server' section above.
Save these settings.
Scroll down on the new page and double-check that the information remains unchanged. Oftentimes, the initial 'Save' clears out the 'Log Out URL' value, and you must update that here before testing.
Under the 'SAML' header, the first sentence provides the endpoint URL to use when accessing Canvas via SAML
Once all settings are verified, test the following authentication scenarios:
- Starting at the PortalGuard Website
  - Navigate to https://YOUR.PG.URL/sso/default.aspx
  - Log in to PortalGuard with an account that can access Canvas
  - Click the 'Canvas' tile to be granted access to Canvas
- Starting at Canvas
  - Navigate to the SAML Endpoint URL for Canvas (as noted in step #9 above)
  - After being redirected, log in to PortalGuard
  - You will be redirected into Canvas after authenticating through PortalGuard
- NOTE: You can also set SAML to the default method in PortalGuard to initiate SAML directly when hitting your root Canvas URL. Standard LDAP Authentication can then remain on a separate endpoint URL as a backup if necessary.
REV. 06/2018 | PortalGuard