
Configure Canvas with PortalGuard for Single Sign-On

Problem

You want to integrate PortalGuard with the Canvas LMS for Single Sign-On via SAML

Solution

Set up the Relying Party in PortalGuard and Configure Canvas for SAML

How to Integrate with Canvas for SAML SSO

On the PortalGuard Server:

  1. Ensure the pre-requisites for PortalGuard SSO have been completed
    • See this Knowledge Base Article for additional information
  2. Open the Identity Provider Configuration Editor
  3. Under the 'SAML Websites' tab, click the 'Create' button
  4. Give the new Relying Party a Name and Description that make sense for this application (e.g. 'Canvas LMS' or 'Test Canvas Integration')
  5. Next to Identifiers, click the 'Add' button
  6. For new SAML integrations with Canvas, the Identifier must be set to the Entity ID that Canvas reports for your instance.  This typically follows the format:
    • http://SCHOOL.NAME.instructure.com/saml2
      • Canvas displays the exact value at the top of its SAML settings page, and the Identifier must match it character for character (scheme, host and path included).  If you are unsure at this point, enter "canvas" as a placeholder and update it once you have the value from the Canvas side.
  7. For the Assertion Consumer URL, use the following format:
    • https://YOUR.CANVAS.URL/saml_consume
      • Your end result should resemble the following:
        • [Screenshot: PG Canvas RP - General]
  8. Navigate to the 'Identity Claims' tab
  9. Ensure the correct 'Attribute Store' is selected (this value will determine where user information is pulled from during SSO authentication)
  10. Click the 'Create' button to add a new Identity Claim to this Relying Party
  11. For Name, use "EmailAsNameID"
  12. Ensure the 'Send as NameID?' box is checked
  13. For Schema Type, click the 'Predefined Types' and choose the following from the drop-down:
    • urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
      • You will see a matching value on the Canvas side
  14. Leave Value Type set to 'String Field'
  15. Update the 'Field Name' to "mail" (without the quotation marks)
  16. Your end result should resemble the following:
    • [Screenshot: PG Canvas RP - Mail Claim]
  17. Save this claim
  18. Navigate to the 'IdP-Initiated' tab
    • Display Text - the label of the tile that your users will see on the PortalGuard SSO Jump Page
    • Help Text - the text shown when users hover over the tile without clicking it
    • Display Image - click 'Choose Image' and browse to the thumbnail to show on the PortalGuard SSO Jump Page.  To use your own thumbnail, copy the image file into the C:\inetpub\PortalGuard\sso\img\ folder on the PortalGuard server and select it here; otherwise choose 'Default.jpg' for now
  19. Save the configuration
  20. On the main screen of the Identity Provider Configuration Editor click 'Apply to Identity Provider'
  21. Click 'Sync'
  22. Still in the Identity Provider Configuration Editor, click on 'General IdP Settings'
  23. Navigate to the 'Response' tab and copy down the 'Issuer' value for use on the Canvas configuration.
  24. Locate the 'PGIdP.cer' file on the PortalGuard Server
    • This is typically located in the following location:
      • C:\Program Files\PistolStar\PortalGuard
  25. Double-Click the file and Navigate to the 'Details' tab
  26. Scroll down and locate the 'Thumbprint Value'
  27. Copy the series of hex pairs (the SHA-1 thumbprint of PGIdP.cer) to your clipboard and paste it into a text editor
  28. Canvas requires the fingerprint in the following form:
    • Each pair separated by a colon (":")
    • All letters upper case (e.g. 1A:2B:3C:...)
  29. Retype the thumbprint on a new line in that form rather than pasting and editing the copied value: the Windows certificate dialog can prepend an invisible character to what it copies, and any stray character means the fingerprint will not match and Canvas will reject the signed responses from PortalGuard.
  30. Copy the entire string and save it to a new text file as 'thumbprint.txt' for later use.
    • The thumbprint changes whenever PGIdP.cer is renewed or replaced; the Certificate Fingerprint in Canvas must then be updated before SSO will work again.

Within the Canvas LMS Configuration

  1. You will need to login to the Canvas Instance as an Administrator
    • Be sure to login to the correct instance (i.e. Production, Test, or Beta)
  2. Click the 'Admin' tile on the right-hand side
  3. Choose 'Authentication'
  4. On the left-hand side, open the 'Choose an Authentication' dropdown and select 'SAML'
    • [Screenshot: Canvas SAML Dropdown]
  5. Use the following information to fill in the 'SAML' Authentication settings:
    • IdP Metadata URL - This will use the following URL structure: https://YOUR.PORTALGUARD.URL/sso/metadata.ashx
    • IdP Entity ID - The 'issuer' value from the PortalGuard Identity Provider Configuration Editor
      • See Steps # 22-23 Above
    • Log On URL - This will use the following URL structure: https://YOUR.PORTALGUARD.URL/sso/go.ashx
    • Log Out URL - This will use the following URL structure: https://YOUR.PORTALGUARD.URL/_layouts/PG/signout.aspx
    • Certificate Fingerprint - Taken from the .txt file saved during step # 30 above.
    • Login Attribute - No Change
    • Identifier Format - No Change - should match the 'Schema Type' referenced in step # 13 above.
    • Authentication Context - No change
    • Message Signing - No change
    • Just In Time Provisioning - No change
  6. IMPORTANT: Double-check the Canvas Entity ID against the information shown at the top of this screen under the 'SAML' header.  The first sentence reads "The Canvas SAML Entity ID is ..."; that value must match exactly the 'Identifier' you entered in step # 6 of the 'On the PortalGuard Server' section above.  If you used the "canvas" placeholder there, go back and replace it with this value now.
  7. Save these settings.
  8. Scroll down on the new page and double-check that the information is unchanged.  The initial 'Save' often clears the 'Log Out URL' value; re-enter it here before testing.
  9. Under the 'SAML' header, the first sentence provides the endpoint URL to use when accessing Canvas via SAML
    • [Screenshot: Canvas SAML Endpoint]
  10. Once all settings are verified, test the following authentication scenarios:
    • Starting at the PortalGuard Website
      • Navigate to https://YOUR.PG.URL/sso/default.aspx
      • Login to PortalGuard with an account that can access Canvas
      • Click the 'Canvas' tile to be granted access to Canvas
    • Starting at Canvas
      • Navigate to the SAML Endpoint URL for Canvas (As noted in step #9 above)
      • After being redirected, login to PortalGuard
      • You will be redirected into Canvas after authenticating through PortalGuard
    • NOTE: You can also make SAML the default authentication method in Canvas, so that hitting your root Canvas URL initiates SAML directly; standard LDAP authentication can then remain available on a separate endpoint URL as a backup if necessary.
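The following Python script ties together the thumbprint formatting from steps 26-30 on the PortalGuard side and the Canvas SAML settings from step 5 above. It parses the IdP metadata that PortalGuard publishes at /sso/metadata.ashx, computes the SHA-1 fingerprint of the signing certificate in the "AB:CD:..." form Canvas expects, and compares entityID, SingleSignOnService Location and fingerprint with what was typed into Canvas, also flagging an empty Log Out URL. This is an added example, not PortalGuard or Canvas code. The metadata document is constructed inline and assumed to follow standard SAML 2.0 metadata layout; the host sso.school.example, the issuer value, and the certificate blob (placeholder bytes, not a real DER certificate, so only the hashing is exercised) are all assumptions.

```python
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

# Namespaces used by standard SAML 2.0 metadata.
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def canvas_fingerprint(raw_thumbprint):
    """Normalize a thumbprint as shown in the Windows certificate dialog
    ("1a 2b 3c ...", sometimes with an invisible leading character) into
    the form Canvas expects: upper-case hex pairs separated by colons."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", raw_thumbprint)
    if len(hexdigits) != 40:
        raise ValueError(
            f"expected 40 hex digits for a SHA-1 thumbprint, got {len(hexdigits)}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 40, 2)).upper()


def fingerprint_from_der(der):
    """The Windows 'Thumbprint' is the SHA-1 hash of the DER-encoded certificate."""
    return canvas_fingerprint(hashlib.sha1(der).hexdigest())


def idp_values_from_metadata(metadata_xml):
    """Pull entityID, SSO URL and signing-certificate fingerprint out of IdP metadata."""
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    sso = idp.find("md:SingleSignOnService", NS)
    cert = idp.find("md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/"
                    "ds:X509Certificate", NS)
    der = base64.b64decode("".join(cert.text.split()))
    return {
        "entity_id": root.get("entityID"),
        "sso_url": sso.get("Location"),
        "fingerprint": fingerprint_from_der(der),
    }


def check_canvas_settings(metadata_xml, canvas):
    """Return a list of mismatches between the Canvas SAML form and the IdP metadata."""
    idp = idp_values_from_metadata(metadata_xml)
    problems = []
    if canvas["idp_entity_id"] != idp["entity_id"]:
        problems.append(f"IdP Entity ID {canvas['idp_entity_id']!r} does not match "
                        f"metadata entityID {idp['entity_id']!r}")
    if canvas["log_on_url"] != idp["sso_url"]:
        problems.append(f"Log On URL {canvas['log_on_url']!r} does not match "
                        f"metadata SingleSignOnService {idp['sso_url']!r}")
    if canvas_fingerprint(canvas["certificate_fingerprint"]) != idp["fingerprint"]:
        problems.append("Certificate Fingerprint does not match the signing "
                        "certificate published in the metadata")
    if not canvas["log_out_url"].strip():
        problems.append("Log Out URL is empty (the first Save in Canvas often clears it)")
    return problems


# --- Constructed sample data (assumed layout, not real PortalGuard output) ---
SAMPLE_DER = b"placeholder bytes standing in for the DER-encoded PGIdP.cer"
SAMPLE_METADATA = (
    '<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" '
    'xmlns:ds="http://www.w3.org/2000/09/xmldsig#" '
    'entityID="https://sso.school.example/PG">'
    '<md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
    '<md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>'
    + base64.b64encode(SAMPLE_DER).decode() +
    '</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>'
    '<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>'
    '<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" '
    'Location="https://sso.school.example/sso/go.ashx"/>'
    '</md:IDPSSODescriptor></md:EntityDescriptor>'
)


def windows_dialog_thumbprint(der):
    """Render what the Windows certificate Details tab shows for 'Thumbprint':
    lower-case pairs separated by spaces, here with the invisible U+200E mark
    the dialog can prepend to the copied value."""
    h = hashlib.sha1(der).hexdigest()
    return "\u200e" + " ".join(h[i:i + 2] for i in range(0, 40, 2))


# Values as they would be typed into the Canvas SAML form (constructed).
GOOD_SETTINGS = {
    "idp_entity_id": "https://sso.school.example/PG",
    "log_on_url": "https://sso.school.example/sso/go.ashx",
    "log_out_url": "https://sso.school.example/_layouts/PG/signout.aspx",
    "certificate_fingerprint": windows_dialog_thumbprint(SAMPLE_DER),
}
# Same form with the metadata URL pasted as Entity ID, a stale fingerprint
# (e.g. after PGIdP.cer was renewed) and the Log Out URL cleared on first save.
BAD_SETTINGS = dict(GOOD_SETTINGS,
                    idp_entity_id="https://sso.school.example/sso/metadata.ashx",
                    certificate_fingerprint="00 " * 19 + "00",
                    log_out_url="")

if __name__ == "__main__":
    for name, settings in (("good", GOOD_SETTINGS), ("bad", BAD_SETTINGS)):
        print(name, check_canvas_settings(SAMPLE_METADATA, settings) or "OK")
```

Against a live deployment, replace SAMPLE_METADATA with the body fetched from https://YOUR.PORTALGUARD.URL/sso/metadata.ashx and fill the dictionary from the Canvas form; the fingerprint check is the one that catches the copy-and-paste mistakes from step 29, because it normalizes whatever was entered before comparing.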

REV. 06/2018 | PortalGuard

15-Jun-2018