Canvas Integration Examples
Jeremiah Brock
jbrock at everettcc.edu
Mon May 20 16:18:12 EDT 2019
Good afternoon,
I am trying to set up the Canvas SAML authentication using our
Shibboleth v3 IdP instance and am having a heck of a time finding any
recent documentation.
I believe that Canvas ONLY supports the NameID
or eduPersonPrincipalName for the Login Attribute. So I am attempting to
use the NameID that I source on the fly from our sid attribute in the
saml-nameid.xml.
With the current configs (which I will have available below) I am
directed to our IdP from Canvas to authenticate and after successful
authentication, I am redirected to Canvas and receive an error message
"There was a problem logging into Everett Community College".
*metadata-providers.xml*
<MetadataProvider id="CanvasMetadata"
    xsi:type="FileBackedHTTPMetadataProvider"
    backingFile="/opt/shibboleth-idp/metadata/canvas-metadata.xml"
    metadataURL="https://everettcc.instructure.com/saml2"/>
*attribute-resolver.xml*
<AttributeDefinition xsi:type="Simple" id="sid"
    sourceAttributeID="employeenumber">
    <Dependency ref="389DSLDAP" />
    <AttributeEncoder xsi:type="SAML1String"
        name="urn:mace:dir:attribute-def:uid" encodeType="false" />
    <AttributeEncoder xsi:type="SAML2String"
        name="urn:oid:0.9.2342.19200300.100.1.1" friendlyName="sid"
        encodeType="false" />
</AttributeDefinition>
*attribute-filter.xml*
<!-- For Canvas Testing -->
<AttributeFilterPolicy id="InstructureCanvasPolicy">
    <PolicyRequirementRule xsi:type="Requester"
        value="http://everettcc.instructure.com/saml2"/>
    <AttributeRule attributeID="NameID">
        <PermitValueRule xsi:type="ANY"/>
    </AttributeRule>
    <AttributeRule attributeID="sid">
        <PermitValueRule xsi:type="ANY"/>
    </AttributeRule>
</AttributeFilterPolicy>
*saml-nameid.xml*
<!-- NEW WAY PER SP!!!! JB 20190520 -->
<bean parent="shibboleth.SAML2AttributeSourcedGenerator"
    p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
    p:attributeSourceIds="#{ {'sid'} }">
    <property name="activationCondition">
        <bean parent="shibboleth.Conditions.RelyingPartyId"
            c:candidate="http://everettcc.instructure.com/saml2" />
    </property>
</bean>
*relying-party.xml*
<!-- Canvas -->
<bean parent="RelyingPartyByName"
    c:relyingPartyIds="http://everettcc.instructure.com/saml2">
    <property name="profileConfigurations">
        <list>
            <bean parent="Shibboleth.SSO" />
            <bean parent="SAML2.SSO"
                p:encryptAssertions="false"
                p:signAssertions="false"
                p:encryptNameIDs="false"
                p:nameIDFormatPrecedence="#{{'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified'}}"
            />
            <ref bean="SAML2.Logout" />
        </list>
    </property>
</bean>
Here is what I see in the *idp-process.log* after a successful
authentication, the population of NameID with the sid attribute and the
release of the sid (but not the NameID?).
2019-05-20 12:57:07,018 - DEBUG
[net.shibboleth.idp.saml.attribute.encoding.AbstractSAMLAttributeEncoder:154]
- Beginning to encode attribute sid
2019-05-20 12:57:07,018 - DEBUG
[net.shibboleth.idp.saml.attribute.encoding.SAMLEncoderSupport:73] -
Encoding value 123456789 of attribute sid
2019-05-20 12:57:07,019 - DEBUG
[net.shibboleth.idp.saml.attribute.encoding.AbstractSAMLAttributeEncoder:191]
- Completed encoding 1 values for attribute sid
2019-05-20 12:57:07,019 - DEBUG
[net.shibboleth.idp.saml.saml2.profile.impl.AddAttributeStatementToAssertion:116]
- Profile Action AddAttributeStatementToAssertion: Adding constructed
AttributeStatement to Assertion _2aa1a4c562370d0af02cbf0adce804ac
2019-05-20 12:57:07,023 - DEBUG
[net.shibboleth.idp.saml.profile.logic.DefaultNameIdentifierFormatStrategy:124]
- Configuration specifies the following formats:
[urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified]
2019-05-20 12:57:07,023 - DEBUG
[net.shibboleth.idp.saml.profile.logic.DefaultNameIdentifierFormatStrategy:141]
- Metadata did not specify any formats, relying on configuration alone
2019-05-20 12:57:07,024 - DEBUG
[net.shibboleth.idp.saml.nameid.impl.AttributeSourcedSAML2NameIDGenerator:197]
- *Checking for source attribute sid*
2019-05-20 12:57:07,024 - DEBUG
[net.shibboleth.idp.saml.nameid.impl.AttributeSourcedSAML2NameIDGenerator:216]
- *Generating NameID from String-valued attribute sid*
2019-05-20 12:57:07,041 - DEBUG
[net.shibboleth.idp.saml.saml2.profile.delegation.impl.DecorateDelegatedAssertion:592]
- Found Assertion with AuthnStatement to decorate in outbound Response
2019-05-20 12:57:07,041 - DEBUG
[net.shibboleth.idp.saml.saml2.profile.delegation.impl.DecorateDelegatedAssertion:290]
- Issuance of delegated was not indicated, skipping assertion decoration
2019-05-20 12:57:07,062 - DEBUG
[net.shibboleth.idp.profile.impl.WebFlowMessageHandlerAdaptor:179] -
Profile Action WebFlowMessageHandlerAdaptor: Invoking message handler of
type 'org.opensaml.messaging.handler.impl.BasicMessageHandlerChain' on
OUTBOUND message context
2019-05-20 12:57:07,062 - DEBUG
[net.shibboleth.idp.profile.impl.WebFlowMessageHandlerAdaptor:195] -
Profile Action WebFlowMessageHandlerAdaptor: Invoking message handler on
message context containing a message of type
'org.opensaml.saml.saml2.core.impl.ResponseImpl'
2019-05-20 12:57:07,068 - DEBUG
[net.shibboleth.idp.saml.profile.impl.SpringAwareMessageEncoderFactory:100]
- Looking up message encoder based on binding URI:
urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
2019-05-20 12:57:07,072 - DEBUG
[net.shibboleth.idp.profile.impl.RecordResponseComplete:89] - Profile
Action RecordResponseComplete: Record response complete
2019-05-20 12:57:07,073 - INFO [Shibboleth-Audit.SSO:275] -
20190520T195707Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|_bd08fcee-9195-4093-b01d-428224c54864|
http://everettcc.instructure.com/saml2|http://shibboleth.net/ns/profiles/saml2/sso/browser|https://idp-389ds-test.everettcc.edu/idp/shibboleth|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_2dfbb1143bb975720f03d1582c5960c7|jbrock|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|sid|123456789|_2aa1a4c562370d0af02cbf0adce804ac|
In the Canvas SAML options I have the following:
Login Attribute: NameID
Identifier Format: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
Authentication Context: No value
Message Signing: Not Signed
Thanks for any advice or working examples.
~Jeremy
--
Jeremiah Brock
IT Web, Data and Development Services / Information Security
425-259-8707
jbrock at everettcc.edu
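An added diagnostic example, not from the post above and not Shibboleth or Canvas code: it parses a decoded SAMLResponse of the shape the configuration above would POST to Canvas and reports the points at issue in this thread, namely whether the Subject carries a NameID, whether its Format matches the identifier format configured on the Canvas side, which attributes were released, and whether the Response or the Assertion is signed. The sample Response is constructed to mirror the configuration and log excerpts in the post; the empty ds:Signature element is a placeholder standing in for a real signature.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

# Constructed sample (not a captured message): unencrypted, unsigned Assertion
# inside a signed Response, NameID sourced from the "sid" attribute.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_resp1" Version="2.0">
  <ds:Signature/>
  <saml:Assertion ID="_2aa1a4c562370d0af02cbf0adce804ac" Version="2.0">
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">123456789</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.1" FriendlyName="sid">
        <saml:AttributeValue>123456789</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def inspect_response(xml_text, expected_format=UNSPECIFIED):
    """Summarise what an SP configured for 'Login Attribute: NameID' would see."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        # An EncryptedAssertion would land here too: nothing to inspect without the SP key.
        return {"problems": ["no plaintext Assertion in Response"]}
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    value = (name_id.text or "").strip() if name_id is not None else None
    problems = []
    if not value:
        problems.append("Subject has no NameID value; an SP keyed on NameID cannot match a user")
    elif name_id.get("Format") != expected_format:
        problems.append(f"NameID Format {name_id.get('Format')!r} != expected {expected_format!r}")
    attrs = {a.get("FriendlyName") or a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
             for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}
    return {
        "name_id": value,
        "name_id_format": name_id.get("Format") if name_id is not None else None,
        "attributes": attrs,
        "response_signed": root.find("ds:Signature", NS) is not None,
        "assertion_signed": assertion.find("ds:Signature", NS) is not None,
        "problems": problems,
    }
```

Feed it the base64-decoded SAMLResponse form field captured from the browser POST to the SP to compare what was actually sent with the idp-process.log view.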