Canvas Integration Examples
Aterea Brown
atbrown at aut.ac.nz
Mon May 20 17:24:42 EDT 2019
Are you using SSO tracer or some other saml capture plugin in your browser? You can check the nameid that has been generated. I think you can also increase the logging for
<variable name="idp.loglevel.messages" value="DEBUG" />
<variable name="idp.loglevel.encryption" value="DEBUG" />
to see the SAML messages in your log file.
Also bear in mind from https://wiki.shibboleth.net/confluence/display/IDP30/NameIDGenerationConfiguration
Format Selection
For any given request, the ordered list of Formats to try to generate is based on combining the SP's request (SAML 2 requests can include a <NameIDPolicy> element that requires a particular Format), the <NameIDFormat> element(s) in the SP's metadata, and the nameIDFormatPrecedence profile configuration <https://wiki.shibboleth.net/confluence/display/IDP30/RelyingPartyConfiguration> property, if set for the chosen relying party configuration. If the metadata contains nothing, or contains the "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" value, then the metadata is ignored.
If a <NameIDPolicy> element with Format is supplied, a suitable identifier MUST be generated or an error will be returned.
Otherwise the formats specified in an SP's metadata are filtered against a nameIDFormatPrecedence profile configuration <https://wiki.shibboleth.net/confluence/display/IDP30/RelyingPartyConfiguration> property, if set, and the resulting set of Formats is tried in order. That is, the first Format in the profile configuration that is also in the metadata and that results in a valid result will be used.
Default Formats for each SAML version are set via saml-nameid.properties and are used in the event that nothing else is called for. You should not alter that setting in most cases.
So you should check what's being returned for nameid. It might not be what you expect.
-art
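As an added illustration (not IdP code, and not part of either post), the following Python models the Format selection rules quoted above and applies them to the Canvas configuration from the original post; the transient default for saml-nameid.properties is an assumed value.

```python
# Model of the Shibboleth IdP v3 NameID Format selection rules quoted from the
# wiki above. Added illustration only; this is not the IdP's own code.

UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
# Assumed saml-nameid.properties default for SAML 2 (check your own install).
SAML2_DEFAULT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"


def candidate_formats(policy_format, metadata_formats, precedence, default_format):
    """Return the ordered list of NameID Formats the IdP would try.

    policy_format    - Format from the SP's <NameIDPolicy>, or None
    metadata_formats - <NameIDFormat> values from the SP's metadata
    precedence       - nameIDFormatPrecedence profile property, or None
    default_format   - default from saml-nameid.properties
    """
    # 1. An explicit <NameIDPolicy Format="..."> must be honoured or the
    #    request fails, so it is the only candidate.
    if policy_format:
        return [policy_format]

    # 2. Empty metadata, or metadata listing "unspecified", is ignored.
    md = list(metadata_formats or [])
    if not md or UNSPECIFIED in md:
        md = []

    # 3. Metadata formats are filtered against the precedence property and
    #    tried in precedence order; with no usable metadata the IdP "relies
    #    on configuration alone", as the idp-process.log line says.
    if md and precedence:
        ordered = [f for f in precedence if f in md]
    elif md:
        ordered = md
    elif precedence:
        ordered = list(precedence)
    else:
        ordered = []

    # 4. Fall back to the properties default when nothing else is called for.
    return ordered or [default_format]


def canvas_case():
    """The thread's setup: no NameIDPolicy Format, Canvas metadata without
    <NameIDFormat>, precedence forcing 'unspecified'."""
    return candidate_formats(None, [], [UNSPECIFIED], SAML2_DEFAULT)


if __name__ == "__main__":
    print("Formats tried for Canvas:", canvas_case())
```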
________________________________
From: users <users-bounces at shibboleth.net> on behalf of Jeremiah Brock <jbrock at everettcc.edu>
Sent: Tuesday, 21 May 2019 8:18 AM
To: users at shibboleth.net
Subject: Canvas Integration Examples
Good afternoon,
I am trying to set up the Canvas SAML authentication using our Shibboleth v3 IDP instance and am having a heck of a time finding any recent documentation.
I believe that Canvas ONLY supports the NameID or eduPersonPrincipalName for the Login Attribute. So I am attempting to use the NameID that I source on the fly from our sid attribute in the saml-nameid.xml.
With the current configs (which I will have available below) I am directed to our IDP from Canvas to authenticate and after successful authentication, I am redirected to canvas and receive an error message "There was a problem logging into Everett Community College".
metadata-providers.xml
<MetadataProvider id="CanvasMetadata"
                  xsi:type="FileBackedHTTPMetadataProvider"
                  backingFile="/opt/shibboleth-idp/metadata/canvas-metadata.xml"
                  metadataURL="https://everettcc.instructure.com/saml2"/>
attribute-resolver.xml
<AttributeDefinition xsi:type="Simple" id="sid" sourceAttributeID="employeenumber">
    <Dependency ref="389DSLDAP" />
    <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:uid" encodeType="false" />
    <AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.1" friendlyName="sid" encodeType="false" />
</AttributeDefinition>
attribute-filter.xml
<!-- For Canvas Testing -->
<AttributeFilterPolicy id="InstructureCanvasPolicy">
    <PolicyRequirementRule xsi:type="Requester" value="http://everettcc.instructure.com/saml2"/>
    <AttributeRule attributeID="NameID">
        <PermitValueRule xsi:type="ANY"/>
    </AttributeRule>
    <AttributeRule attributeID="sid">
        <PermitValueRule xsi:type="ANY"/>
    </AttributeRule>
</AttributeFilterPolicy>
saml-nameid.xml
<!-- NEW WAY PER SP!!!! JB 20190520 -->
<bean parent="shibboleth.SAML2AttributeSourcedGenerator"
      p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
      p:attributeSourceIds="#{ {'sid'} }">
    <property name="activationCondition">
        <bean parent="shibboleth.Conditions.RelyingPartyId"
              c:candidate="http://everettcc.instructure.com/saml2" />
    </property>
</bean>
relying-party.xml
<!-- Canvas-->
<bean parent="RelyingPartyByName" c:relyingPartyIds="http://everettcc.instructure.com/saml2">
    <property name="profileConfigurations">
        <list>
            <bean parent="Shibboleth.SSO" />
            <bean parent="SAML2.SSO"
                  p:encryptAssertions="false"
                  p:signAssertions="false"
                  p:encryptNameIDs="false"
                  p:nameIDFormatPrecedence="#{{'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified'}}" />
            <ref bean="SAML2.Logout" />
        </list>
    </property>
</bean>
Here is what I see in the idp-process.log after a successful authentication, the population of NameID with the sid attribute and the release of the sid (but not the NameID?).
2019-05-20 12:57:07,018 - DEBUG [net.shibboleth.idp.saml.attribute.encoding.AbstractSAMLAttributeEncoder:154] - Beginning to encode attribute sid
2019-05-20 12:57:07,018 - DEBUG [net.shibboleth.idp.saml.attribute.encoding.SAMLEncoderSupport:73] - Encoding value 123456789 of attribute sid
2019-05-20 12:57:07,019 - DEBUG [net.shibboleth.idp.saml.attribute.encoding.AbstractSAMLAttributeEncoder:191] - Completed encoding 1 values for attribute sid
2019-05-20 12:57:07,019 - DEBUG [net.shibboleth.idp.saml.saml2.profile.impl.AddAttributeStatementToAssertion:116] - Profile Action AddAttributeStatementToAssertion: Adding constructed AttributeStatement to Assertion _2aa1a4c562370d0af02cbf0adce804ac
2019-05-20 12:57:07,023 - DEBUG [net.shibboleth.idp.saml.profile.logic.DefaultNameIdentifierFormatStrategy:124] - Configuration specifies the following formats: [urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified]
2019-05-20 12:57:07,023 - DEBUG [net.shibboleth.idp.saml.profile.logic.DefaultNameIdentifierFormatStrategy:141] - Metadata did not specify any formats, relying on configuration alone
2019-05-20 12:57:07,024 - DEBUG [net.shibboleth.idp.saml.nameid.impl.AttributeSourcedSAML2NameIDGenerator:197] - Checking for source attribute sid
2019-05-20 12:57:07,024 - DEBUG [net.shibboleth.idp.saml.nameid.impl.AttributeSourcedSAML2NameIDGenerator:216] - Generating NameID from String-valued attribute sid
2019-05-20 12:57:07,041 - DEBUG [net.shibboleth.idp.saml.saml2.profile.delegation.impl.DecorateDelegatedAssertion:592] - Found Assertion with AuthnStatement to decorate in outbound Response
2019-05-20 12:57:07,041 - DEBUG [net.shibboleth.idp.saml.saml2.profile.delegation.impl.DecorateDelegatedAssertion:290] - Issuance of delegated was not indicated, skipping assertion decoration
2019-05-20 12:57:07,062 - DEBUG [net.shibboleth.idp.profile.impl.WebFlowMessageHandlerAdaptor:179] - Profile Action WebFlowMessageHandlerAdaptor: Invoking message handler of type 'org.opensaml.messaging.handler.impl.BasicMessageHandlerChain' on OUTBOUND message context
2019-05-20 12:57:07,062 - DEBUG [net.shibboleth.idp.profile.impl.WebFlowMessageHandlerAdaptor:195] - Profile Action WebFlowMessageHandlerAdaptor: Invoking message handler on message context containing a message of type 'org.opensaml.saml.saml2.core.impl.ResponseImpl'
2019-05-20 12:57:07,068 - DEBUG [net.shibboleth.idp.saml.profile.impl.SpringAwareMessageEncoderFactory:100] - Looking up message encoder based on binding URI: urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
2019-05-20 12:57:07,072 - DEBUG [net.shibboleth.idp.profile.impl.RecordResponseComplete:89] - Profile Action RecordResponseComplete: Record response complete
2019-05-20 12:57:07,073 - INFO [Shibboleth-Audit.SSO:275] - 20190520T195707Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|_bd08fcee-9195-4093-b01d-428224c54864|http://everettcc.instructure.com/saml2|http://shibboleth.net/ns/profiles/saml2/sso/browser|https://idp-389ds-test.everettcc.edu/idp/shibboleth|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_2dfbb1143bb975720f03d1582c5960c7|jbrock|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|sid|123456789|_2aa1a4c562370d0af02cbf0adce804ac|
In the Canvas SAML options I have the following:
Login Attribute : NameID
Identifier Format : urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
Authentication Context : No value
Message Signing : Not Signed
Thanks for any advice or working examples.
~Jeremy
--
Jeremiah Brock
IT Web, Data and Development Services / Information Security
425-259-8707
jbrock at everettcc.edu