Canvas Integration Examples
Jeremiah Brock
jbrock at everettcc.edu
Mon May 20 17:49:41 EDT 2019
Keith, could you provide a snippet of what that looks like in the metadata?
I read about setting that in the metadata from the very antiquated Canvas
guide: https://community.canvaslms.com/docs/DOC-4093 but gave up with all
the syntax issues.
Would you mind sharing a snippet of your relying-party.xml for Canvas?
Maybe I am screwing something up there.
I am running IdP v3.
~Jeremy
On Mon, May 20, 2019 at 2:40 PM Wessel, Keith <kwessel at illinois.edu> wrote:
> FYI, I’m never a fan of having my IdP dynamically download unsigned
> metadata or metadata for which there isn’t a published certificate against
> which I can validate it. So, we download Canvas’s metadata and store it
> locally. Once it’s in your control, it’s easier to just add the NameID
> format to the metadata, IMHO. Even with that, the activation condition in
> your saml-nameid.xml is unnecessary. The SAML source attribute NameID
> generator will use the first attribute in its list that was made available
> via the attribute filter. With that done, you’ve got the choice of setting
> the NameID format via either metadata or the relying party config.
>
> We set the NameID format in metadata to emailAddress and released eppn
> through the source attribute NameID generator.
>
> Keith
>
> *From:* users <users-bounces at shibboleth.net> *On Behalf Of* Aterea Brown
> *Sent:* Monday, May 20, 2019 4:25 PM
> *To:* Shib Users <users at shibboleth.net>
> *Subject:* Re: Canvas Integration Examples
>
> Are you using SSO Tracer or some other SAML capture plugin in your
> browser? You can check the NameID that has been generated. I think you
> can also increase the logging for
>
> <variable name="idp.loglevel.messages" value="DEBUG" />
> <variable name="idp.loglevel.encryption" value="DEBUG" />
>
> to see the SAML messages in your log file.
>
> Also bear in mind from
> https://wiki.shibboleth.net/confluence/display/IDP30/NameIDGenerationConfiguration
>
> Format Selection
>
> For any given request, the ordered list of Formats to try to generate is
> based on combining the SP's request (SAML 2 requests can include a
> <NameIDPolicy> element that requires a particular Format), the
> <NameIDFormat> element(s) in the SP's metadata, and the
> nameIDFormatPrecedence profile configuration property
> (https://wiki.shibboleth.net/confluence/display/IDP30/RelyingPartyConfiguration),
> if set for the chosen relying party configuration. If the metadata contains
> nothing, or contains the
> "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" value, then the
> metadata is ignored.
>
> If a <NameIDPolicy> element with Format is supplied, a suitable
> identifier MUST be generated or an error will be returned.
>
> Otherwise the formats specified in an SP's metadata are filtered against a
> nameIDFormatPrecedence profile configuration property, if set, and the
> resulting set of Formats is tried in order. That is, the first Format in
> the profile configuration that is also in the metadata and that results in
> a valid result will be used.
>
> Default Formats for each SAML version are set via saml-nameid.properties and
> are used in the event that nothing else is called for. You should *not* alter
> that setting in most cases.
>
> So you should check what's being returned for the NameID. It might not be
> what you expect.
>
> -art
>
> ------------------------------
>
> *From:* users <users-bounces at shibboleth.net> on behalf of Jeremiah Brock
> <jbrock at everettcc.edu>
> *Sent:* Tuesday, 21 May 2019 8:18 AM
> *To:* users at shibboleth.net
> *Subject:* Canvas Integration Examples
>
> Good afternoon,
>
> I am trying to set up Canvas SAML authentication using our
> Shibboleth v3 IdP instance and am having a heck of a time finding any
> recent documentation.
>
> I believe that Canvas ONLY supports the NameID
> or eduPersonPrincipalName for the Login Attribute. So I am attempting to
> use the NameID that I source on the fly from our sid attribute in
> saml-nameid.xml.
>
> With the current configs (which I have included below) I am
> directed to our IdP from Canvas to authenticate and, after successful
> authentication, I am redirected to Canvas and receive the error message
> "There was a problem logging into Everett Community College".
>
> *metadata-providers.xml*
>
> <MetadataProvider id="CanvasMetadata"
>     xsi:type="FileBackedHTTPMetadataProvider"
>     backingFile="/opt/shibboleth-idp/metadata/canvas-metadata.xml"
>     metadataURL="https://everettcc.instructure.com/saml2"/>
>
> *attribute-resolver.xml*
>
> <AttributeDefinition xsi:type="Simple" id="sid"
>     sourceAttributeID="employeenumber">
>     <Dependency ref="389DSLDAP" />
>     <AttributeEncoder xsi:type="SAML1String"
>         name="urn:mace:dir:attribute-def:uid" encodeType="false" />
>     <AttributeEncoder xsi:type="SAML2String"
>         name="urn:oid:0.9.2342.19200300.100.1.1" friendlyName="sid"
>         encodeType="false" />
> </AttributeDefinition>
>
> *attribute-filter.xml*
>
> <!-- For Canvas Testing -->
> <AttributeFilterPolicy id="InstructureCanvasPolicy">
>     <PolicyRequirementRule xsi:type="Requester"
>         value="http://everettcc.instructure.com/saml2"/>
>
>     <AttributeRule attributeID="NameID">
>         <PermitValueRule xsi:type="ANY"/>
>     </AttributeRule>
>
>     <AttributeRule attributeID="sid">
>         <PermitValueRule xsi:type="ANY"/>
>     </AttributeRule>
> </AttributeFilterPolicy>
>
> *saml-nameid.xml*
>
> <!-- NEW WAY PER SP!!!! JB 20190520 -->
> <bean parent="shibboleth.SAML2AttributeSourcedGenerator"
>     p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
>     p:attributeSourceIds="#{ {'sid'} }">
>     <property name="activationCondition">
>         <bean parent="shibboleth.Conditions.RelyingPartyId"
>             c:candidate="http://everettcc.instructure.com/saml2" />
>     </property>
> </bean>
>
> *relying-party.xml*
>
> <!-- Canvas -->
> <bean parent="RelyingPartyByName"
>     c:relyingPartyIds="http://everettcc.instructure.com/saml2">
>     <property name="profileConfigurations">
>         <list>
>             <bean parent="Shibboleth.SSO" />
>             <bean parent="SAML2.SSO"
>                 p:encryptAssertions="false"
>                 p:signAssertions="false"
>                 p:encryptNameIDs="false"
>                 p:nameIDFormatPrecedence="#{{'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified'}}" />
>             <ref bean="SAML2.Logout" />
>         </list>
>     </property>
> </bean>
>
> Here is what I see in the *idp-process.log* after a successful
> authentication: the population of the NameID with the sid attribute and the
> release of sid (but not the NameID?).
>
> 2019-05-20 12:57:07,018 - DEBUG
> [net.shibboleth.idp.saml.attribute.encoding.AbstractSAMLAttributeEncoder:154]
> - Beginning to encode attribute sid
> 2019-05-20 12:57:07,018 - DEBUG
> [net.shibboleth.idp.saml.attribute.encoding.SAMLEncoderSupport:73] -
> Encoding value 123456789 of attribute sid
> 2019-05-20 12:57:07,019 - DEBUG
> [net.shibboleth.idp.saml.attribute.encoding.AbstractSAMLAttributeEncoder:191]
> - Completed encoding 1 values for attribute sid
> 2019-05-20 12:57:07,019 - DEBUG
> [net.shibboleth.idp.saml.saml2.profile.impl.AddAttributeStatementToAssertion:116]
> - Profile Action AddAttributeStatementToAssertion: Adding constructed
> AttributeStatement to Assertion _2aa1a4c562370d0af02cbf0adce804ac
> 2019-05-20 12:57:07,023 - DEBUG
> [net.shibboleth.idp.saml.profile.logic.DefaultNameIdentifierFormatStrategy:124]
> - Configuration specifies the following formats:
> [urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified]
> 2019-05-20 12:57:07,023 - DEBUG
> [net.shibboleth.idp.saml.profile.logic.DefaultNameIdentifierFormatStrategy:141]
> - Metadata did not specify any formats, relying on configuration alone
> 2019-05-20 12:57:07,024 - DEBUG
> [net.shibboleth.idp.saml.nameid.impl.AttributeSourcedSAML2NameIDGenerator:197]
> - Checking for source attribute sid
> 2019-05-20 12:57:07,024 - DEBUG
> [net.shibboleth.idp.saml.nameid.impl.AttributeSourcedSAML2NameIDGenerator:216]
> - Generating NameID from String-valued attribute sid
> 2019-05-20 12:57:07,041 - DEBUG
> [net.shibboleth.idp.saml.saml2.profile.delegation.impl.DecorateDelegatedAssertion:592]
> - Found Assertion with AuthnStatement to decorate in outbound Response
> 2019-05-20 12:57:07,041 - DEBUG
> [net.shibboleth.idp.saml.saml2.profile.delegation.impl.DecorateDelegatedAssertion:290]
> - Issuance of delegated was not indicated, skipping assertion decoration
> 2019-05-20 12:57:07,062 - DEBUG
> [net.shibboleth.idp.profile.impl.WebFlowMessageHandlerAdaptor:179] -
> Profile Action WebFlowMessageHandlerAdaptor: Invoking message handler of
> type 'org.opensaml.messaging.handler.impl.BasicMessageHandlerChain' on
> OUTBOUND message context
> 2019-05-20 12:57:07,062 - DEBUG
> [net.shibboleth.idp.profile.impl.WebFlowMessageHandlerAdaptor:195] -
> Profile Action WebFlowMessageHandlerAdaptor: Invoking message handler on
> message context containing a message of type
> 'org.opensaml.saml.saml2.core.impl.ResponseImpl'
> 2019-05-20 12:57:07,068 - DEBUG
> [net.shibboleth.idp.saml.profile.impl.SpringAwareMessageEncoderFactory:100]
> - Looking up message encoder based on binding URI:
> urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
> 2019-05-20 12:57:07,072 - DEBUG
> [net.shibboleth.idp.profile.impl.RecordResponseComplete:89] - Profile
> Action RecordResponseComplete: Record response complete
> 2019-05-20 12:57:07,073 - INFO [Shibboleth-Audit.SSO:275] -
> 20190520T195707Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|_bd08fcee-9195-4093-b01d-428224c54864|http://everettcc.instructure.com/saml2|http://shibboleth.net/ns/profiles/saml2/sso/browser|https://idp-389ds-test.everettcc.edu/idp/shibboleth|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_2dfbb1143bb975720f03d1582c5960c7|jbrock|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|sid|123456789|_2aa1a4c562370d0af02cbf0adce804ac|
>
> In the Canvas SAML options I have the following:
>
> Login Attribute : NameID
> Identifier Format : urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
> Authentication Context : No value
> Message Signing : Not Signed
>
> Thanks for any advice or working examples.
>
> ~Jeremy
>
> --
>
> Jeremiah Brock
> IT Web, Data and Development Services / Information Security
>
> 425-259-8707
> jbrock at everettcc.edu
> --
> For Consortium Member technical support, see
> https://wiki.shibboleth.net/confluence/x/coFAAg
> To unsubscribe from this list send an email to
> users-unsubscribe at shibboleth.net
--
Jeremiah Brock
IT Web, Data and Development Services / Information Security
425-259-8707
jbrock at everettcc.edu
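The Format Selection rules Art quotes from the IdP wiki, and Keith's point that the attribute-sourced generator simply takes the first released source attribute, are easier to reason about as code. The following is an added example written for this page, not code from the Shibboleth project or from anyone on the thread. It models the three inputs (the SP's NameIDPolicy, the metadata NameIDFormat values, and nameIDFormatPrecedence) and runs the configurations discussed above through the model. One assumption is labelled in the code: a NameIDPolicy Format of "unspecified" or "encrypted" is treated as if absent, which is my reading of the IdP's strategy rather than something the quoted text spells out.

```python
"""Model of the IdP v3 NameID Format selection quoted above (added example).

This is my own illustration, not code from the Shibboleth project or from
anyone on the thread.  It follows the quoted wiki rules: a <NameIDPolicy>
Format in the SP's request wins outright; otherwise the <NameIDFormat>
values in the SP's metadata ("unspecified" ignored) are filtered against
the relying party's nameIDFormatPrecedence; if neither says anything, the
per-SAML-version default from saml-nameid.properties is used.  Assumption:
a NameIDPolicy Format of "unspecified" or "encrypted" is treated as absent,
which is my reading of the IdP, not something the quoted text spells out.
"""
from typing import Dict, List, Optional, Tuple

UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
ENCRYPTED = "urn:oasis:names:tc:SAML:2.0:nameid-format:encrypted"

# Stand-in for the SAML 2 default in saml-nameid.properties (transient
# in a stock install); assumed here, not taken from the thread.
SAML2_DEFAULT = TRANSIENT


def select_formats(policy_format: Optional[str],
                   metadata_formats: List[str],
                   precedence: List[str],
                   default: str = SAML2_DEFAULT) -> List[str]:
    """Ordered list of Formats the IdP will try to generate for one request."""
    # 1. An explicit <NameIDPolicy Format="..."> is a hard requirement.
    if policy_format and policy_format not in (UNSPECIFIED, ENCRYPTED):
        return [policy_format]

    # 2. "unspecified" in metadata carries no information; drop it.
    from_metadata = [f for f in metadata_formats if f != UNSPECIFIED]
    from_config = list(precedence)

    if not from_config:
        # No nameIDFormatPrecedence: metadata alone, else the version default.
        return from_metadata or [default]
    if not from_metadata:
        # The log line in the thread: "Metadata did not specify any formats,
        # relying on configuration alone".
        return from_config
    # Both present: precedence order, restricted to what the SP advertises.
    return [f for f in from_config if f in from_metadata]


Generator = Tuple[str, List[str]]  # (Format produced, attributeSourceIds)


def generate_nameid(formats: List[str], generators: List[Generator],
                    released: Dict[str, List[str]]) -> Optional[Tuple[str, str]]:
    """First Format, in order, for which an attribute-sourced generator finds
    a released value; the first source attribute with a value wins, which is
    why a per-SP activationCondition is not needed to pick the attribute."""
    for fmt in formats:
        for gen_fmt, sources in generators:
            if gen_fmt != fmt:
                continue
            for attr in sources:
                if released.get(attr):
                    return fmt, released[attr][0]
    return None


def thread_scenarios() -> Dict[str, List[str]]:
    """The configurations discussed in the thread, run through the model."""
    return {
        # Canvas metadata has no <NameIDFormat>; precedence = unspecified.
        "canvas_as_posted": select_formats(None, [], [UNSPECIFIED]),
        # emailAddress added to locally stored metadata, no precedence set.
        "metadata_only": select_formats(None, [EMAIL], []),
        # Both set and disagreeing: nothing survives the filter.
        "conflict": select_formats(None, [EMAIL], [UNSPECIFIED]),
        # A request that pins the Format overrides both.
        "policy_pinned": select_formats(PERSISTENT, [EMAIL], [UNSPECIFIED]),
    }
```

The "conflict" scenario is the one to watch when following Keith's advice: if emailAddress is added to the stored metadata while relying-party.xml still pins nameIDFormatPrecedence to unspecified, the model leaves no candidate Format at all, which is why he frames it as a choice between metadata and the relying party config rather than both.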
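Art's suggestion to look at the NameID actually sent, rather than inferring it from the IdP log, is the quickest check here. Below is an added example, written for this page and not Canvas's or the Shibboleth project's code, that takes the base64 SAMLResponse value an SSO tracer shows for the POST to the SP and reports the NameID Format and value plus the released attributes, or explains why the NameID cannot be read (encrypted assertion or EncryptedID). The embedded response is constructed for the example; only the issuer entityID and the sid attribute name come from the thread.

```python
"""Read the NameID out of a SAMLResponse captured with a browser SAML tracer.

Added example, written for this page; it is not Canvas's or the Shibboleth
project's code.  Paste the base64 SAMLResponse form value into
inspect_nameid() and it reports the Format and value the IdP actually sent
(and the released attributes), or says why the NameID cannot be read.  The
response embedded below is constructed for the example; only the issuer and
attribute names come from the thread.
"""
import base64
import xml.etree.ElementTree as ET
from typing import Dict

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}


def inspect_nameid(saml_response_b64: str) -> Dict:
    """Decode one SAMLResponse and summarise its Subject and attributes."""
    # A captured response is untrusted input; for real tooling use
    # defusedxml in place of the stdlib parser.
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    if root.find("saml:EncryptedAssertion", NS) is not None:
        return {"readable": False,
                "reason": "EncryptedAssertion: turn off encryptAssertions "
                          "for this relying party while testing, or decrypt "
                          "with the SP key"}
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return {"readable": False, "reason": "Response carries no Assertion"}
    subject = assertion.find("saml:Subject", NS)
    if subject is None or subject.find("saml:EncryptedID", NS) is not None:
        return {"readable": False,
                "reason": "Subject missing or NameID encrypted "
                          "(encryptNameIDs is on for this relying party)"}
    nameid = subject.find("saml:NameID", NS)
    if nameid is None:
        return {"readable": False, "reason": "Subject has no NameID"}

    attributes = {}
    for attr in assertion.iterfind("saml:AttributeStatement/saml:Attribute", NS):
        attributes[attr.get("Name")] = [
            (v.text or "").strip()
            for v in attr.findall("saml:AttributeValue", NS)]
    return {"readable": True,
            "format": nameid.get("Format"),
            "value": (nameid.text or "").strip(),
            "attributes": attributes}


def matches_sp_settings(summary: Dict, expected_format: str) -> bool:
    """True when the response carries a readable NameID in the Format the SP
    (here, Canvas's "Identifier Format" setting) is configured to accept."""
    return bool(summary.get("readable")) and summary.get("format") == expected_format


# Constructed sample: a successful Response with an unencrypted assertion
# as the sid-sourced generator in the thread would produce it.
CONSTRUCTED_RESPONSE = """<samlp:Response
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example-response" Version="2.0" IssueInstant="2019-05-20T19:57:07Z">
  <saml:Issuer>https://idp-389ds-test.everettcc.edu/idp/shibboleth</saml:Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <saml:Assertion ID="_example-assertion" Version="2.0"
      IssueInstant="2019-05-20T19:57:07Z">
    <saml:Issuer>https://idp-389ds-test.everettcc.edu/idp/shibboleth</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">123456789</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.1" FriendlyName="sid">
        <saml:AttributeValue>123456789</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# Same response with the Subject encrypted, as encryptNameIDs="true" would
# produce (ciphertext omitted; the point is what the inspector reports).
CONSTRUCTED_ENCRYPTED_ID = CONSTRUCTED_RESPONSE.replace(
    '<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">123456789</saml:NameID>',
    '<saml:EncryptedID><xenc:EncryptedData '
    'xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"/></saml:EncryptedID>')


def demo() -> Dict:
    return inspect_nameid(base64.b64encode(CONSTRUCTED_RESPONSE.encode()).decode())


def demo_encrypted() -> Dict:
    return inspect_nameid(base64.b64encode(CONSTRUCTED_ENCRYPTED_ID.encode()).decode())
```

With a real capture, compare the reported Format against the SP's Identifier Format setting using matches_sp_settings(); a NameID that is present in the IdP log but arrives encrypted or in a different Format than the SP expects is exactly the kind of mismatch Art is pointing at.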