Canvas Integration Examples

Wessel, Keith kwessel at illinois.edu
Mon May 20 18:03:21 EDT 2019


Jeremy,

Per Scott’s note, it’s good to know that Instructure can publish SP metadata via InCommon, and that would be much preferred. Our instance isn’t published, but I’ll be talking with our campus contact about that first thing tomorrow. If it is and their NameID format ordering in there doesn’t meet with your needs, the relying party override will work, but it’s most likely not necessary. I rarely have to override nameID formats for published entities unless they’re doing something silly.

For the local metadata, you can just add this after the SingleLogout endpoint and before the AssertionConsumerService endpoint, assuming you want to release a NameID format of emailAddress. Looks like you’re using employee numbers, so that might not be the right choice for you:


    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>

Keith


From: users <users-bounces at shibboleth.net> On Behalf Of Jeremiah Brock
Sent: Monday, May 20, 2019 4:50 PM
To: Shib Users <users at shibboleth.net>
Subject: Re: Canvas Integration Examples

Keith could you provide a snippet of what that looks like in the Metadata?  I read about setting that in the metadata from the very antiquated Canvas guide : https://community.canvaslms.com/docs/DOC-4093  but gave up with all the syntax issues.

Would you mind sharing a snippet of your relying-party.xml for canvas?  Maybe I am screwing something up there.

I am running version idp v 3.

~Jeremy

On Mon, May 20, 2019 at 2:40 PM Wessel, Keith <kwessel at illinois.edu> wrote:
FYI, I’m never a fan of having my IdP dynamically download unsigned metadata or metadata for which there isn’t a published certificate against which I can validate it. So, we download Canvas’s metadata and store it locally. Once it’s in your control, it’s easier to just add the NameID format to the metadata, IMHO. Even with that, the activation condition in your saml-nameid.xml is unnecessary. The saml source attribute NameID generator will use the first attribute in its list that was made available via the attribute filter. With that done, you’ve got the choice of setting the nameID format via either metadata or the relying party config.

We set the name ID format in metadata to emailAddress and released eppn through the source attribute nameID generator.

Keith


From: users <users-bounces at shibboleth.net> On Behalf Of Aterea Brown
Sent: Monday, May 20, 2019 4:25 PM
To: Shib Users <users at shibboleth.net>
Subject: Re: Canvas Integration Examples

Are you using SSO tracer or some other saml capture plugin in your browser?  You can check the nameid that has been generated.  I think you can also increase the logging for

    <variable name="idp.loglevel.messages" value="DEBUG" />
    <variable name="idp.loglevel.encryption" value="DEBUG" />

to see the SAML messages in your log file.

Also bear in mind from https://wiki.shibboleth.net/confluence/display/IDP30/NameIDGenerationConfiguration

Format Selection

For any given request, the ordered list of Formats to try to generate is based on combining the SP's request (SAML 2 requests can include a <NameIDPolicy> element that requires a particular Format), the <NameIDFormat> element(s) in the SP's metadata, and the nameIDFormatPrecedence profile configuration (https://wiki.shibboleth.net/confluence/display/IDP30/RelyingPartyConfiguration) property, if set for the chosen relying party configuration. If the metadata contains nothing, or contains the "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" value, then the metadata is ignored.

If a <NameIDPolicy> element with Format is supplied, a suitable identifier MUST be generated or an error will be returned.

Otherwise the formats specified in an SP's metadata are filtered against a nameIDFormatPrecedence profile configuration (https://wiki.shibboleth.net/confluence/display/IDP30/RelyingPartyConfiguration) property, if set, and the resulting set of Formats is tried in order. That is, the first Format in the profile configuration that is also in the metadata and that results in a valid result will be used.

Default Formats for each SAML version are set via saml-nameid.properties and are used in the event that nothing else is called for. You should not alter that setting in most cases.

So you should check what's being returned for nameid.  It might not be what you expect.


-art
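
The Format selection rules quoted above, and Keith's point that the attribute-sourced generator uses the first of its source attributes that the filter actually released, can be modelled in a few lines. This is an added illustration written for this thread, not Shibboleth's own code; the attribute values and the Canvas entityID below are constructed from the configs in the thread, and the handling of a request Format of "unspecified" (treated as no request) is an assumption.

```python
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"


def candidate_formats(requested=None, metadata_formats=(), precedence=None, default=UNSPECIFIED):
    """Ordered NameID Formats to try, per the IDP30 NameIDGenerationConfiguration rules."""
    # A <NameIDPolicy Format="..."> in the request wins outright (assumption: an
    # 'unspecified' request Format is treated the same as no request Format).
    if requested and requested != UNSPECIFIED:
        return [requested]
    # Metadata is ignored when it lists nothing or only 'unspecified'.
    in_metadata = [f for f in metadata_formats if f != UNSPECIFIED]
    if in_metadata:
        # Filter metadata Formats against nameIDFormatPrecedence, keeping precedence order.
        if precedence:
            in_metadata = [f for f in precedence if f in in_metadata]
        if in_metadata:
            return in_metadata
    # "Metadata did not specify any formats, relying on configuration alone"
    if precedence:
        return list(precedence)
    return [default]  # saml-nameid.properties default; nothing else was called for


def generate_name_id(formats, generators, released):
    """Try Formats in order. Each generator is (format, [source attribute ids]) like a
    SAML2AttributeSourcedGenerator; the first released source attribute is used.
    Returns (format, value) or None when no generator can satisfy any Format."""
    for fmt in formats:
        for gen_format, source_ids in generators:
            if gen_format != fmt:
                continue
            for attr in source_ids:
                if attr in released:
                    return fmt, released[attr]
    return None


def thread_cases():
    """The two configurations discussed in this thread (values constructed)."""
    # Jeremy: no <NameIDFormat> in metadata, precedence = [unspecified], sid released.
    jeremy = generate_name_id(
        candidate_formats(metadata_formats=[], precedence=[UNSPECIFIED]),
        [(UNSPECIFIED, ["sid"])], {"sid": "123456789"})
    # Keith: emailAddress in local metadata, eppn released to the generator.
    keith = generate_name_id(
        candidate_formats(metadata_formats=[EMAIL]),
        [(EMAIL, ["eduPersonPrincipalName"])], {"eduPersonPrincipalName": "jbrock@everettcc.edu"})
    # SP demands persistent via <NameIDPolicy>, but no persistent generator exists: error.
    must_fail = generate_name_id(candidate_formats(requested=PERSISTENT, metadata_formats=[EMAIL]),
                                 [(EMAIL, ["eduPersonPrincipalName"])], {"eduPersonPrincipalName": "x@y"})
    return {"jeremy": jeremy, "keith": keith, "must_fail": must_fail}
```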

________________________________
From: users <users-bounces at shibboleth.net> on behalf of Jeremiah Brock <jbrock at everettcc.edu>
Sent: Tuesday, 21 May 2019 8:18 AM
To: users at shibboleth.net
Subject: Canvas Integration Examples

Good afternoon,

    I am trying to set up the Canvas SAML authentication using our Shibboleth v3 IDP instance and am having a heck of a time finding any recent documentation.

    I believe that Canvas ONLY supports the NameID or eduPersonPrincipalName for the Login Attribute.  So I am attempting to use the NameID that I source on the fly from our sid attribute in the saml-nameid.xml.

    With the current configs (which I will have available below) I am directed to our IDP from Canvas to authenticate and after successful authentication, I am redirected to canvas and receive an error message "There was a problem logging into Everett Community College".


    metadata-providers.xml

<MetadataProvider id="CanvasMetadata"
                 xsi:type="FileBackedHTTPMetadataProvider"
                 backingFile="/opt/shibboleth-idp/metadata/canvas-metadata.xml"
                 metadataURL="https://everettcc.instructure.com/saml2"/>


    attribute-resolver.xml

<AttributeDefinition xsi:type="Simple" id="sid" sourceAttributeID="employeenumber">
    <Dependency ref="389DSLDAP" />
    <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:uid" encodeType="false" />
    <AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.1" friendlyName="sid" encodeType="false" />
</AttributeDefinition>


    attribute-filter.xml

<!-- For Canvas Testing -->
<AttributeFilterPolicy id="InstructureCanvasPolicy">
    <PolicyRequirementRule xsi:type="Requester" value="http://everettcc.instructure.com/saml2"/>

    <AttributeRule attributeID="NameID">
        <PermitValueRule xsi:type="ANY"/>
    </AttributeRule>

    <AttributeRule attributeID="sid">
        <PermitValueRule xsi:type="ANY"/>
    </AttributeRule>

</AttributeFilterPolicy>


    saml-nameid.xml

<!-- NEW WAY PER SP!!!! JB 20190520 -->
<bean parent="shibboleth.SAML2AttributeSourcedGenerator"
    p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
    p:attributeSourceIds="#{ {'sid'} }">

    <property name="activationCondition">
        <bean parent="shibboleth.Conditions.RelyingPartyId"
            c:candidate="http://everettcc.instructure.com/saml2" />
    </property>
</bean>


    relying-party.xml

<!-- Canvas -->
<bean parent="RelyingPartyByName" c:relyingPartyIds="http://everettcc.instructure.com/saml2">
    <property name="profileConfigurations">
        <list>
            <bean parent="Shibboleth.SSO" />
            <bean parent="SAML2.SSO"
                p:encryptAssertions="false"
                p:signAssertions="false"
                p:encryptNameIDs="false"
                p:nameIDFormatPrecedence="#{{'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified'}}" />
            <ref bean="SAML2.Logout" />
        </list>
    </property>
</bean>


    Here is what I see in the idp-process.log after a successful authentication, the population of NameID with the sid attribute and the release of the sid (but not the NameID?).

2019-05-20 12:57:07,018 - DEBUG [net.shibboleth.idp.saml.attribute.encoding.AbstractSAMLAttributeEncoder:154] - Beginning to encode attribute sid
2019-05-20 12:57:07,018 - DEBUG [net.shibboleth.idp.saml.attribute.encoding.SAMLEncoderSupport:73] - Encoding value 123456789 of attribute sid
2019-05-20 12:57:07,019 - DEBUG [net.shibboleth.idp.saml.attribute.encoding.AbstractSAMLAttributeEncoder:191] - Completed encoding 1 values for attribute sid
2019-05-20 12:57:07,019 - DEBUG [net.shibboleth.idp.saml.saml2.profile.impl.AddAttributeStatementToAssertion:116] - Profile Action AddAttributeStatementToAssertion: Adding constructed AttributeStatement to Assertion _2aa1a4c562370d0af02cbf0adce804ac
2019-05-20 12:57:07,023 - DEBUG [net.shibboleth.idp.saml.profile.logic.DefaultNameIdentifierFormatStrategy:124] - Configuration specifies the following formats: [urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified]
2019-05-20 12:57:07,023 - DEBUG [net.shibboleth.idp.saml.profile.logic.DefaultNameIdentifierFormatStrategy:141] - Metadata did not specify any formats, relying on configuration alone
2019-05-20 12:57:07,024 - DEBUG [net.shibboleth.idp.saml.nameid.impl.AttributeSourcedSAML2NameIDGenerator:197] - Checking for source attribute sid
2019-05-20 12:57:07,024 - DEBUG [net.shibboleth.idp.saml.nameid.impl.AttributeSourcedSAML2NameIDGenerator:216] - Generating NameID from String-valued attribute sid
2019-05-20 12:57:07,041 - DEBUG [net.shibboleth.idp.saml.saml2.profile.delegation.impl.DecorateDelegatedAssertion:592] - Found Assertion with AuthnStatement to decorate in outbound Response
2019-05-20 12:57:07,041 - DEBUG [net.shibboleth.idp.saml.saml2.profile.delegation.impl.DecorateDelegatedAssertion:290] - Issuance of delegated was not indicated, skipping assertion decoration
2019-05-20 12:57:07,062 - DEBUG [net.shibboleth.idp.profile.impl.WebFlowMessageHandlerAdaptor:179] - Profile Action WebFlowMessageHandlerAdaptor: Invoking message handler of type 'org.opensaml.messaging.handler.impl.BasicMessageHandlerChain' on OUTBOUND message context
2019-05-20 12:57:07,062 - DEBUG [net.shibboleth.idp.profile.impl.WebFlowMessageHandlerAdaptor:195] - Profile Action WebFlowMessageHandlerAdaptor: Invoking message handler on message context containing a message of type 'org.opensaml.saml.saml2.core.impl.ResponseImpl'
2019-05-20 12:57:07,068 - DEBUG [net.shibboleth.idp.saml.profile.impl.SpringAwareMessageEncoderFactory:100] - Looking up message encoder based on binding URI: urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
2019-05-20 12:57:07,072 - DEBUG [net.shibboleth.idp.profile.impl.RecordResponseComplete:89] - Profile Action RecordResponseComplete: Record response complete
2019-05-20 12:57:07,073 - INFO [Shibboleth-Audit.SSO:275] - 20190520T195707Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|_bd08fcee-9195-4093-b01d-428224c54864|http://everettcc.instructure.com/saml2|http://shibboleth.net/ns/profiles/saml2/sso/browser|https://idp-389ds-test.everettcc.edu/idp/shibboleth|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_2dfbb1143bb975720f03d1582c5960c7|jbrock|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|sid|123456789|_2aa1a4c562370d0af02cbf0adce804ac|


    In the Canvas SAML options I have the following :

Login Attribute : NameID
Identifier Format : urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
Authentication Context : No value
Message Signing : Not Signed




    Thanks for any advice or working examples.

~Jeremy
--
Jeremiah Brock
IT Web, Data and Development Services / Information Security
425-259-8707
jbrock at everettcc.edu
--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net

