Canvas Integration Examples
Jeremiah Brock
jbrock at everettcc.edu
Tue May 21 12:03:45 EDT 2019
Just a quick follow up - I got it working!
My issue wasn't configs as much as it was a bad signing crt in my
idp-metadata.xml.
My working setup (for anyone else stumbling onto this via Google) is:
*Context*: We are using the student/staff SID as the Login Attribute, which
ties to our pre-generated Canvas Accounts. In our directory, we populate
the *employeenumber* with this SID.
*Canvas SAML Settings:*
*Login Attribute*: sid (this is any attribute that you release to
Canvas to tie into the accounts on their end)
*Identifier Format*: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
*Authentication Context*: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
*Message Signing*: RSA-SHA1
*Shibboleth IDP Settings:*
*metadata-providers.xml*
<!-- Might look at pointing this to incommon in the future -->
<MetadataProvider id="CanvasMetadata"
    xsi:type="FileBackedHTTPMetadataProvider"
    backingFile="/opt/shibboleth-idp/metadata/canvas-metadata.xml"
    metadataURL="https://everettcc.instructure.com/saml2"/>
*attribute-resolver.xml*
<AttributeDefinition xsi:type="Simple" id="sid"
    sourceAttributeID="employeenumber">
    <Dependency ref="389DSLDAP" />
    <AttributeEncoder xsi:type="SAML1String"
        name="urn:mace:dir:attribute-def:sid" encodeType="false" />
    <AttributeEncoder xsi:type="SAML2String"
        name="urn:oid:0.9.2342.19200300.100.1.1" friendlyName="sid"
        encodeType="false" />
</AttributeDefinition>
*attribute-filter.xml*
<AttributeFilterPolicy id="InstructureCanvasPolicy">
    <PolicyRequirementRule xsi:type="Requester"
        value="http://everettcc.instructure.com/saml2"/>
    <AttributeRule attributeID="sid">
        <PermitValueRule xsi:type="ANY"/>
    </AttributeRule>
</AttributeFilterPolicy>
Have a great day fellow Shibboleth users!
~Jeremy
On Mon, May 20, 2019 at 3:36 PM Cantor, Scott <cantor.2 at osu.edu> wrote:
> On 5/20/19, 6:27 PM, "Jeremiah Brock" <jbrock at everettcc.edu> wrote:
>
> > Scott if you have an in with Canvas - might want to suggest they update
> > their documentation for integrating with Shibboleth.
>
> I don't encourage vendors to do anything but document their SAML
> requirements. Shibboleth configuration is up to our documentation, not
> theirs.
>
> -- Scott
--
Jeremiah Brock
IT Web, Data and Development Services / Information Security
425-259-8707
jbrock at everettcc.edu
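
Added example, not part of the original post and not Shibboleth's own tooling: since the root cause above was a bad signing certificate in idp-metadata.xml, this Python check compares the signing certificates published in IdP metadata against the certificate the IdP actually signs with, by SHA-256 fingerprint. The function names, the entityID, and the placeholder certificate bytes are constructed for illustration; in practice pass the contents of your idp-metadata.xml and your IdP signing certificate PEM file.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def fingerprint(der: bytes) -> str:
    return hashlib.sha256(der).hexdigest()

def metadata_signing_fingerprints(metadata_xml: str) -> set:
    """SHA-256 fingerprints of the signing certs published for the IdP role."""
    found = set()
    root = ET.fromstring(metadata_xml)
    for kd in root.iterfind(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        # A KeyDescriptor without a 'use' attribute covers signing as well.
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            b64 = "".join((cert.text or "").split())  # undo line wrapping
            found.add(fingerprint(base64.b64decode(b64, validate=True)))
    return found

def pem_fingerprint(pem: str) -> str:
    """SHA-256 fingerprint of the first certificate in a PEM file."""
    body = pem.split("-----BEGIN CERTIFICATE-----")[1].split("-----END CERTIFICATE-----")[0]
    return fingerprint(base64.b64decode("".join(body.split()), validate=True))

def metadata_matches(metadata_xml: str, pem: str) -> bool:
    return pem_fingerprint(pem) in metadata_signing_fingerprints(metadata_xml)

# Constructed sample data: placeholder bytes stand in for real DER certificates.
LIVE = base64.b64encode(b"constructed live signing cert").decode()
STALE = base64.b64encode(b"constructed stale signing cert").decode()
LIVE_PEM = f"-----BEGIN CERTIFICATE-----\n{LIVE}\n-----END CERTIFICATE-----\n"
KEY = ('<KeyDescriptor use="{use}"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>'
       "\n  {b64}\n</ds:X509Certificate></ds:X509Data></ds:KeyInfo></KeyDescriptor>")
METADATA = ('<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" '
            'xmlns:ds="http://www.w3.org/2000/09/xmldsig#" '
            'entityID="https://idp.example.org/idp/shibboleth"><IDPSSODescriptor '
            'protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
            "{keys}</IDPSSODescriptor></EntityDescriptor>")

def sample_metadata(signing_b64: str) -> str:
    # The encryption key always carries the live cert; it must not count.
    keys = KEY.format(use="signing", b64=signing_b64)
    return METADATA.format(keys=keys + KEY.format(use="encryption", b64=LIVE))

if __name__ == "__main__":
    for label, cert in (("current", LIVE), ("stale", STALE)):
        print(label, metadata_matches(sample_metadata(cert), LIVE_PEM))
```

A mismatch here means the service provider will verify signatures against a certificate the IdP no longer uses, and signature validation of its responses will fail.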