Canvas Integration Examples
Wessel, Keith
kwessel at illinois.edu
Tue May 21 12:13:46 EDT 2019
FYI, you’ll probably still want to download that metadata manually and consume it as a local file rather than a file-backed HTTP metadata provider. Consuming unsigned metadata automatically into the IdP is riskier than having to manually update the metadata if they change it. Best option, as you said, is still consuming from InCommon.
And SHA1 is a bad idea, too. SHA-256 is much more secure.
Keith
From: users <users-bounces at shibboleth.net> On Behalf Of Jeremiah Brock
Sent: Tuesday, May 21, 2019 11:04 AM
To: Shib Users <users at shibboleth.net>
Subject: Re: Canvas Integration Examples
Just a quick follow up - I got it working!
My issue wasn't configs as much as it was a bad signing crt in my idp-metadata.xml.
My working setup (for anyone else stumbling onto this via Google) is:
Context: We are using the student/staff SID as the Login Attribute which ties to our pre-generated Canvas Accounts. In our directory, we populate the employeenumber with this SID.
Canvas SAML Settings:
Login Attribute: sid (this is any attribute that you release to Canvas to tie into the accounts on their end)
Identifier Format: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
Authentication Context: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
Message Signing: RSA-SHA1
Shibboleth IDP Settings :
metadata-providers.xml
<!-- Might look at pointing this to incommon in the future -->
<MetadataProvider id="CanvasMetadata"
    xsi:type="FileBackedHTTPMetadataProvider"
    backingFile="/opt/shibboleth-idp/metadata/canvas-metadata.xml"
    metadataURL="https://everettcc.instructure.com/saml2"/>
attribute-resolver.xml
<AttributeDefinition xsi:type="Simple" id="sid" sourceAttributeID="employeenumber">
    <Dependency ref="389DSLDAP" />
    <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:sid" encodeType="false" />
    <AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.1" friendlyName="sid" encodeType="false" />
</AttributeDefinition>
attribute-filter.xml
<AttributeFilterPolicy id="InstructureCanvasPolicy">
    <PolicyRequirementRule xsi:type="Requester" value="http://everettcc.instructure.com/saml2"/>
    <AttributeRule attributeID="sid">
        <PermitValueRule xsi:type="ANY"/>
    </AttributeRule>
</AttributeFilterPolicy>
Have a great day fellow Shibboleth users!
~Jeremy
On Mon, May 20, 2019 at 3:36 PM Cantor, Scott <cantor.2 at osu.edu> wrote:
On 5/20/19, 6:27 PM, "Jeremiah Brock" <jbrock at everettcc.edu> wrote:
> Scott if you have an in with Canvas - might want to suggest they update their documentation for integrating with
> Shibboleth.
I don't encourage vendors to do anything but document their SAML requirements. Shibboleth configuration is up to our documentation, not theirs.
-- Scott
--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
--
Jeremiah Brock
IT Web, Data and Development Services / Information Security
425-259-8707
jbrock at everettcc.edu
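The three ways of loading the Canvas metadata that this thread discusses, as an added example that is neither poster's configuration: the unsigned remote fetch as posted, the manually downloaded local file Keith suggests, and the signed InCommon aggregate he calls the best option. The provider ids, the %{idp.home} paths, the InCommon metadataURL and the signing-certificate file name are assumptions.

```xml
<!-- Added example (not configuration from either poster); pick one of the
     Canvas options. Assumes the stock metadata-providers.xml, which
     declares the md: namespace prefix used by EntityRoleWhiteList. -->

<!-- Option A, as posted: refresh Canvas metadata over HTTPS on a schedule.
     Canvas serves it unsigned, so the IdP cannot verify that a changed
     document came from Instructure; it loads whatever the URL returns. -->
<MetadataProvider id="CanvasMetadataRemote"
    xsi:type="FileBackedHTTPMetadataProvider"
    backingFile="%{idp.home}/metadata/canvas-metadata.xml"
    metadataURL="https://everettcc.instructure.com/saml2"/>

<!-- Option B, as recommended above: download the document once, review it,
     and load it from disk. A change on the Canvas side then needs a
     deliberate administrator action instead of taking effect silently. -->
<MetadataProvider id="CanvasMetadataLocal"
    xsi:type="FilesystemMetadataProvider"
    metadataFile="%{idp.home}/metadata/canvas-metadata.xml">
    <!-- Keep only the SP role; any IdP role in the file is ignored. -->
    <MetadataFilter xsi:type="EntityRoleWhiteList">
        <RetainedRole>md:SPSSODescriptor</RetainedRole>
    </MetadataFilter>
</MetadataProvider>

<!-- Option C, the preferred one: consume the Canvas entity through the
     InCommon aggregate, which is signed. The metadataURL and certificate
     file name are assumptions; check them against InCommon's instructions. -->
<MetadataProvider id="InCommonMetadata"
    xsi:type="FileBackedHTTPMetadataProvider"
    backingFile="%{idp.home}/metadata/InCommon-metadata.xml"
    metadataURL="http://md.incommon.org/InCommon/InCommon-metadata.xml"
    maxRefreshDelay="PT4H">
    <!-- Reject aggregates with no or too-distant validUntil, then verify the
         signature with the InCommon signing certificate obtained out of band. -->
    <MetadataFilter xsi:type="RequiredValidUntil" maxValidityInterval="P14D"/>
    <MetadataFilter xsi:type="SignatureValidation"
        certificateFile="%{idp.home}/credentials/inc-md-cert.pem"/>
    <MetadataFilter xsi:type="EntityRoleWhiteList">
        <RetainedRole>md:SPSSODescriptor</RetainedRole>
    </MetadataFilter>
</MetadataProvider>
```

With option C the Canvas entity is still matched by its entityID in attribute-filter.xml, so the Requester rule above needs no change.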