Canvas Integration Examples
kwessel at illinois.edu
Tue May 21 12:13:46 EDT 2019
FYI, you’ll probably still want to download that metadata manually and consume it as a local file rather than a file backed http metadata provider. Consuming unsigned metadata automatically into the IdP is riskier than having to manually update the metadata if they change it. Best option, as you said, is still consuming from InCommon.
And SHA1 is a bad idea, too. SHA-256 is much more secure.
From: users <users-bounces at shibboleth.net> On Behalf Of Jeremiah Brock
Sent: Tuesday, May 21, 2019 11:04 AM
To: Shib Users <users at shibboleth.net>
Subject: Re: Canvas Integration Examples
Just a quick follow up - I got it working!
My issue wasn't configs as much as it was a bad signing crt in my idp-metadata.xml.
My working setup (for anyone else stumbling onto this via Google) is :
Context : We are using the student/staff SID as the Login Attribute which ties to our pre-generated Canvas Accounts. In our directory, we populate the employeenumber with this SID.
Canvas SAML Settings :
Login Attribute : sid (this is any attribute that you release to Canvas to tie into the accounts on their end)
Identifier Format : urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
Authentication Context : urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
Message Signing : RSA-SHA1
Shibboleth IDP Settings :
<!-- Might look at pointing this to incommon in the future -->
<AttributeDefinition xsi:type="Simple" id="sid" sourceAttributeID="employeenumber">
    <Dependency ref="389DSLDAP" />
    <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:sid" encodeType="false" />
    <AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.1" friendlyName="sid" encodeType="false" />
</AttributeDefinition>
<PolicyRequirementRule xsi:type="Requester" value="http://everettcc.instructure.com/saml2"/>
Have a great day fellow Shibboleth users!
On Mon, May 20, 2019 at 3:36 PM Cantor, Scott <cantor.2 at osu.edu> wrote:
On 5/20/19, 6:27 PM, "Jeremiah Brock" <jbrock at everettcc.edu> wrote:
> Scott if you have an in with Canvas - might want to suggest they update their documentation for integrating with
I don't encourage vendors to do anything but document their SAML requirements. Shibboleth configuration is up to our documentation, not theirs.
IT Web, Data and Development Services / Information Security
jbrock at everettcc.edu
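
Added example, not part of the original thread: a small Python check, in the spirit of the advice about unsigned metadata and SHA-1, that inspects a downloaded metadata file before it is placed on the IdP and reports whether its root is signed and whether the signature names a SHA-1 algorithm. It only inspects the XML and does not verify the signature; the function names, sample documents and entity IDs are constructed for illustration.

```python
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
# XML-DSig signature and digest algorithm URIs that depend on SHA-1
SHA1_URIS = {
    DS + "rsa-sha1", DS + "dsa-sha1", DS + "sha1",
    "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha1",
}

def audit_metadata(xml_text):
    """Inspect SAML metadata; this does NOT verify the signature cryptographically."""
    if "<!DOCTYPE" in xml_text:  # SAML metadata has no need for a DTD; refuse it outright
        raise ValueError("DOCTYPE not allowed in metadata")
    root = ET.fromstring(xml_text)
    sig = root.find(f"{{{DS}}}Signature")  # enveloped signature sits directly under the root
    algs = []
    if sig is not None:
        for tag in ("SignatureMethod", "DigestMethod"):
            algs += [e.get("Algorithm") for e in sig.iter(f"{{{DS}}}{tag}")]
    return {
        "entity_id": root.get("entityID"),
        "signed": sig is not None,
        "sha1": sorted(a for a in algs if a in SHA1_URIS),
    }

def needs_manual_review(report):
    """Unsigned or SHA-1-signed metadata should not be refreshed unattended."""
    return (not report["signed"]) or bool(report["sha1"])

# Constructed samples (entity IDs and signature contents are placeholders, not real metadata)
UNSIGNED = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
  entityID="https://sp.example.org/saml2"><SPSSODescriptor
  protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/></EntityDescriptor>"""

SIGNED_SHA1 = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://sp.example.org/saml2">
  <ds:Signature><ds:SignedInfo>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
    <ds:Reference URI=""><ds:DigestMethod
      Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/></ds:Reference>
  </ds:SignedInfo><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
</EntityDescriptor>"""

if __name__ == "__main__":
    for name, doc in (("unsigned", UNSIGNED), ("signed-sha1", SIGNED_SHA1)):
        r = audit_metadata(doc)
        print(name, r, "manual review:", needs_manual_review(r))
```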