Canvas Integration Examples

Wessel, Keith kwessel at
Tue May 21 12:13:46 EDT 2019

FYI, you’ll probably still want to download that metadata manually and consume it as a local file rather than a file-backed HTTP metadata provider. Consuming unsigned metadata automatically into the IdP is riskier than having to manually update the metadata if they change it. Best option, as you said, is still consuming from InCommon.

And SHA1 is a bad idea, too. SHA-256 is much more secure.


From: users <users-bounces at> On Behalf Of Jeremiah Brock
Sent: Tuesday, May 21, 2019 11:04 AM
To: Shib Users <users at>
Subject: Re: Canvas Integration Examples

Just a quick follow up - I got it working!

My issue wasn't configs as much as it was a bad signing crt in my idp-metadata.xml.

My working setup (for anyone else stumbling onto this via Google) is :

Context : We are using the student/staff SID as the Login Attribute which ties to our pre-generated Canvas Accounts.  In our directory, we populate the employeenumber with this SID.

Canvas SAML Settings :

Login Attribute : sid    (this is any attribute that you release to Canvas to tie into the accounts on their end)
Identifier Format : urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
Authentication Context : urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
Message Signing : RSA-SHA1

Shibboleth IDP Settings :


<!-- Might look at pointing this to incommon in the future -->
<MetadataProvider id="CanvasMetadata"


<AttributeDefinition xsi:type="Simple" id="sid" sourceAttributeID="employeenumber">
    <Dependency ref="389DSLDAP" />
    <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:sid" encodeType="false" />
    <AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.1" friendlyName="sid" encodeType="false" />
</AttributeDefinition>


<AttributeFilterPolicy id="InstructureCanvasPolicy">
    <PolicyRequirementRule xsi:type="Requester" value=""/>
    <AttributeRule attributeID="sid">
        <PermitValueRule xsi:type="ANY"/>
    </AttributeRule>
</AttributeFilterPolicy>

Have a great day fellow Shibboleth users!


On Mon, May 20, 2019 at 3:36 PM Cantor, Scott <cantor.2 at> wrote:
On 5/20/19, 6:27 PM, "Jeremiah Brock" <jbrock at> wrote:

> Scott if you have an in with Canvas - might want to suggest they update their documentation for integrating with
> Shibboleth.

I don't encourage vendors to do anything but document their SAML requirements. Shibboleth configuration is up to our documentation, not theirs.

-- Scott


Jeremiah Brock
IT Web, Data and Development Services / Information Security
jbrock at<mailto:jbrock at>
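
An added example, not part of the thread or of Shibboleth: the first message above recommends downloading the vendor's unsigned metadata by hand and loading it as a local file. The sketch below is a review step for that workflow, comparing a fresh download with the installed copy so that a changed signing certificate or endpoint is approved by a person. The entityID, URLs and certificate bytes in the sample are constructed.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
DS = "{http://www.w3.org/2000/09/xmldsig#}"

def summarize(xml_bytes):
    """Extract the trust-relevant facts from one SAML EntityDescriptor."""
    if b"<!DOCTYPE" in xml_bytes:  # metadata never needs a DTD; refuse entity tricks
        raise ValueError("DOCTYPE not allowed in SAML metadata")
    root = ET.fromstring(xml_bytes)
    if root.tag != MD + "EntityDescriptor":
        raise ValueError("expected a single EntityDescriptor")
    certs = set()
    for kd in root.iter(MD + "KeyDescriptor"):
        use = kd.get("use", "any")
        for c in kd.iter(DS + "X509Certificate"):
            der = base64.b64decode("".join((c.text or "").split()))
            certs.add((use, hashlib.sha256(der).hexdigest()))
    acs = {(e.get("Binding", ""), e.get("Location", ""))
           for e in root.iter(MD + "AssertionConsumerService")}
    # "signed" records only that a ds:Signature is present; it is not verified here.
    return {"entityID": root.get("entityID"), "certs": certs, "acs": acs,
            "signed": root.find(DS + "Signature") is not None}

def review(installed, downloaded):
    """List every difference a person must approve before replacing the file."""
    old, new = summarize(installed), summarize(downloaded)
    findings = []
    if not new["signed"]:
        findings.append("unsigned: authenticity rests on how the file was fetched")
    if old["entityID"] != new["entityID"]:
        findings.append(f"entityID changed: {old['entityID']} -> {new['entityID']}")
    for label, key in (("certificate", "certs"), ("ACS endpoint", "acs")):
        findings += [f"{label} added: {x}" for x in sorted(new[key] - old[key])]
        findings += [f"{label} removed: {x}" for x in sorted(old[key] - new[key])]
    return findings

def sample_metadata(cert_bytes, acs_url):
    """Constructed input: placeholder bytes stand in for a real certificate."""
    b64 = base64.b64encode(cert_bytes).decode()
    return (f'<EntityDescriptor xmlns="{MD[1:-1]}" xmlns:ds="{DS[1:-1]}" '
            f'entityID="https://sp.example.edu/saml2"><SPSSODescriptor '
            f'protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
            f'<KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>'
            f'<ds:X509Certificate>{b64}</ds:X509Certificate></ds:X509Data>'
            f'</ds:KeyInfo></KeyDescriptor><AssertionConsumerService index="0" '
            f'Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
            f'Location="{acs_url}"/></SPSSODescriptor></EntityDescriptor>').encode()
```

An empty result from `review` means the download matches the installed copy on entityID, certificates and endpoints and carries a signature element; any finding is a prompt to confirm the change with the vendor out of band before installing the file.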