Canvas Integration Examples
Jeremiah Brock
jbrock at everettcc.edu
Tue May 21 12:35:38 EDT 2019
Thanks Keith,
I have made both your suggestions.
For anyone following the thread :
The *canvas-metadata.xml* is populated from https://<yourschool>.instructure.com/saml2 and on Unix systems can be performed as :
wget https://<yourschool>.instructure.com/saml2 -O canvas-metadata.xml
*metadata-providers.xml*
<MetadataProvider id="CanvasMetadata" xsi:type="FilesystemMetadataProvider"
metadataFile="%{idp.home}/metadata/canvas-metadata.xml"/>
~Jeremy
On Tue, May 21, 2019 at 9:13 AM Wessel, Keith <kwessel at illinois.edu> wrote:
> FYI, you’ll probably still want to download that metadata manually and
> consume it as a local file rather than a file backed http metadata
> provider. Consuming unsigned metadata automatically into the IdP is riskier
> than having to manually update the metadata if they change it. Best option,
> as you said, is still consuming from InCommon.
>
>
>
> And SHA1 is a bad idea, too. SHA-256 is much more secure.
>
>
>
> Keith
>
>
>
>
>
> *From:* users <users-bounces at shibboleth.net> *On Behalf Of *Jeremiah Brock
> *Sent:* Tuesday, May 21, 2019 11:04 AM
> *To:* Shib Users <users at shibboleth.net>
> *Subject:* Re: Canvas Integration Examples
>
>
>
> Just a quick follow up - I got it working!
>
>
>
> My issue wasn't configs as much as it was a bad signing crt in my
> idp-metadata.xml.
>
>
>
> My working setup (for anyone else stumbling onto this via Google) is :
>
>
>
> *Context *: We are using the student/staff SID as the Login Attribute
> which ties to our pre-generated Canvas Accounts. In our directory, we
> populate the *employeenumber* with this SID.
>
>
>
> *Canvas SAML Settings :*
>
>
>
> *Login Attribute* : sid (this is any attribute that you release to
> Canvas to tie into the accounts on their end)
>
> *Identifier Format*
> : urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
>
> *Authentication Context*
> : urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
>
> *Message Signing* : RSA-SHA1
>
>
>
> *Shibboleth IDP Settings :*
>
>
>
> *metadata-providers.xml*
>
>
>
> <!-- Might look at pointing this to incommon in the future -->
> <MetadataProvider id="CanvasMetadata"
>     xsi:type="FileBackedHTTPMetadataProvider"
>     backingFile="/opt/shibboleth-idp/metadata/canvas-metadata.xml"
>     metadataURL="https://everettcc.instructure.com/saml2"/>
>
>
>
> *attribute-resolver.xml*
>
>
>
> <AttributeDefinition xsi:type="Simple" id="sid" sourceAttributeID="employeenumber">
>     <Dependency ref="389DSLDAP" />
>     <AttributeEncoder xsi:type="SAML1String"
>         name="urn:mace:dir:attribute-def:sid" encodeType="false" />
>     <AttributeEncoder xsi:type="SAML2String"
>         name="urn:oid:0.9.2342.19200300.100.1.1" friendlyName="sid"
>         encodeType="false" />
> </AttributeDefinition>
>
>
>
>
>
> *attribute-filter.xml*
>
>
>
> <AttributeFilterPolicy id="InstructureCanvasPolicy">
>     <PolicyRequirementRule xsi:type="Requester"
>         value="http://everettcc.instructure.com/saml2"/>
>     <AttributeRule attributeID="sid">
>         <PermitValueRule xsi:type="ANY"/>
>     </AttributeRule>
> </AttributeFilterPolicy>
>
>
>
>
>
> Have a great day fellow Shibboleth users!
>
>
>
> ~Jeremy
>
>
>
> On Mon, May 20, 2019 at 3:36 PM Cantor, Scott <cantor.2 at osu.edu> wrote:
>
> On 5/20/19, 6:27 PM, "Jeremiah Brock" <jbrock at everettcc.edu> wrote:
>
> > Scott if you have an in with Canvas - might want to suggest they update
> > their documentation for integrating with Shibboleth.
>
> I don't encourage vendors to do anything but document their SAML
> requirements. Shibboleth configuration is up to our documentation, not
> theirs.
>
> -- Scott
>
>
> --
> For Consortium Member technical support, see
> https://wiki.shibboleth.net/confluence/x/coFAAg
> To unsubscribe from this list send an email to
> users-unsubscribe at shibboleth.net
>
>
>
>
> --
>
> Jeremiah Brock
> IT Web, Data and Development Services / Information Security
>
> 425-259-8707
> jbrock at everettcc.edu
--
Jeremiah Brock
IT Web, Data and Development Services / Information Security
425-259-8707
jbrock at everettcc.edu
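
Added example (not part of the original thread and not Shibboleth code): a review step for the manual update Keith recommends, comparing a freshly downloaded canvas-metadata.xml against the installed copy and listing entityID or signing-certificate changes (as SHA-256 fingerprints) for an operator to approve before the file is replaced. The entityID, the sample() helper and the certificate bytes are constructed placeholders, and the DTD check assumes UTF-8 metadata.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def summarize(xml_bytes):
    """Return (entityID, set of SHA-256 fingerprints of signing-capable certs)."""
    if b"<!DOCTYPE" in xml_bytes:  # SAML metadata never needs a DTD; refuse it
        raise ValueError("DTD present in metadata")
    root = ET.fromstring(xml_bytes)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("root element is not md:EntityDescriptor")
    prints = set()
    for kd in root.iterfind(".//md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing"):  # no 'use' covers signing too
            for cert in kd.iterfind(".//ds:X509Certificate", NS):
                der = base64.b64decode("".join((cert.text or "").split()))
                prints.add(hashlib.sha256(der).hexdigest())
    return root.get("entityID"), prints

def review(installed, candidate, expected_entity_id):
    """List the differences an operator must approve before replacing the file."""
    _, old_keys = summarize(installed)
    new_id, new_keys = summarize(candidate)
    findings = []
    if new_id != expected_entity_id:
        findings.append("entityID is %r, expected %r" % (new_id, expected_entity_id))
    findings += ["new signing cert sha256:" + fp for fp in sorted(new_keys - old_keys)]
    findings += ["removed signing cert sha256:" + fp for fp in sorted(old_keys - new_keys)]
    return findings

def sample(entity_id, cert_bytes):
    """Constructed metadata; cert_bytes are placeholder bytes, not a real certificate."""
    b64 = base64.b64encode(cert_bytes).decode()
    return ('<md:EntityDescriptor xmlns:md="%s" xmlns:ds="%s" entityID="%s">'
            '<md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
            '<md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>'
            '<ds:X509Certificate>%s</ds:X509Certificate></ds:X509Data></ds:KeyInfo>'
            '</md:KeyDescriptor></md:SPSSODescriptor></md:EntityDescriptor>'
            % (NS["md"], NS["ds"], entity_id, b64)).encode()

if __name__ == "__main__":
    sp = "http://canvas.example.edu/saml2"  # constructed entityID
    installed = sample(sp, b"placeholder-cert-A")
    print(review(installed, installed, sp))  # unchanged download: nothing to approve
    for line in review(installed, sample(sp, b"placeholder-cert-B"), sp):
        print("REVIEW:", line)
```

An empty list means the download matches what the IdP already trusts; any finding should be confirmed with the vendor out of band before the new file is copied into %{idp.home}/metadata/.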