Configure Canvas with PortalGuard for Single Sign-On
Problem
You want to integrate PortalGuard with the Canvas LMS for Single Sign-On via SAML
Solution
Set up the Relying Party in PortalGuard and Configure Canvas for SAML
How to Integrate with Canvas for SAML SSO
On the PortalGuard Server:
Ensure the pre-requisites for PortalGuard SSO have been completed
See this Knowledge Base Article for additional information
Open the Identity Provider Configuration Editor
Under the 'SAML Websites' tab, click the 'Create' button
Give the new Relying Party a Name and Description that make sense for this application (e.g. Canvas LMS or Test Canvas Integration)
Next to Identifiers, click the 'Add' button
For new SAML integrations with Canvas, the Identifier will be set to the Entity ID defined in Canvas. This typically follows the format:
http://SCHOOL.NAME.instructure.com/saml2
You will be able to confirm this once you move to the Canvas side. If you are unsure, just use the placeholder above for now and you will update it after.
For the Assertion Consumer URL, use the following format:
IMPORTANT NOTE: Canvas' TEST and PROD environments use the same Identifier value. Check the 'Use ACS from SAMLRequest?' checkbox to ensure support for both environments from a single PortalGuard server.
Your end result should resemble the following:
Navigate to the 'Identity Claims' tab
Ensure the correct 'Attribute Store' is selected (this value will determine where user information is pulled from during SSO authentication)
Click the 'Create' button to add a new Identity Claim to this Relying Party
For Name, use "EmailAsNameID"
Ensure the 'Send as NameID?' box is checked
For Schema Type, click the 'Predefined Types' and choose the following from the drop-down:
urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
You will see a matching value on the Canvas side
Leave Value Type set to 'String Field'
Update the 'Field Name' to "mail" (without the quotation marks)
Your end result should resemble the following:
Save this claim
Navigate to the 'IdP-Initiated' tab
Display Text - this is the label of the tile that your users will see on the PortalGuard SSO Jump Page
Help Text - this is the information that will appear if users hover over the tile but do not click on it.
Display Image - Click on 'Choose Image' and then browse to the thumbnail image you would like to display on the PortalGuard SSO Jump Page. If you have a specific thumbnail that you would like to use, simply paste it into the C:\inetpub\PortalGuard\sso\img\ folder on the PortalGuard server and select it here. Otherwise, choose 'Default.jpg' for now
Save the configuration
On the main screen of the Identity Provider Configuration Editor click 'Apply to Identity Provider'
Click 'Sync'
Still in the Identity Provider Configuration Editor, click on 'General IdP Settings'
Navigate to the 'Response' tab and copy down the 'Issuer' value for use on the Canvas configuration.
Locate the 'PGIdP.cer' file on the PortalGuard Server
This is typically located in the following location:
C:\Program Files\PistolStar\PortalGuard
Double-Click the file and Navigate to the 'Details' tab
Scroll down and locate the 'Thumbprint Value'
Copy the series of pairs to your clipboard and paste into a text editor
Canvas requires the thumbprint to be entered with the following conditions:
Each pair separated by a colon (":")
All upper case letters
Type out the thumbprint on a new line in all upper case letters with each pair separated by a colon.
Copy the entire string and save to a new text file as 'thumbprint.txt' for later use.
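The following script, added here as an example and not part of the original article or of PortalGuard, does the thumbprint reformatting above and also recomputes the SHA-1 fingerprint directly from the certificate file, so you can confirm that the value pasted into Canvas really pins the PGIdP.cer that PortalGuard signs with. The certificate bytes below are a constructed stand-in, not a real PGIdP.cer.

```python
import base64
import hashlib
import re

# Constructed stand-in for the contents of PGIdP.cer (a real file is DER or PEM).
CONSTRUCTED_CERT_DER = b"abc"
CONSTRUCTED_CERT_PEM = b"-----BEGIN CERTIFICATE-----\nYWJj\n-----END CERTIFICATE-----\n"


def normalize_thumbprint(raw: str) -> str:
    """Convert a thumbprint as copied from the Windows certificate 'Details' tab
    (hex pairs separated by spaces, often lower-case, sometimes prefixed with an
    invisible left-to-right mark that Windows adds) into the Canvas format:
    upper-case hex pairs separated by colons."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", raw)
    if len(hexdigits) != 40:
        raise ValueError(f"expected 40 hex digits for a SHA-1 thumbprint, got {len(hexdigits)}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 40, 2)).upper()


def fingerprint_from_cert(cert_bytes: bytes) -> str:
    """Compute the SHA-1 thumbprint of a certificate given as DER or PEM bytes.
    Windows shows the SHA-1 of the DER encoding, so PEM is decoded first."""
    if cert_bytes.lstrip().startswith(b"-----BEGIN"):
        body = b"".join(
            line.strip() for line in cert_bytes.splitlines()
            if not line.startswith(b"-----")
        )
        cert_bytes = base64.b64decode(body)
    return normalize_thumbprint(hashlib.sha1(cert_bytes).hexdigest())


def fingerprint_matches(cert_bytes: bytes, canvas_value: str) -> bool:
    """True when the value configured in Canvas pins exactly this certificate.
    A mismatch means Canvas will reject (or worse, was configured to trust a
    different) signing certificate, so check this before testing SSO."""
    return fingerprint_from_cert(cert_bytes) == normalize_thumbprint(canvas_value)


if __name__ == "__main__":
    # Typical usage on the PortalGuard server: read the real file instead of the stand-in.
    # with open(r"C:\Program Files\PistolStar\PortalGuard\PGIdP.cer", "rb") as f:
    #     cert = f.read()
    print(fingerprint_from_cert(CONSTRUCTED_CERT_DER))
```

Paste the printed value into the Canvas 'Certificate Fingerprint' field, or pass the value already in Canvas to fingerprint_matches to verify an existing integration.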
Within the Canvas LMS Configuration
You will need to login to the Canvas Instance as an Administrator
Be sure to login to the correct instance (i.e. Production, Test, or Beta)
Click the 'Admin' tile on the right-hand side
Choose 'Authentication'
On the left-hand side, click the dropdown for 'Choose an Authentication' and select 'SAML'
Use the following information to fill in the 'SAML' Authentication settings:
IdP Metadata URL - This will use the following URL structure: https://YOUR.PORTALGUARD.URL/sso/metadata.ashx
IdP Entity ID - The 'issuer' value from the PortalGuard Identity Provider Configuration Editor
See Steps # 22-23 Above
Log On URL - This will use the following URL structure: https://YOUR.PORTALGUARD.URL/sso/go.ashx
Log Out URL - This will use the following URL structure: https://YOUR.PORTALGUARD.URL/_layouts/PG/signout.aspx
Certificate Fingerprint - Taken from the .txt file saved during step # 30 above.
Login Attribute - No Change
Identifier Format - No Change - should match the 'Schema Type' referenced in step # 13 above.
Authentication Context - No change
Message Signing - No change
Just In Time Provisioning - No change
IMPORTANT NOTE: To double check the 'Entity ID' for Canvas, confirm it against the information presented at the top of this screen under the 'SAML' header. The first sentence reads "The Canvas SAML Entity ID is..."; that value should match what you have listed as the 'Identifier' in step # 6 of the 'On the PortalGuard Server' section above.
Save these settings.
Scroll down on the new page and double check the information remains unchanged. Oftentimes, the initial 'Save' clears out the 'Log Out URL' value, and you must update that here before testing.
Under the 'SAML' header, the first sentence provides the endpoint URL to use when accessing Canvas via SAML
Once all settings are verified, test the following authentication scenarios:
Starting at the PortalGuard Website
Navigate to https://YOUR.PG.URL/sso/default.aspx
Login to PortalGuard with an account that can access Canvas
Click the 'Canvas' tile to be granted access to Canvas
Starting at Canvas
Navigate to the SAML Endpoint URL for Canvas (As noted in step #9 above)
After being redirected, login to PortalGuard
You will be redirected into Canvas after authenticating through PortalGuard
NOTE: You can also set SAML to the default method in PortalGuard to initiate SAML directly when hitting your root Canvas URL. Standard LDAP Authentication can then remain on a separate endpoint URL as a backup if necessary.