development:
entity_id: "http://localhost:3000/saml2"
tech_contact_name: "Administrator"
tech_contact_email: ""
encryption: xmlsec_binary: /usr/local/bin/xmlsec1
private_key: /Applications/XAMPP/simplesamlphp/cert/server.pem
certificate: /Applications/XAMPP/simplesamlphp/cert/server.crtWe are using Canvas LMS but want to use our own existing authentication, so our users don’t need a second set of credentials to login to Canvas. I struggled a little bit with this so thought of posting this for reference. To get Canvas LMS working with third party authentication, you really have two options
- Host canvas LMS yourself and just plug-in a custom authentication module. Canvas is an open source LMS solution so this should work just fine.
- Setup a SAML identity provider (idp) and setup your account in Canvas with SAML authentication
We chose option #2 because we were using a hosted version of Canvas. There is some documentation here on setting up various authentication profiles in Canvas.
We used SimpleSaml as our SAML Identity Provider. SimpleSaml is very easy to setup and comes pre-packaged with multiple authentication providers (local text based basic authentication, OpenId etc.). Our plan was to write a custom authentication provider within SimpleSaml which would leverage our own custom username/password database.
To set all this up just do the following.
-
- Canvas for Saml authentication. If you are testing with a local deployment of Canvas, edit config/saml.yml and add the following
- Configure you Canvas account (super user account under which all others users are created) to use SAML authentication. Here is a screenshot of our configuration
- Install SimpleSaml and enable SAML authentication by editing simplesaml/config/config.php and declaring
'enable.saml20-idp' = true,- Edit simplesaml/config/authsources by setting up an appropriate authentication source. For testing we just used a in-memory Map of username-passwords as follows
'example-userpass' = array(
'exampleauth:UserPass',
':test' = array(
'uid' = array(''),
'email' = '',
'eduPersonAffiliation' = array('member', 'student'),
),
),- Edit simplesaml/metadata/saml20-sp-remote.php and set Canvas as a remote Service Provider (Canvas deploys the SAML service provider by default)
$metadata['http://localhost:3000/saml2'] = array('AssertionConsumerService' =
'http://localhost:3000/saml_consume',
'SingleLogoutService' ='http://localhost:3000/saml_logout',
'NameIDFormat' = urn:oasis:names:tc:SAML:2.0:nameid-format:email',
'simplesaml.nameidattribute' = 'email', 'simplesaml.attributes'=FALSE,
);- I used the certificates that came with SimpleSaml. Just calculate the MD5 fingerprint of the certificate and use it to configure canvas (step #1). This establishes “trust” between Canvas and SimpleSaml
That should be it. Now when you try and go to the Canvas homepage at http://localhost:3000, it will forward you to the following Screen
Once you login here (using the credentials in the example-userpass authentication provider),
you should be logged in to Canvas automatically. Remember the test user () should already exist in Canvas and have a login id of .
I will post a follow up on creating a custom authentication provider in SimpleSaml….stay tuned
