How do I configure third-party authentication providers for a Canvas account?
Canvas supports authentication with a variety of third-party identity providers, which can be configured in the Canvas interface. Each provider requires the admin to set an attribute to be associated with the account, such as a user ID, email, or login. Currently supported integrations include Facebook, Github, LinkedIn, Twitter, Google Apps, Microsoft (Office 365), Clever, CAS, LDAP, OpenID, and SAML. Some providers require custom components for configuration. All providers support Single Sign On (SSO) authentication.
Third-party authentication providers can be used in addition to Canvas authentication.
Once a provider has been saved in Canvas, the provider’s authentication login credentials must be added to each Canvas user’s account through SIS CSV files or the Authentication Providers API. (Currently there is no support for adding user credentials through the Canvas interface.) Each authentication provider supports specifically recognized parameters; some providers may recognize additional parameters. Unrecognized parameters are not supported.
Just In Time Provisioning
As part of the authentication process, admins can apply Just in Time Provisioning, which tells Canvas to automatically create a user's accounts if one does not already exist. Currently when a user logs in to Canvas using a third-party authentication system, Canvas searches users in the account looking for a matching user parameter for that service. If a matching parameter is not found, Canvas returns the user to the authentication provider portal with a message the user could not be found. When Just in Time Provisioning (JIT) is enabled, Canvas automatically creates the user using an ID that matches the username used with the authentication provider.
JIT provisioning must be configured via API for the specific authentication provider (see the Authentication Providers API). It does not need to be configured for individual users via API or SIS.
As a complement to JIT provisioning, all authentication providers support federated attributes. When users log into Canvas, more information beyond just ID is passed to Canvas, and that information is associated with their existing user accounts. More information can be found in the Authentication Providers API.
Save Provider Data
Enter the data required by the service . Some providers require custom components for configuration.
To enable Just in Time Provisioning, click the Just in Time Provisioning checkbox .
Set Federated Attributes
To use a federated attribute, select a Canvas provider attribute in the drop-down menu . This is the attribute that you want to use in Canvas. Available attributes include display name, email, given name, integration ID, locale, name, sis user ID, sortable name, surname, and time zone.
Click the Add Attribute button .
In the Provider Attribute drop-down menu, choose the attribute value that will match the selected Canvas attribute. Available values include email, family name, given name, locale, name, and sub (subject identifier—a user ID commonly used with Open ID Connect, Google, and Microsoft specifications).
Note that not all values will exactly match the Canvas attribute. For instance, if you set email as an attribute in Canvas, the provider attribute value options also include email, meaning that the email address from the provider will also be updated for the email address in Canvas. However, some Canvas attributes may not align with the available provider attribute values.
Remove All Authentication
To remove all previously configured authentication providers, click the Remove All Authentication button.
Note: The remove button does not affect SSO Settings or Canvas authentication.