How do I configure third-party authentication providers for a Canvas account?
Canvas supports authentication with a variety of third-party identity providers, which can be configured in the Canvas interface. Each provider requires the admin to set an attribute to be associated with the account, such as a user ID, email, or login. Currently supported integrations include Apple, Facebook, GitHub, LinkedIn, Twitter, Google Apps, Microsoft (Office 365), Clever, CAS, LDAP, OpenID, and SAML. Some providers require custom components for configuration. All providers support Single Sign On (SSO) authentication.
Third-party authentication providers can be used in addition to Canvas authentication.
User Credentials
Once a provider has been saved in Canvas, the provider’s authentication login credentials must be added to each Canvas user’s account through SIS CSV files or the Authentication Providers API. (Currently there is no support for adding user credentials through the Canvas interface.) Each authentication provider supports specifically recognized parameters; some providers may recognize additional parameters. Unrecognized parameters are not supported.
For additional help with authentication systems, including Single Sign On (SSO) support, view the integration documents in the Canvas Community.
Just In Time Provisioning
As part of the authentication process, admins can apply Just in Time Provisioning, which tells Canvas to automatically create a user's account if one does not already exist. Currently, when a user logs in to Canvas using a third-party authentication system, Canvas searches the users in the account for a parameter matching the one supplied by that service. If no matching parameter is found, Canvas returns the user to the authentication provider portal with a message that the user could not be found. When Just in Time Provisioning (JIT) is enabled, Canvas automatically creates the user with an ID that matches the username used with the authentication provider.
JIT provisioning must be configured via API for the specific authentication provider (see the Authentication Providers API). It does not need to be configured for individual users via API or SIS.
Federated Attributes
As a complement to JIT provisioning, all authentication providers support federated attributes. When users log into Canvas, more information beyond just ID is passed to Canvas, and that information is associated with their existing user accounts. More information can be found in the Authentication Providers API.
Open Account
In Global Navigation, click the Admin link [1], then click the name of the account [2].
Open Authentication
In Account Navigation, click the Authentication link.
Choose Provider
In the Authentication drop-down menu, select an authentication service.
Note: If your account is part of an established trust account, you can select Trusted Canvas instance from the Identity Provider drop-down menu. Learn more about configuring trusted Canvas instance authentication.
Save Provider Data
Enter the data required by the service [1]. Some providers require custom components for configuration.
To enable Just in Time Provisioning, click the Just in Time Provisioning checkbox [2].
Set Federated Attributes
To use a federated attribute, select a Canvas provider attribute in the drop-down menu [1]. This is the attribute that you want to populate in Canvas. Available attributes include admin roles, display name, email, given name, integration ID, locale, name, SIS user ID, sortable name, surname, and time zone.
Click the Add Attribute button [2].
In the Provider Attribute drop-down menu, choose the attribute value that will match the selected Canvas attribute. Available values include email, family name, given name, locale, name, and sub (subject identifier, a user ID commonly used with the OpenID Connect, Google, and Microsoft specifications).
Note that not all values will exactly match the Canvas attribute. For instance, if you select email as the Canvas attribute, the provider attribute options also include email, meaning that the email address supplied by the provider will update the email address stored in Canvas. However, some Canvas attributes may not align with any of the available provider attribute values.
Require Multi-Factor Authentication
The Canvas enforces MFA option is functionally equivalent to enabling the legacy UI's MFA Required checkbox; any accounts that previously had the legacy MFA Required checkbox enabled have this option selected.
To have Canvas enforce the MFA, select the Canvas enforces MFA option [1]. To have SMS carriers send one-time passcodes, click the Send one-time passcodes via SMS (US carriers only) checkbox [2].
To have the provider enforce the MFA, select Provider enforces MFA option [3].
To have the user opt in, select User can opt in to MFA option [4].
Note: Your institution's Customer Success Manager can set MFA to the following: Disabled, Optional, Required for Admins, and Required.
Save Data
Click the Save button.
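The same provider setup (provider data, Just in Time Provisioning, and federated attributes) can be done through the Authentication Providers API, which is how JIT provisioning is configured. The script below is an added example, not code from Canvas or this guide; the form parameter names (`auth_type`, `jit_provisioning`, `federated_attributes[...]`, `login_attribute`) and the attribute key spellings are assumed from the Canvas API documentation, and the host and token are placeholders.

```python
"""Configure an authentication provider via the Canvas API (added example).
Parameter names and attribute keys are assumed from the Canvas API docs."""
import json
import urllib.parse
import urllib.request

# Canvas attributes from the federated-attributes drop-down, as assumed API keys.
CANVAS_ATTRIBUTES = {
    "admin_roles", "display_name", "email", "given_name", "integration_id",
    "locale", "name", "sis_user_id", "sortable_name", "surname", "timezone",
}
# Provider attribute values listed in this guide (assumed API spellings).
PROVIDER_ATTRIBUTES = {"email", "family_name", "given_name", "locale", "name", "sub"}


def build_provider_params(auth_type, jit_provisioning, federated, provider_fields=None):
    """Return form fields for POST /api/v1/accounts/:id/authentication_providers.

    `federated` maps a Canvas attribute to a provider attribute. A value may be a
    tuple (provider_attr, provisioning_only): provisioning_only=True means the
    attribute is used only when JIT creates the user and is not overwritten on
    later logins (for example, so a provider-side email change cannot silently
    replace the address Canvas already holds)."""
    params = {"auth_type": auth_type,
              "jit_provisioning": "true" if jit_provisioning else "false"}
    params.update(provider_fields or {})
    for canvas_attr, spec in federated.items():
        provider_attr, prov_only = spec if isinstance(spec, tuple) else (spec, False)
        if canvas_attr not in CANVAS_ATTRIBUTES:
            raise ValueError(f"unknown Canvas attribute: {canvas_attr}")
        if provider_attr not in PROVIDER_ATTRIBUTES:
            raise ValueError(f"provider does not supply attribute: {provider_attr}")
        params[f"federated_attributes[{canvas_attr}][attribute]"] = provider_attr
        params[f"federated_attributes[{canvas_attr}][provisioning_only]"] = \
            "true" if prov_only else "false"
    return params


def create_provider(base_url, account_id, token, params):
    """POST the form to Canvas using an admin access token (placeholder values)."""
    req = urllib.request.Request(
        f"{base_url}/api/v1/accounts/{account_id}/authentication_providers",
        data=urllib.parse.urlencode(params).encode(),
        headers={"Authorization": f"Bearer {token}"}, method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # sub is the stable subject identifier, so it is the safer login attribute.
    p = build_provider_params("openid_connect", True,
                              {"email": ("email", True), "surname": "family_name",
                               "given_name": "given_name"}, {"login_attribute": "sub"})
    print(create_provider("https://canvas.example.edu", "1", "<ADMIN_TOKEN>", p))
```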
Manage Provider
To change the position of your authentication providers, click the position menu [1] and choose the placement number for the new position. Positions affect the Discovery URL when an account has configured SSO Settings.
To delete the provider, click the Delete button [2].
Manage SAML Authentication
If you are using SAML authentication, you can manually refresh the SAML metadata by clicking the Refresh Metadata button.
Remove Authentication
To remove all previously configured authentication providers, click the Remove Authentication button.
Note: The remove button does not affect SSO Settings or Canvas authentication.
Confirm Removal
Removing all authentication methods may affect your students' ability to log in to Canvas. To confirm, click the OK button.