Authentication Providers

An AuthenticationProvider object looks like:

{
  // Valid for SAML providers.
  "identifier_format": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
  // Valid for all providers.
  "auth_type": "saml",
  // Valid for all providers.
  "id": 1649,
  // Valid for SAML providers.
  "log_out_url": "http://example.com/saml1/slo",
  // Valid for SAML and CAS providers.
  "log_in_url": "http://example.com/saml1/sli",
  // Valid for SAML providers.
  "certificate_fingerprint": "111222",
  // Valid for SAML providers.
  "requested_authn_context": null,
  // Valid for LDAP providers.
  "auth_host": "127.0.0.1",
  // Valid for LDAP providers.
  "auth_filter": "filter1",
  // Valid for LDAP providers.
  "auth_over_tls": null,
  // Valid for LDAP and CAS providers.
  "auth_base": null,
  // Valid for LDAP providers.
  "auth_username": "username1",
  // Valid for LDAP providers.
  "auth_port": null,
  // Valid for all providers.
  "position": 1,
  // Valid for SAML providers.
  "idp_entity_id": "http://example.com/saml1",
  // Valid for SAML providers.
  "login_attribute": "nameid",
  // Valid for SAML providers.
  "sig_alg": "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
  // Just In Time provisioning. Valid for all providers except Canvas (which has
  // the similar in concept self_registration setting).
  "jit_provisioning": null,
  "federated_attributes": null,
  // If multi-factor authentication is required when logging in with this
  // authentication provider. The account must not have MFA disabled.
  "mfa_required": null
}

A SSOSettings object looks like:

// Settings that are applicable across an account's authentication
// configuration, even if there are multiple individual providers
{
  // The label used for unique login identifiers.
  "login_handle_name": "Username",
  // The url to redirect users to for password resets. Leave blank for default
  // Canvas behavior
  "change_password_url": "https://example.com/reset_password",
  // If a discovery url is set, canvas will forward all users to that URL when
  // they need to be authenticated. That page will need to then help the user
  // figure out where they need to go to log in. If no discovery url is
  // configured, the first configuration will be used to attempt to authenticate
  // the user.
  "auth_discovery_url": "https://example.com/which_account",
  // If an unknown user url is set, Canvas will forward to that url when a service
  // authenticates a user, but that user does not exist in Canvas. The default
  // behavior is to present an error.
  "unknown_user_url": "https://example.com/register_for_canvas"
}

A FederatedAttributesConfig object looks like:

// A mapping of Canvas attribute names to attribute names that a provider may
// send, in order to update the value of these attributes when a user logs in.
// The values can be a FederatedAttributeConfig, or a raw string corresponding
// to the "attribute" property of a FederatedAttributeConfig. In responses, full
// FederatedAttributeConfig objects are returned if JIT provisioning is enabled,
// otherwise just the attribute names are returned.
{
  // A comma separated list of role names to grant to the user. Note that these
  // only apply at the root account level, and not sub-accounts. If the attribute
  // is not marked for provisioning only, the user will also be removed from any
  // other roles they currently hold that are not still specified by the IdP.
  "admin_roles": null,
  // The full display name of the user
  "display_name": null,
  // The user's e-mail address
  "email": null,
  // The first, or given, name of the user
  "given_name": null,
  // The secondary unique identifier for SIS purposes
  "integration_id": null,
  // The user's preferred locale/language
  "locale": null,
  // The full name of the user
  "name": null,
  // The unique SIS identifier
  "sis_user_id": null,
  // The full name of the user for sorting purposes
  "sortable_name": null,
  // The surname, or last name, of the user
  "surname": null,
  // The user's preferred time zone
  "timezone": null
}

A FederatedAttributeConfig object looks like:

// A single attribute name to be federated when a user logs in
{
  // The name of the attribute as it will be sent from the authentication provider
  "attribute": "mail",
  // If the attribute should be applied only when provisioning a new user, rather
  // than all logins
  "provisioning_only": false,
  // (only for email) If the email address is trusted and should be automatically
  // confirmed
  "autoconfirm": false
}

GET /api/v1/accounts/:account_id/authentication_providers

Scope: url:GET|/api/v1/accounts/:account_id/authentication_providers

Returns a paginated list of authentication providers

Example Request:

curl 'https://<canvas>/api/v1/accounts/<account_id>/authentication_providers' \
     -H 'Authorization: Bearer <token>'

GET /api/v1/accounts/:account_id/authentication_providers/:id

Scope: url:GET|/api/v1/accounts/:account_id/authentication_providers/:id

Get the specified authentication provider

Example Request:

curl 'https://<canvas>/api/v1/accounts/<account_id>/authentication_providers/<id>' \
     -H 'Authorization: Bearer <token>'

POST /api/v1/accounts/:account_id/authentication_providers

Scope: url:POST|/api/v1/accounts/:account_id/authentication_providers

Add external authentication provider(s) for the account. Services may be Apple, CAS, Facebook, GitHub, Google, LDAP, LinkedIn, Microsoft, OpenID Connect, or SAML.

Each authentication provider is specified as a set of parameters as described below. A provider specification must include an ‘auth_type’ parameter with a value of ‘apple’, ‘canvas’, ‘cas’, ‘clever’, ‘facebook’, ‘github’, ‘google’, ‘ldap’, ‘linkedin’, ‘microsoft’, ‘openid_connect’, or ‘saml’. The other recognized parameters depend on this auth_type; unrecognized parameters are discarded. Provider specifications not specifying a valid auth_type are ignored.

You can set the ‘position’ for any provider. The config in the 1st position is considered the default. You can set ‘jit_provisioning’ for any provider besides Canvas. You can set ‘mfa_required’ for any provider.

For Apple, the additional recognized parameters are:

  • client_id [Required]

    The developer’s client identifier, as provided by WWDR. Not available if configured globally for Canvas.

  • login_attribute [Optional]

    The attribute to use to look up the user’s login in Canvas. Either ‘sub’ (the default), or ‘email’

  • federated_attributes [Optional]

    See FederatedAttributesConfig. Valid provider attributes are ‘email’, ‘firstName’, ‘lastName’, and ‘sub’.

For Canvas, the additional recognized parameter is:

  • self_registration

    ‘all’, ‘none’, or ‘observer’ - who is allowed to register as a new user

For CAS, the additional recognized parameters are:

  • auth_base

    The CAS server’s URL.

  • log_in_url [Optional]

    An alternate SSO URL for logging into CAS. You probably should not set this.

For Clever, the additional recognized parameters are:

  • client_id [Required]

    The Clever application’s Client ID. Not available if configured globally for Canvas.

  • client_secret [Required]

    The Clever application’s Client Secret. Not available if configured globally for Canvas.

  • district_id [Optional]

    A district’s Clever ID. Leave this blank to let Clever handle the details with its District Picker. This is required for Clever Instant Login to work in a multi-tenant environment.

  • login_attribute [Optional]

    The attribute to use to look up the user’s login in Canvas. Either ‘id’ (the default), ‘sis_id’, ‘email’, ‘student_number’, or ‘teacher_number’. Note that some fields may not be populated for all users at Clever.

  • federated_attributes [Optional]

    See FederatedAttributesConfig. Valid provider attributes are ‘id’, ‘sis_id’, ‘email’, ‘student_number’, and ‘teacher_number’.

For Facebook, the additional recognized parameters are:

  • app_id [Required]

    The Facebook App ID. Not available if configured globally for Canvas.

  • app_secret [Required]

    The Facebook App Secret. Not available if configured globally for Canvas.

  • login_attribute [Optional]

    The attribute to use to look up the user’s login in Canvas. Either ‘id’ (the default), or ‘email’

  • federated_attributes [Optional]

    See FederatedAttributesConfig. Valid provider attributes are ‘email’, ‘first_name’, ‘id’, ‘last_name’, ‘locale’, and ‘name’.

For GitHub, the additional recognized parameters are:

  • domain [Optional]

    The domain of a GitHub Enterprise installation. I.e. github.mycompany.com. If not set, it will default to the public github.com.

  • client_id [Required]

    The GitHub application’s Client ID. Not available if configured globally for Canvas.

  • client_secret [Required]

    The GitHub application’s Client Secret. Not available if configured globally for Canvas.

  • login_attribute [Optional]

    The attribute to use to look up the user’s login in Canvas. Either ‘id’ (the default), or ‘login’

  • federated_attributes [Optional]

    See FederatedAttributesConfig. Valid provider attributes are ‘email’, ‘id’, ‘login’, and ‘name’.

For Google, the additional recognized parameters are:

  • client_id [Required]

    The Google application’s Client ID. Not available if configured globally for Canvas.

  • client_secret [Required]

    The Google application’s Client Secret. Not available if configured globally for Canvas.

  • hosted_domain [Optional]

  • login_attribute [Optional]

    The attribute to use to look up the user’s login in Canvas. Either ‘sub’ (the default), or ‘email’

  • federated_attributes [Optional]

    See FederatedAttributesConfig. Valid provider attributes are ‘email’, ‘family_name’, ‘given_name’, ‘locale’, ‘name’, and ‘sub’.

For LDAP, the additional recognized parameters are:

  • auth_host

    The LDAP server’s URL.

  • auth_port [Optional, Integer]

    The LDAP server’s TCP port. (default: 389)

  • auth_over_tls [Optional]

    Whether to use TLS. Can be ‘simple_tls’, or ‘start_tls’. For backwards compatibility, booleans are also accepted, with true meaning simple_tls. If not provided, it will default to start_tls.

  • auth_base [Optional]

    A default treebase parameter for searches performed against the LDAP server.

  • auth_filter

    LDAP search filter. Use {{login}} as a placeholder for the username supplied by the user. For example: “(sAMAccountName={{login}})”.

  • identifier_format [Optional]

    The LDAP attribute to use to look up the Canvas login. Omit to use the username supplied by the user.

  • auth_username

    Username

  • auth_password

    Password

For LinkedIn, the additional recognized parameters are:

  • client_id [Required]

    The LinkedIn application’s Client ID. Not available if configured globally for Canvas.

  • client_secret [Required]

    The LinkedIn application’s Client Secret. Not available if configured globally for Canvas.

  • login_attribute [Optional]

    The attribute to use to look up the user’s login in Canvas. Either ‘id’ (the default), or ‘emailAddress’

  • federated_attributes [Optional]

    See FederatedAttributesConfig. Valid provider attributes are ‘emailAddress’, ‘firstName’, ‘id’, ‘formattedName’, and ‘lastName’.

For Microsoft, the additional recognized parameters are:

  • application_id [Required]

    The application’s ID.

  • application_secret [Required]

    The application’s Client Secret (Password)

  • tenant [Optional]

  • login_attribute [Optional]

  • federated_attributes [Optional]

    See FederatedAttributesConfig. Valid provider attributes are ‘email’, ‘name’, ‘preferred_username’, ‘oid’, and ‘sub’.

For OpenID Connect, the additional recognized parameters are:

  • client_id [Required]

    The application’s Client ID.

  • client_secret [Required]

    The application’s Client Secret.

  • authorize_url [Required]

    The URL for getting starting the OAuth 2.0 web flow

  • token_url [Required]

    The URL for exchanging the OAuth 2.0 authorization code for an Access Token and ID Token

  • scope [Optional]

  • end_session_endpoint [Optional]

  • userinfo_endpoint [Optional]

    URL to request additional claims from. If the initial ID Token received from the provider cannot be used to satisfy the login_attribute and all federated_attributes, this endpoint will be queried for additional information.

  • login_attribute [Optional]

    The attribute of the ID Token to look up the user’s login in Canvas. Defaults to ‘sub’.

  • federated_attributes [Optional]

For SAML, the additional recognized parameters are:

  • metadata [Optional]

    An XML document to parse as SAML metadata, and automatically populate idp_entity_id, log_in_url, log_out_url, certificate_fingerprint, and identifier_format

  • metadata_uri [Optional]

  • idp_entity_id

    The SAML IdP’s entity ID

  • log_in_url

    The SAML service’s SSO target URL

  • log_out_url [Optional]

    The SAML service’s SLO target URL

  • certificate_fingerprint

    The SAML service’s certificate fingerprint.

  • identifier_format

    The SAML service’s identifier format. Must be one of:

    • urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress

    • urn:oasis:names:tc:SAML:2.0:nameid-format:entity

    • urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos

    • urn:oasis:names:tc:SAML:2.0:nameid-format:persistent

    • urn:oasis:names:tc:SAML:2.0:nameid-format:transient

    • urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified

    • urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName

    • urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName

  • requested_authn_context [Optional]

    The SAML AuthnContext

  • sig_alg [Optional]

    If set, AuthnRequest, LogoutRequest, and LogoutResponse messages are signed with the corresponding algorithm. Supported algorithms are:

    RSA-SHA1 and RSA-SHA256 are acceptable aliases.

  • federated_attributes [Optional]

    See FederatedAttributesConfig. Any value is allowed for the provider attribute names.

Example Request:

# Create LDAP config
curl 'https://<canvas>/api/v1/accounts/<account_id>/authentication_providers' \
     -F 'auth_type=ldap' \
     -F 'auth_host=ldap.mydomain.edu' \
     -F 'auth_filter=(sAMAccountName={{login}})' \
     -F 'auth_username=username' \
     -F 'auth_password=bestpasswordever' \
     -F 'position=1' \
     -H 'Authorization: Bearer <token>'
# Create SAML config
curl 'https://<canvas>/api/v1/accounts/<account_id>/authentication_providers' \
     -F 'auth_type=saml' \
     -F 'idp_entity_id=<idp_entity_id>' \
     -F 'log_in_url=<login_url>' \
     -F 'log_out_url=<logout_url>' \
     -F 'certificate_fingerprint=<fingerprint>' \
     -H 'Authorization: Bearer <token>'
# Create CAS config
curl 'https://<canvas>/api/v1/accounts/<account_id>/authentication_providers' \
     -F 'auth_type=cas' \
     -F 'auth_base=cas.mydomain.edu' \
     -F 'log_in_url=<login_url>' \
     -H 'Authorization: Bearer <token>'

PUT /api/v1/accounts/:account_id/authentication_providers/:id

Scope: url:PUT|/api/v1/accounts/:account_id/authentication_providers/:id

Example Request:

# update SAML config
curl -X PUT 'https://<canvas>/api/v1/accounts/<account_id>/authentication_providers/<id>' \
     -F 'idp_entity_id=<new_idp_entity_id>' \
     -F 'log_in_url=<new_url>' \
     -H 'Authorization: Bearer <token>'

DELETE /api/v1/accounts/:account_id/authentication_providers/:id

Scope: url:DELETE|/api/v1/accounts/:account_id/authentication_providers/:id

Delete the config

Example Request:

curl -X DELETE 'https://<canvas>/api/v1/accounts/<account_id>/authentication_providers/<id>' \
     -H 'Authorization: Bearer <token>'

PUT /api/v1/accounts/:account_id/authentication_providers/:id/restore

Scope: url:PUT|/api/v1/accounts/:account_id/authentication_providers/:id/restore

Restore an authentication provider back to active that was previously deleted. Only available to admins who can manage_account_settings for given root account.

Example Request:

curl -X PUT 'https://<canvas>/api/v1/accounts/<account_id>/authentication_providers/<id>/restore' \
     -H 'Authorization: Bearer <token>'

GET /api/v1/accounts/:account_id/sso_settings

Scope: url:GET|/api/v1/accounts/:account_id/sso_settings

The way to get the current state of each account level setting that’s relevant to Single Sign On configuration

You can list the current state of each setting with “update_sso_settings”

Example Request:

curl -XGET 'https://<canvas>/api/v1/accounts/<account_id>/sso_settings' \
     -H 'Authorization: Bearer <token>'

PUT /api/v1/accounts/:account_id/sso_settings

Scope: url:PUT|/api/v1/accounts/:account_id/sso_settings

For various cases of mixed SSO configurations, you may need to set some configuration at the account level to handle the particulars of your setup.

This endpoint accepts a PUT request to set several possible account settings. All setting are optional on each request, any that are not provided at all are simply retained as is. Any that provide the key but a null-ish value (blank string, null, undefined) will be UN-set.

You can list the current state of each setting with “show_sso_settings”

Example Request:

curl -XPUT 'https://<canvas>/api/v1/accounts/<account_id>/sso_settings' \
     -F 'sso_settings[auth_discovery_url]=<new_url>' \
     -F 'sso_settings[change_password_url]=<new_url>' \
     -F 'sso_settings[login_handle_name]=<new_handle>' \
     -H 'Authorization: Bearer <token>'

Last updated

Was this helpful?