Canvas LMS Single Sign On (SSO) with WordPress as IDP | Login into Canvas LMS using WordPress

 Pre-requisite: Download And Installation

• To integrate the WordPress site as an Identity Provider, you will need to install the miniOrange
  Login using WordPress Users ( WP as SAML IDP ) Plugin:

Step 1: Configure Canvas LMS as the Service Provider:

• Open the WordPress site.
• Install and activate the Login using WordPress Users ( WP as SAML IDP ) plugin on your WordPress site
  which is acting as Identity Provider.
• Go to the WordPress IDP plugin, navigate to the IDP Metadata tab. Here, you can find the Identity
  Provider Metadata URL or you can Download the Metadata File.
• You will find IDP Entity ID, SAML Login URL, SAML Logout URL (Premium Feature), Certificate.

You would need these to configure the Service provider(Canvas LMS).



 Instructions:

• Login to your Canvas LMS domain as an Account Administrator.
• Switch to Admin view by clicking on the corresponding link from the bottom of the screen.
• Select Admin from the left pane and select the domain for which you wish to enable Single sign-on.


• Click on Authentication in the left pane and navigate to SAML

Enter the values by referring to the table below.

IDP Metadata URI	Enter the Metadata URL that points to the metadata document.
IDP Entity ID	Enter the IDP Entity value that you got from the previous step.
Log On URL	Enter the SAML Login URL that you got from the previous step.
Log Out URL	Enter the SAML Logout URL(Premium feature) that you got from the previous step.
Certificate Fingerprint	Follow the steps below to copy the Thumbprint of certificate: 1. Open the certificate that was downloaded earlier. 2. Go to Details and in the field column select Thumbprint. 3. Copy the Thumbprint that opens in the pane by pressing CTRL+C (Right-Click wont work!). 4. Paste the Thumbprint in the Certificate Fingerprint. Make sure that there are no spaces in between the Certificate Fingerprint. Remove them manually.
Login Attribute	NameID
Identifier Format	Select urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress from the dropdown list.
Authentication Context	Select urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport from the dropdown list.
Message Signing	Select the algorithm to use for signing Request messages sent to the IdP. For now select Not Signed.
Just In Time Provisioning	If checked then it automatically create a user account in your Canvas LMS if its the first time a user logs in with single sign-on (SSO).



• Click Save to complete the configuration.

Step 2: Configure WordPress as the Identity Provider:

• You would need Entity ID , Acs URL from Canvas LMS .
• You can find this information under Current Provider in Authentication section under Admin tab.
• Click on the Link to find Metadata file containing all the information of your Service Provider (Canvas LMS).




 Instructions:

• Open the WordPress site.
• Go to the WordPress IDP plugin, navigate to the Service Provider tab.
• Enter the values corresponding to the information from Canvas LMS. Refer to the table below.
  
  

  Service Provider Name	Name of your Service Provider.
  SP Entity ID or Issuer	Copy and paste the SP-EntityID from Canvas LMS.
  ACS URL	Copy and paste the ACS URL from Canvas LMS.
  NameID Format	urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
  Assertion Signed	Checked


• Click on the Save button to save your configuration.

Step 3: Configure attributes in the plugin (This is a premium feature):

In WordPress:

• In the WordPress IDP plugin,navigate to the Attribute/Role Mapping tab.
• In the User Attributes section, enter the following information and click Save .
• Click on + sign to add attributes.

Name	User Meta Data
FirstName	first_name
LastName	last_name
NickName	nickname




In Canvas LMS:

• Navigate to Current Provider in Authentication section under the Admin tab. You will find
  Federated Attributes.
• Make sure to add the following information under Federated Attributes .
• Select the Attribute Name from the dropdown list and click on +Attribute
• If an attribute is marked as Provisioning Only, then it will only be used when Just In Time Provisioning creates a new user, and will not be kept up to date each time the user logs in.

Step 4: Testing SSO :

• You can find the Login link information under the Current Provider in the Authentication section, under the
  Admin tab.


• Construct the login url,
  eg: https://your_domain.com/login/saml/103
Construct the login url,
eg: https://your_domain.com/login/saml/103 https://your_domain.com/login/saml/103
• You would be redirected to the WordPress Login screen. Enter the Credentials and click Log in.

If you were able to log into Canvas LMS, then your configuration is correct.