Instructure Canvas LMS

Before You Begin

Introduction

This document describes how to configure Oracle Identity Cloud Service to provide Single Sign-On (SSO) for Instructure Canvas LMS using SAML.

About Instructure Canvas LMS

The Instructure Canvas LMS an easy-to-use, cloud-based Learning Management System (LMS) that connects all the digital tools and resources teachers use into one simple place. Instructure Canvas LMS integrates seamlessly with hundreds of apps, empowering teachers and students with countless tools to make teaching and learning easier.

After integrating Instructure Canvas LMS with Oracle Identity Cloud Service:

• Users can access Instructure Canvas LMS using their Oracle Identity Cloud Service login credentials.
• Users can start Instructure Canvas LMS using the Oracle Identity Cloud Service My Apps console.
• Admins can assign and revoke user access to the Instructure Canvas LMS app using the Oracle Identity Cloud Service administration console.

What Do You Need?

• An Oracle Identity Cloud Service account with authorization rights to manage apps and users (Identity Domain Administrator or Application Administrator).
• Ensure that the email ID of each user in Instructure Canvas LMS matches the primary email ID of the Oracle Identity Cloud Service account.

Configuring the Instructure Canvas LMS App in Oracle Identity Cloud Service

Use this section to register and activate the Instructure Canvas LMS app, and then assign users to the app.

Prerequisite Step

A domain name is required before you can register and activate the Instructure Canvas LMS app. You obtain that domain name from Instructure Canvas LMS.

The Instructure Canvas LMS domain name appears in the Instructure Canvas LMS home URL: https://<Domain_Name>.instructure.com/login/canvas.

Registering and Activating the Instructure Canvas LMS App

1. Access the Oracle Identity Cloud Service administration console, select Applications, and then click Add.

2. Click App Catalog.

3. Search for Instructure Canvas LMS, click Add, and then click Next.

4. In the App Details section, enter your Instructure Canvas LMS Domain Name, and then click Next.

   Note: This is the domain name that you obtained in the "Prerequisite Step" section.

5. Click Download Signing Certificate. Instructure Canvas LMS requires SHA-1 fingerprints of the signing certificate. However, certificate downloaded from IDCS does not have fingerprints.

6. Use Linux/Unix fold -w 64 -s Certificate_filename.pem > Folded-Cert_filename.pem command to insert line break after column 64.

7. Use Linux/Unix openssl command: openssl x509 -noout -fingerprint -sha1 -inform pem -in Folded-Cert_filename.pem command to generate SHA-1 fingerprints.

   Tip: Copy the fingerprint and save it in any .txt file. Use this file later during the Instructure Canvas LMS configuration in the "Configuring SSO for Instructure Canvas LMS" section.

8. Click Download Identity Provider Metadata.

   Tip: Use this file later during the Instructure Canvas LMS configuration in the "Configuring SSO for Instructure Canvas LMS" section.

9. Click Finish. Oracle Identity Cloud Service displays a confirmation message.

10. Click Activate, and then click Activate Application. Oracle Identity Cloud Service displays a confirmation message.

Assigning Users to the Instructure Canvas LMS App

1. On the Instructure Canvas LMS app page in Oracle Identity Cloud Service, select Users, and then click Assign. The Assign Users window appears.

2. Select users that you need to assign to Instructure Canvas LMS, and then click OK. Oracle Identity Cloud Service displays a confirmation message stating that the Instructure Canvas LMS app is assigned to the users that you selected.

Configuring SSO for Instructure Canvas LMS

1. Access Instructure Canvas LMS as an administrator using the URL: https://<Domain_Name>.instructure.com/login/canvas. The Instructure Canvas LMS home page appears.

2. Click Admin, select the domain name, and then click Authentication.

3. In Add an identity provider to this account: field, select SAML from the drop-down list.

4. In the Current Provider section, use the table to update attributes, and then click Save.

   This table lists the mandatory federated authentication attributes that you must set to complete the SSO configuration.

   Attribute	Settings
   IdP Entity ID	Enter the Entity ID/Issuer URL. Use the metadata file that you downloaded earlier to obtain the Entity ID/Issuer URL. See the "Registering and Activating the Instructure Canvas LMS" section.
   Log on URL	Enter the Log on URL: https://<IDCS-Service-Instance>.identity.oraclecloud.com/fed/v1/idp/sso.
   Log out URL	Enter the Log out URL: https://<IDCS-Service-Instance>.identity.oraclecloud.com/fed/v1/idp/slo.
   Certificate Fingerprint	Copy the fingerprint contents from the .txt file that you created while performing the steps in the "Registering and Activating the Instructure Canvas LMS App" section, and then paste into the Certificate Fingerprint box.
   Position	Select 1 from the drop-down list. You may change the value for position field to change preference for respective authentication service.

Verifying the Integration

Use this section to verify that SSO/SLO works when initiated from Oracle Identity Cloud Service (IdP initiated SSO/SLO) or from Instructure Canvas LMS (SP initiated SSO/SLO).

Verifying Identity Provider Initiated SSO from Oracle Identity Cloud Service

1. Access the Oracle Identity Cloud Service My Profile console using the URL: https://<IDCS-Service-Instance>.identity.oraclecloud.com/ui/v1/myconsole.

2. Log in using credentials for a user that is assigned to the Instructure Canvas LMS app. Oracle Identity Cloud Service displays a shortcut to Instructure Canvas LMS under My Apps.

3. Click Instructure Canvas LMS. The Instructure Canvas LMS home page appears.

4. Confirm that the user that is logged in is the same for both Instructure Canvas LMS and Oracle Identity Cloud Service.

   This confirms that SSO that is initiated from Oracle Identity Cloud Service works.

Verifying Service Provider Initiated SSO from Instructure Canvas LMS

1. Access Instructure Canvas LMS using the URL: https://<Domain_Name>.instructure.com/login.

2. Log in using credentials for a user that is assigned to the Instructure Canvas LMS app. The Instructure Canvas LMS home page appears.

3. Confirm that the user that is logged in is the same for both Instructure Canvas LMS and Oracle Identity Cloud Service.

   This confirms that SSO that is initiated from Instructure Canvas LMS works.

Verifying Single Log-Out (SLO) from Oracle Identity Cloud Service

1. Access Instructure Canvas LMS from the Oracle Identity Cloud Service My Profile console using the URL: https://<IDCS-Service-Instance>.identity.oraclecloud.com/ui/v1/myconsole.

2. In the upper-right corner of Oracle Identity Cloud Service, click the user drop-down list, and then click Sign Out. The Oracle Identity Cloud Service My Profile console login page appears.

3. Confirm that the user is logged out of the Instructure Canvas LMS app.

   This confirms that SLO that is initiated from Oracle Identity Cloud Service works.

   Note: The user is logged out of both Oracle Identity Cloud Service and the Instructure Canvas LMS app when log out is initiated from Oracle Identity Cloud Service.

Verifying Single Log-Out (SLO) from Instructure Canvas LMS

1. Access Instructure Canvas LMS from the Oracle Identity Cloud Service My Profile console using the URL: https://<IDCS-Service-Instance>.identity.oraclecloud.com/ui/v1/myconsole. The Instructure Canvas LMS home page appears.

2. Log-out from the Instructure Canvas LMS.

3. Confirm that the user is logged out of the Oracle Identity Cloud Service My Profile console login page.

   This confirms that SLO that is initiated from Instructure Canvas LMS works.

   Note: The user is logged out of both Oracle Identity Cloud Service and the Instructure Canvas LMS app when log out is initiated from Instructure Canvas LMS app.

Troubleshooting

Use this section to locate solutions to common integration issues.

Known Issues

Instructure Canvas LMS displays the message, "Canvas doesn't have an account for user: < email ID >."

Cause: The email attribute sent by Oracle Identity Cloud Service during SSO doesn't match any existing user in Instructure Canvas LMS.

Solution: Ensure that the user that you assign to the Instructure Canvas LMS app has an account in both Oracle Identity Cloud Service and Instructure Canvas LMS with the same email address.

Oracle Identity Cloud Service displays the message, “You are not authorized to access the app. Contact your system administrator." or “There is a problem with your account. Please contact Support."

Cause: The SAML 2.0 integration between the Oracle Identity Cloud Service Instructure Canvas LMS app and Instructure Canvas LMS is deactivated.

Solution:

• Access the Oracle Identity Cloud Service administration console, select Applications, and then select Instructure Canvas LMS.
• In the App Details section, click Activate, and then click Activate Application. Oracle Identity Cloud Service displays a confirmation message.

Oracle Identity Cloud Service displays the message, “You are not authorized to access the app. Contact your system administrator."

Cause: The administrator revokes access for the user at the same time that the user tries to access the Instructure Canvas LMS app using Oracle Identity Cloud Service.

Solution:

• Access the Oracle Identity Cloud Service administration console, select Applications, and then select Instructure Canvas LMS.
• In the App Details section, select Users, and then click Assign to re-assign the user.

Unknown Issues

For unknown issues, contact Oracle Support:

1. Go to https://support.oracle.com.

2. Select Cloud Support, and then sign in with your support credentials.

3. In the Cloud Dashboard, confirm that there are no planned outages in Oracle Identity Cloud Service, and then click Create Service Request.

4. Select Oracle Identity Cloud Service as the service type.

5. Complete your service request.