Authentication Providers API

An AuthenticationProvider object looks like:

{
  // Valid for SAML providers.
  "identifier_format": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
  // Valid for all providers.
  "auth_type": "saml",
  // Valid for all providers.
  "id": 1649,
  // Valid for SAML providers.
  "log_out_url": "http://example.com/saml1/slo",
  // Valid for SAML and CAS providers.
  "log_in_url": "http://example.com/saml1/sli",
  // Valid for SAML providers.
  "certificate_fingerprint": "111222",
  // Valid for SAML providers.
  "requested_authn_context": null,
  // Valid for LDAP providers.
  "auth_host": "127.0.0.1",
  // Valid for LDAP providers.
  "auth_filter": "filter1",
  // Valid for LDAP providers.
  "auth_over_tls": null,
  // Valid for LDAP and CAS providers.
  "auth_base": null,
  // Valid for LDAP providers.
  "auth_username": "username1",
  // Valid for LDAP providers.
  "auth_port": null,
  // Valid for all providers.
  "position": 1,
  // Valid for SAML providers.
  "idp_entity_id": "http://example.com/saml1",
  // Valid for SAML providers.
  "login_attribute": "nameid",
  // Valid for SAML providers.
  "sig_alg": "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
  // Just In Time provisioning. Valid for all providers except Canvas (which has
  // the similar in concept self_registration setting).
  "jit_provisioning": null,
  "federated_attributes": null,
  // If multi-factor authentication is required when logging in with this
  // authentication provider. The account must not have MFA disabled.
  "mfa_required": null
}

A SSOSettings object looks like:

// Settings that are applicable across an account's authentication
// configuration, even if there are multiple individual providers
{
  // The label used for unique login identifiers.
  "login_handle_name": "Username",
  // The url to redirect users to for password resets. Leave blank for default
  // Canvas behavior
  "change_password_url": "https://example.com/reset_password",
  // If a discovery url is set, canvas will forward all users to that URL when
  // they need to be authenticated. That page will need to then help the user
  // figure out where they need to go to log in. If no discovery url is
  // configured, the first configuration will be used to attempt to authenticate
  // the user.
  "auth_discovery_url": "https://example.com/which_account",
  // If an unknown user url is set, Canvas will forward to that url when a service
  // authenticates a user, but that user does not exist in Canvas. The default
  // behavior is to present an error.
  "unknown_user_url": "https://example.com/register_for_canvas"
}

A FederatedAttributesConfig object looks like:

// A mapping of Canvas attribute names to attribute names that a provider may
// send, in order to update the value of these attributes when a user logs in.
// The values can be a FederatedAttributeConfig, or a raw string corresponding
// to the "attribute" property of a FederatedAttributeConfig. In responses, full
// FederatedAttributeConfig objects are returned if JIT provisioning is enabled,
// otherwise just the attribute names are returned.
{
  // A comma separated list of role names to grant to the user. Note that these
  // only apply at the root account level, and not sub-accounts. If the attribute
  // is not marked for provisioning only, the user will also be removed from any
  // other roles they currently hold that are not still specified by the IdP.
  "admin_roles": null,
  // The full display name of the user
  "display_name": null,
  // The user's e-mail address
  "email": null,
  // The first, or given, name of the user
  "given_name": null,
  // The secondary unique identifier for SIS purposes
  "integration_id": null,
  // The user's preferred locale/language
  "locale": null,
  // The full name of the user
  "name": null,
  // The unique SIS identifier
  "sis_user_id": null,
  // The full name of the user for sorting purposes
  "sortable_name": null,
  // The surname, or last name, of the user
  "surname": null,
  // The user's preferred time zone
  "timezone": null
}

A FederatedAttributeConfig object looks like:

// A single attribute name to be federated when a user logs in
{
  // The name of the attribute as it will be sent from the authentication provider
  "attribute": "mail",
  // If the attribute should be applied only when provisioning a new user, rather
  // than all logins
  "provisioning_only": false,
  // (only for email) If the email address is trusted and should be automatically
  // confirmed
  "autoconfirm": false
}

List authentication providers AuthenticationProvidersController#index

GET /api/v1/accounts/:account_id/authentication_providers

Scope: url:GET|/api/v1/accounts/:account_id/authentication_providers

Returns a paginated list of authentication providers

Example Request:

curl 'https://<canvas>/api/v1/accounts/<account_id>/authentication_providers' \
     -H 'Authorization: Bearer <token>'
Returns a list of AuthenticationProvider objects

Add authentication provider AuthenticationProvidersController#create

POST /api/v1/accounts/:account_id/authentication_providers

Scope: url:POST|/api/v1/accounts/:account_id/authentication_providers

Add external authentication provider(s) for the account. Services may be Apple, CAS, Facebook, GitHub, Google, LDAP, LinkedIn, Microsoft, OpenID Connect, SAML, or X.com.

Each authentication provider is specified as a set of parameters as described below. A provider specification must include an ‘auth_type’ parameter with a value of ‘apple’, ‘canvas’, ‘cas’, ‘clever’, ‘facebook’, ‘github’, ‘google’, ‘ldap’, ‘linkedin’, ‘microsoft’, ‘openid_connect’, ‘saml’, or ‘twitter’. The other recognized parameters depend on this auth_type; unrecognized parameters are discarded. Provider specifications not specifying a valid auth_type are ignored.

You can set the ‘position’ for any provider. The config in the 1st position is considered the default. You can set ‘jit_provisioning’ for any provider besides Canvas. You can set ‘mfa_required’ for any provider.

For Apple, the additional recognized parameters are:

  • client_id [Required]

    The developer’s client identifier, as provided by WWDR. Not available if configured globally for Canvas.

  • login_attribute [Optional]

    The attribute to use to look up the user’s login in Canvas. Either ‘sub’ (the default), or ‘email’

  • federated_attributes [Optional]

    See FederatedAttributesConfig. Valid provider attributes are ‘email’, ‘firstName’, ‘lastName’, and ‘sub’.

For Canvas, the additional recognized parameter is:

  • self_registration

    ‘all’, ‘none’, or ‘observer’ - who is allowed to register as a new user

For CAS, the additional recognized parameters are:

  • auth_base

    The CAS server’s URL.

  • log_in_url [Optional]

    An alternate SSO URL for logging into CAS. You probably should not set this.

For Clever, the additional recognized parameters are:

  • client_id [Required]

    The Clever application’s Client ID. Not available if configured globally for Canvas.

  • client_secret [Required]

    The Clever application’s Client Secret. Not available if configured globally for Canvas.

  • district_id [Optional]

    A district’s Clever ID. Leave this blank to let Clever handle the details with its District Picker. This is required for Clever Instant Login to work in a multi-tenant environment.

  • login_attribute [Optional]

    The attribute to use to look up the user’s login in Canvas. Either ‘id’ (the default), ‘sis_id’, ‘email’, ‘student_number’, or ‘teacher_number’. Note that some fields may not be populated for all users at Clever.

  • federated_attributes [Optional]

    See FederatedAttributesConfig. Valid provider attributes are ‘id’, ‘sis_id’, ‘email’, ‘student_number’, and ‘teacher_number’.

For Facebook, the additional recognized parameters are:

  • app_id [Required]

    The Facebook App ID. Not available if configured globally for Canvas.

  • app_secret [Required]

    The Facebook App Secret. Not available if configured globally for Canvas.

  • login_attribute [Optional]

    The attribute to use to look up the user’s login in Canvas. Either ‘id’ (the default), or ‘email’

  • federated_attributes [Optional]

    See FederatedAttributesConfig. Valid provider attributes are ‘email’, ‘first_name’, ‘id’, ‘last_name’, ‘locale’, and ‘name’.

For GitHub, the additional recognized parameters are:

  • domain [Optional]

    The domain of a GitHub Enterprise installation. I.e. github.mycompany.com. If not set, it will default to the public github.com.

  • client_id [Required]

    The GitHub application’s Client ID. Not available if configured globally for Canvas.

  • client_secret [Required]

    The GitHub application’s Client Secret. Not available if configured globally for Canvas.

  • login_attribute [Optional]

    The attribute to use to look up the user’s login in Canvas. Either ‘id’ (the default), or ‘login’

  • federated_attributes [Optional]

    See FederatedAttributesConfig. Valid provider attributes are ‘email’, ‘id’, ‘login’, and ‘name’.

For Google, the additional recognized parameters are:

  • client_id [Required]

    The Google application’s Client ID. Not available if configured globally for Canvas.

  • client_secret [Required]

    The Google application’s Client Secret. Not available if configured globally for Canvas.

  • hosted_domain [Optional]

    A Google Apps domain to restrict logins to. See developers.google.com/identity/protocols/OpenIDConnect?hl=en#hd-param

  • login_attribute [Optional]

    The attribute to use to look up the user’s login in Canvas. Either ‘sub’ (the default), or ‘email’

  • federated_attributes [Optional]

    See FederatedAttributesConfig. Valid provider attributes are ‘email’, ‘family_name’, ‘given_name’, ‘locale’, ‘name’, and ‘sub’.

For LDAP, the additional recognized parameters are:

  • auth_host

    The LDAP server’s URL.

  • auth_port [Optional, Integer]

    The LDAP server’s TCP port. (default: 389)

  • auth_over_tls [Optional]

    Whether to use TLS. Can be ‘simple_tls’, or ‘start_tls’. For backwards compatibility, booleans are also accepted, with true meaning simple_tls. If not provided, it will default to start_tls.

  • auth_base [Optional]

    A default treebase parameter for searches performed against the LDAP server.

  • auth_filter

    LDAP search filter. Use {{login}} as a placeholder for the username supplied by the user. For example: “(sAMAccountName={{login}})”.

  • identifier_format [Optional]

    The LDAP attribute to use to look up the Canvas login. Omit to use the username supplied by the user.

  • auth_username

    Username

  • auth_password

    Password

For LinkedIn, the additional recognized parameters are:

  • client_id [Required]

    The LinkedIn application’s Client ID. Not available if configured globally for Canvas.

  • client_secret [Required]

    The LinkedIn application’s Client Secret. Not available if configured globally for Canvas.

  • login_attribute [Optional]

    The attribute to use to look up the user’s login in Canvas. Either ‘id’ (the default), or ‘emailAddress’

  • federated_attributes [Optional]

    See FederatedAttributesConfig. Valid provider attributes are ‘emailAddress’, ‘firstName’, ‘id’, ‘formattedName’, and ‘lastName’.

For Microsoft, the additional recognized parameters are:

  • application_id [Required]

    The application’s ID.

  • application_secret [Required]

    The application’s Client Secret (Password)

  • tenant [Optional]

    See azure.microsoft.com/en-us/documentation/articles/active-directory-v2-protocols/ Valid values are ‘common’, ‘organizations’, ‘consumers’, or an Azure Active Directory Tenant (as either a UUID or domain, such as contoso.onmicrosoft.com). Defaults to ‘common’

  • login_attribute [Optional]

    See azure.microsoft.com/en-us/documentation/articles/active-directory-v2-tokens/#idtokens Valid values are ‘sub’, ‘email’, ‘oid’, or ‘preferred_username’. Note that email may not always be populated in the user’s profile at Microsoft. Oid will not be populated for personal Microsoft accounts. Defaults to ‘sub’

  • federated_attributes [Optional]

    See FederatedAttributesConfig. Valid provider attributes are ‘email’, ‘name’, ‘preferred_username’, ‘oid’, and ‘sub’.

For OpenID Connect, the additional recognized parameters are:

  • client_id [Required]

    The application’s Client ID.

  • client_secret [Required]

    The application’s Client Secret.

  • authorize_url [Required]

    The URL for getting starting the OAuth 2.0 web flow

  • token_url [Required]

    The URL for exchanging the OAuth 2.0 authorization code for an Access Token and ID Token

  • scope [Optional]

    Space separated additional scopes to request for the token. Note that you need not specify the ‘openid’ scope, or any scopes that can be automatically inferred by the rules defined at openid.net/specs/openid-connect-core-1_0.html#ScopeClaims

  • end_session_endpoint [Optional]

    URL to send the end user to after logging out of Canvas. See openid.net/specs/openid-connect-session-1_0.html#RPLogout

  • userinfo_endpoint [Optional]

    URL to request additional claims from. If the initial ID Token received from the provider cannot be used to satisfy the login_attribute and all federated_attributes, this endpoint will be queried for additional information.

  • login_attribute [Optional]

    The attribute of the ID Token to look up the user’s login in Canvas. Defaults to ‘sub’.

  • federated_attributes [Optional]

    See FederatedAttributesConfig. Any value is allowed for the provider attribute names, but standard claims are listed at openid.net/specs/openid-connect-core-1_0.html#StandardClaims

For SAML, the additional recognized parameters are:

  • metadata [Optional]

    An XML document to parse as SAML metadata, and automatically populate idp_entity_id, log_in_url, log_out_url, certificate_fingerprint, and identifier_format

  • metadata_uri [Optional]

    A URI to download the SAML metadata from, and automatically populate idp_entity_id, log_in_url, log_out_url, certificate_fingerprint, and identifier_format. This URI will also be saved, and the metadata periodically refreshed, automatically. If the metadata contains multiple entities, also supply idp_entity_id to distinguish which one you want (otherwise the only entity in the metadata will be inferred). If you provide the URI ‘urn:mace:incommon’ or ‘ukfederation.org.uk’, the InCommon or UK Access Management Federation metadata aggregate, respectively, will be used instead, and additional validation checks will happen (including validating that the metadata has been properly signed with the appropriate key).

  • idp_entity_id

    The SAML IdP’s entity ID

  • log_in_url

    The SAML service’s SSO target URL

  • log_out_url [Optional]

    The SAML service’s SLO target URL

  • certificate_fingerprint

    The SAML service’s certificate fingerprint.

  • identifier_format

    The SAML service’s identifier format. Must be one of:

    • urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress

    • urn:oasis:names:tc:SAML:2.0:nameid-format:entity

    • urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos

    • urn:oasis:names:tc:SAML:2.0:nameid-format:persistent

    • urn:oasis:names:tc:SAML:2.0:nameid-format:transient

    • urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified

    • urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName

    • urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName

  • requested_authn_context [Optional]

    The SAML AuthnContext

  • sig_alg [Optional]

    If set, AuthnRequest, LogoutRequest, and LogoutResponse messages are signed with the corresponding algorithm. Supported algorithms are:

    RSA-SHA1 and RSA-SHA256 are acceptable aliases.

  • federated_attributes [Optional]

    See FederatedAttributesConfig. Any value is allowed for the provider attribute names.

For X.com, the additional recognized parameters are:

  • consumer_key [Required]

    The X.com Consumer Key. Not available if configured globally for Canvas.

  • consumer_secret [Required]

    The X.com Consumer Secret. Not available if configured globally for Canvas.

  • login_attribute [Optional]

    The attribute to use to look up the user’s login in Canvas. Either ‘user_id’ (the default), or ‘screen_name’

  • parent_registration [Optional] - DEPRECATED 2017-11-03

    Accepts a boolean value, true designates the authentication service for use on parent registrations. Only one service can be selected at a time so if set to true all others will be set to false

  • federated_attributes [Optional]

    See FederatedAttributesConfig. Valid provider attributes are ‘name’, ‘screen_name’, ‘time_zone’, and ‘user_id’.

Example Request:

# Create LDAP config
curl 'https://<canvas>/api/v1/accounts/<account_id>/authentication_providers' \
     -F 'auth_type=ldap' \
     -F 'auth_host=ldap.mydomain.edu' \
     -F 'auth_filter=(sAMAccountName={{login}})' \
     -F 'auth_username=username' \
     -F 'auth_password=bestpasswordever' \
     -F 'position=1' \
     -H 'Authorization: Bearer <token>'

# Create SAML config
curl 'https://<canvas>/api/v1/accounts/<account_id>/authentication_providers' \
     -F 'auth_type=saml' \
     -F 'idp_entity_id=<idp_entity_id>' \
     -F 'log_in_url=<login_url>' \
     -F 'log_out_url=<logout_url>' \
     -F 'certificate_fingerprint=<fingerprint>' \
     -H 'Authorization: Bearer <token>'

# Create CAS config
curl 'https://<canvas>/api/v1/accounts/<account_id>/authentication_providers' \
     -F 'auth_type=cas' \
     -F 'auth_base=cas.mydomain.edu' \
     -F 'log_in_url=<login_url>' \
     -H 'Authorization: Bearer <token>'
Returns an AuthenticationProvider object

Update authentication provider AuthenticationProvidersController#update

PUT /api/v1/accounts/:account_id/authentication_providers/:id

Scope: url:PUT|/api/v1/accounts/:account_id/authentication_providers/:id

Update an authentication provider using the same options as the create endpoint. You can not update an existing provider to a new authentication type.

Example Request:

# update SAML config
curl -XPUT 'https://<canvas>/api/v1/accounts/<account_id>/authentication_providers/<id>' \
     -F 'idp_entity_id=<new_idp_entity_id>' \
     -F 'log_in_url=<new_url>' \
     -H 'Authorization: Bearer <token>'
Returns an AuthenticationProvider object

Get authentication provider AuthenticationProvidersController#show

GET /api/v1/accounts/:account_id/authentication_providers/:id

Scope: url:GET|/api/v1/accounts/:account_id/authentication_providers/:id

Get the specified authentication provider

Example Request:

curl 'https://<canvas>/api/v1/accounts/<account_id>/authentication_providers/<id>' \
     -H 'Authorization: Bearer <token>'
Returns an AuthenticationProvider object

Delete authentication provider AuthenticationProvidersController#destroy

DELETE /api/v1/accounts/:account_id/authentication_providers/:id

Scope: url:DELETE|/api/v1/accounts/:account_id/authentication_providers/:id

Delete the config

Example Request:

curl -XDELETE 'https://<canvas>/api/v1/accounts/<account_id>/authentication_providers/<id>' \
     -H 'Authorization: Bearer <token>'

show account auth settings AuthenticationProvidersController#show_sso_settings

GET /api/v1/accounts/:account_id/sso_settings

Scope: url:GET|/api/v1/accounts/:account_id/sso_settings

The way to get the current state of each account level setting that’s relevant to Single Sign On configuration

You can list the current state of each setting with “update_sso_settings”

Example Request:

curl -XGET 'https://<canvas>/api/v1/accounts/<account_id>/sso_settings' \
     -H 'Authorization: Bearer <token>'
Returns a SSOSettings object

update account auth settings AuthenticationProvidersController#update_sso_settings

PUT /api/v1/accounts/:account_id/sso_settings

Scope: url:PUT|/api/v1/accounts/:account_id/sso_settings

For various cases of mixed SSO configurations, you may need to set some configuration at the account level to handle the particulars of your setup.

This endpoint accepts a PUT request to set several possible account settings. All setting are optional on each request, any that are not provided at all are simply retained as is. Any that provide the key but a null-ish value (blank string, null, undefined) will be UN-set.

You can list the current state of each setting with “show_sso_settings”

Example Request:

curl -XPUT 'https://<canvas>/api/v1/accounts/<account_id>/sso_settings' \
     -F 'sso_settings[auth_discovery_url]=<new_url>' \
     -F 'sso_settings[change_password_url]=<new_url>' \
     -F 'sso_settings[login_handle_name]=<new_handle>' \
     -H 'Authorization: Bearer <token>'
Returns a SSOSettings object