CANVAS SSO CONFIGURATION

Setting Up Single Sign-On (SSO) for Canvas Using OIDC and Azure Entra ID

Single Sign-On (SSO) enhances security and user convenience by allowing users to access multiple applications with a single login. It reduces password fatigue, minimises security risks from weak credentials, and streamlines authentication management for IT teams. By centralising access control, SSO improves compliance, boosts productivity, and lowers IT support costs related to password resets.

This guide provides a step-by-step process to configure Single Sign-On (SSO) for the Canvas application using OpenID Connect (OIDC) with Azure Entra ID.

Prerequisites

  • An active Azure Entra (Azure AD) tenant.

  • Admin access to Azure Entra to register applications.

  • Access to the Canvas application to configure authentication settings.

  • Access to a 3rd party identity e.g. PingIdentity, Auth0 or Okta (another provider

Step 1: Register an Application in Azure Entra

  1. Sign in to Azure Portal:

    • Go to Azure Portal.

    • Navigate to Azure Entra ID.

  2. Register a new application:

    • Click on App registrations > New registration.

    • Enter a name (e.g., Canvas OIDC SSO).

    • Choose Accounts in this organisational directory only (or another option if required).

    • Under Redirect URI, select Web and enter the Canvas redirect URL depending on your region:

Canvas is currently available in the UK, Europe and Australia. Please contact our Information Services & Security team via your internal contact to receive the details for your region.

    • Click Register.

    • Save the Application (Client) ID and Directory (Tenant) ID.

Step 2: Configure Authentication

  1. Go to Authentication settings:

    • In the registered app, navigate to Authentication.

    • (Optional) Ensure that Access tokens and ID tokens are selected under Implicit grant and hybrid flows.

    • Click Save.

Step 3: Configure API Permissions

  1. Navigate to API permissions:

    • Click API permissions > Add a permission.

    • Select Microsoft Graph.

    • Choose Delegated permissions and add:

      • openid

      • profile

      • email

    • Click Add permissions.

  2. Grant admin consent:

    • Click Grant admin consent for [Your Organisation].

    • Confirm the changes.

Step 4: Configure Client Secret

  1. Navigate to Certificates & secrets:

    • Click New client secret.

    • Provide a description (e.g., Canvas Secret).

    • Set expiration (choose an appropriate duration).

    • Click Add.

  2. Save the generated Client Secret value securely.

Step 5: Client to Provide Us with the Information in Point 2 Below

  1. Access Canvas SSO settings:

    • Log in to the Canvas admin panel.

    • Navigate to Authentication settings.

  2. Enter OIDC provider details:

    • Issuer URL: https://login.microsoftonline.com/{TENANT_ID}/v2.0 (must match)

    • Client ID: Use the Application (Client) ID from Azure.

    • Client Secret: Enter the secret from Step 4.
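A pre-flight check for the Step 5 values, added here as an example and not part of Canvas or Azure: it compares the configured issuer URL with the issuer in the tenant's OIDC discovery document and with the iss, tid and aud claims of a decoded ID token. The function names and the tenant and client GUIDs are assumptions constructed for illustration.

```python
import re

GUID = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)

def expected_issuer(tenant_id: str) -> str:
    """Issuer URL in the format given in Step 5 of this guide."""
    return f"https://login.microsoftonline.com/{tenant_id}/v2.0"

def check_sso_values(tenant_id, issuer_url, client_id, discovery, claims):
    """Return a list of mismatches; an empty list means the values agree."""
    problems = []
    if not GUID.match(tenant_id):
        problems.append("tenant id is not a GUID")
    if not GUID.match(client_id):
        problems.append("client id is not a GUID")
    want = expected_issuer(tenant_id)
    # Issuer comparison is an exact string match: a trailing '.' or '/'
    # is enough to make it fail.
    if issuer_url != want:
        problems.append(f"configured issuer {issuer_url!r} != {want!r}")
    if discovery.get("issuer") != issuer_url:
        problems.append("discovery 'issuer' differs from configured issuer")
    if claims.get("iss") != issuer_url:
        problems.append("token 'iss' differs from configured issuer")
    if claims.get("tid") != tenant_id:
        problems.append("token 'tid' is not the registered tenant")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        problems.append("token 'aud' does not contain the client id")
    return problems

# Constructed sample values (not real tenant or application identifiers).
TENANT = "11111111-2222-3333-4444-555555555555"
CLIENT = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
DISCOVERY = {"issuer": expected_issuer(TENANT)}  # from the discovery document
CLAIMS = {"iss": expected_issuer(TENANT), "tid": TENANT, "aud": CLIENT}

if __name__ == "__main__":
    good = expected_issuer(TENANT)
    for issuer in (good, good + "."):  # second value has a stray trailing dot
        result = check_sso_values(TENANT, issuer, CLIENT, DISCOVERY, CLAIMS)
        print(issuer, "->", result or "OK")
```
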

Step 6: Test the SSO Configuration

  1. Open an incognito/private browser window.

  2. Navigate to the Canvas login page.

  3. Click on Sign in with Microsoft or the third-party provider.

  4. Authenticate using an account from the configured provider.

  5. Ensure successful login and redirection to Canvas.

Configure SSO with Third-Party Identity

Canvas has been successfully tested to work with third-party Access Identity Platforms: PingIdentity, Auth0, and Okta. We are able to support other providers; please contact our Information Services & Security team via your internal contact to discuss this further.

This guide was updated on Friday 28th February 2025