It’s not every day that a high-grade application suite pushes out an update that could potentially break part of certain existing systems that are already in place. Such has been the case with the popular software suite provided by Instructure: the Canvas LMS. Instructure will be pushing out an update on Saturday, June 4th, 2016 that will change the metadata/ACS URL for SAML SSO. If organizations do not make the required changes, they will be welcomed with an error screen whenever SSO to Canvas is attempted.
So, what is ‘Canvas LMS’ and ‘SAML’?
Canvas is a self-proclaimed, open Learning Management System (LMS) popular in various fields of education, beginning with K-12. On par with the likes of Elucian’s Blackboard, the Instructure’s Canvas LMSsees more consistent and dedicated use in both secondary and higher education especially, and boasts an application series targeting students, administrators and instructors alike.
We’ve written about the benefits of SAML before, and with the wide array of applications provide throughout the Canvas LMS, SAML and Shibboleth are two of the most popular methods of instituting Single Sign-on. Both SSO protocols are supported within the Canvas LMS and go a long way towards providing students, instructors, and administrators with simple, secure access without the hassles of password-related issues.
The Current Situation
Instructure has sent out an e-mail announcement, notifying administrators of the impending SAML metadata change. This announcement specifies that if the metadata present in an organization’s Identity Provider (IdP) is not up to date, error messages will occur when users attempt to login to the Canvas LMS after June 4th, and they will be unable to login.
Special mention was made regarding how this change will affect Shibboleth and ADFS configurations to the Canvas LMS, as well as any institutions using InCommon. If you are using InCommon, Instructure will be making necessary updates and your users will not experience a disruption. If your institution uses Shibboleth or ADFS configurations for the Canvas LMS, Instructure has recommended beginning the update process by going through the following documentation:
Shibboleth – https://community.canvaslms.com/docs/DOC-4093
What does this mean?
What this means for your organization is that you need to make necessary changes within your IdP over the course of the next week if you have not done so already. Failure to do so will result in increased error messages for your users, which will no doubt result in a large increase of incoming Help Desk calls to your local IT department. The documentation provided by Instructure is fairly in-depth and should provide you with everything that you need to know in order to keep access to the Canvas LMS running smoothly throughout this transition.
If you are using the PortalGuard IdP to provide SAML Single Sign-on to the Canvas LMS, you fall under yet another category in terms of preparing for this update. In order to keep access to the Canvas LMS running smoothly throughout your institution, you will need to update the SAML URL value pointing to the Canvas Assertion Consumer Service (ACS) from the PortalGuard Relying Party.
- Your current URL – https://<school>.instructure.com/saml_consume
- The New URL – https://<school>.instructure.com/login/saml
The following steps will guide you through making the necessary changes:
Step 1: Open the PortalGuard Configuration Editor
Step 2: Select the Canvas Relying Party, click Edit
Step 3: In the ‘General’ tab, adjust the ‘Assertion Consumer URL’ field to reflect the New URL: https://<school>.instructure.com/login/saml
Step 4: Save these changes.
Step 5: Open an elevated cmd prompt and run the ‘iisreset’ command.
That will update the process and your users will experience no interruptions when the change takes full effect on Saturday, June 4th, 2016. If you have any additional questions regarding how to make this change in PortalGuard, feel free to Contact Us.