Assistance Required with SAML Authentication Issue

StefanNorinder
Community Explorer

This is the third time trying to post this question. It gets marked as spam. This time I don't add as much log information, because it's probably this that draws the spam marker's attention.

We are encountering an issue configuring Canvas as a service provider for an IdP. Despite successful authentication from the IdP, Canvas is not processing the SAML response correctly, leading to authentication failures. 

Issue Description:

- Successful authentication response from the IdP, as indicated in the attached SAML trace logs.

- Canvas fails to process this response, resulting in authentication failure.

Here is the first relevant log from SAML-tracer, which is the response from the IdP indicating success:

POST https://xxx/acs/post

urn:oasis:names:tc:SAML:2.0:status:Success

And here is the next request in the SAML trace saying authentication failed.

POST https://studiewebben.instructure.com/login/saml

Authentication failed. Error id

Here is output from the debugging session inside Canvas, also indicating that authentication failed:

Testing state:

Mottog LoginResponse från IdP
AuthnRequest sent to IdP
Request ID: _c3a87a1f-6455-4287-a48a-xxx
LoginRequest encoded URL: https://xxx/SunetIDP/sso/redirect?SAMLRequest=xxx
LoginRequest XML sent to IdP: Removed logs
AuthnResponse from IdP
IdP InResponseTo: _c3a87a1f-6455-4287-a48a-df42b49c23e8
IdP LoginResponse destination: https://xxx.instructure.com/login/saml
Validation error: response is not successful
Removed logs
urn:oasis:names:tc:SAML:2.0:status:AuthnFailed
Removed logs
Authentication failed. Error
Removed logs
User successfully logged into Canvas: false
IdP LoginResponse encoded: Pxxx
IdP LoginResponse encrypted: Removed logs
Authentication failed. Error
Removed logs
IdP LoginResponse Decrypted: Removed logs
Authentication failed. Error
Removed logs

Here is our SAML configuration from Canvas.

SAML Configuration:

IdP Metadata URI: https://xxx/md/swamid-idp.xml

IdP Entity ID: https://xxx/yyy

Log on URL: https://xxxx/yyyIDP/sso/redirect

Log out URL: (Not specified in the provided data)

Certificate Fingerprint: Removed logs

Strip Domain From Login Attribute Value: (Checkbox present, but state not specified in the provided data)

Identifier Format: urn:oasis:names:tc:SAML:2.0:nameid-format:transient

Authentication Context: (No value selected)

Message Signing: (Not Signed - Default option selected)

Just-in-time Provisioning: Enabled (Checkbox checked)

Federated Attributes:

display_name: urn:oid:2.16.840.1.113730.3.1.241

surname: urn:oid:2.5.4.4

email: urn:oid:0.9.2342.19200300.100.1.3

sis_user_id: urn:oid:1.3.6.1.4.1.5923.1.1.1.6

given_name: urn:oid:2.5.4.42

Could you please assist us in understanding why Canvas is failing to process a successful SAML response?

  • Is there a specific attribute or configuration setting in Canvas that might be causing this issue?
  • Can you help identify why Canvas is unable to successfully process the successful SAML response from the IdP?
  • Are there known issues or additional settings in Canvas that we should check when integrating with an IdP? Maybe there's a general setting "approve external IdPs" or something?

Your insights on this matter would be greatly appreciated. Thank you for your assistance.
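As an added illustration (not from this post, from Canvas or from the IdP): the trace above records responses to two different ACS URLs, and the Canvas debug output shows the status code that Canvas actually saw. The Python script below decodes each SAMLResponse in a trace and reports its Destination, InResponseTo and the full StatusCode chain, so the response addressed to the SP being debugged can be told apart from the others. AuthnFailed is a second-level code nested under a top-level code such as Responder, so the chain is read as a whole. All URLs and request ids are placeholders, and the trace is constructed test data.

```python
# Added example (not from the post, Canvas or the IdP): inspect each SAMLResponse in a trace.
import base64
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
RESPONDER = "urn:oasis:names:tc:SAML:2.0:status:Responder"
AUTHN_FAILED = "urn:oasis:names:tc:SAML:2.0:status:AuthnFailed"

def status_chain(root):
    """Top-level StatusCode followed by any nested second-level codes."""
    chain, node = [], root.find("samlp:Status/samlp:StatusCode", NS)
    while node is not None:
        chain.append(node.get("Value"))
        node = node.find("samlp:StatusCode", NS)
    return chain

def inspect_response(saml_response_b64, expected_acs, expected_request_id):
    """The checks an SP makes on a Response before it looks at any assertion."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    chain = status_chain(root)
    msg = root.find("samlp:Status/samlp:StatusMessage", NS)
    return {
        "destination": root.get("Destination"),
        "for_this_sp": root.get("Destination") == expected_acs,
        "in_response_to_matches": root.get("InResponseTo") == expected_request_id,
        "status": chain,
        "successful": chain[:1] == [SUCCESS],
        "status_message": None if msg is None else msg.text,
    }

def make_response(destination, in_response_to, codes, message=None):
    """Minimal unsigned Response used as constructed test data, not a real IdP message."""
    status = "".join(f'<samlp:StatusCode Value="{c}">' for c in codes)
    status += "</samlp:StatusCode>" * len(codes)
    if message:
        status += f"<samlp:StatusMessage>{message}</samlp:StatusMessage>"
    xml = (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" ID="_r" Version="2.0" '
           f'Destination="{destination}" InResponseTo="{in_response_to}">'
           f"<samlp:Status>{status}</samlp:Status></samlp:Response>")
    return base64.b64encode(xml.encode()).decode()

# Constructed trace with placeholder URLs and ids: a Success response addressed
# to some other ACS, then a failure addressed to the SP's own ACS.
SP_ACS, REQUEST_ID = "https://sp.example.test/login/saml", "_req-0001"
TRACE = [
    make_response("https://other.example.test/acs/post", "_req-9999", [SUCCESS]),
    make_response(SP_ACS, REQUEST_ID, [RESPONDER, AUTHN_FAILED], "Authentication failed"),
]
```

Run `inspect_response(r, SP_ACS, REQUEST_ID)` over each entry of TRACE: only the report with for_this_sp set to True is the one the SP decides the login on, and its status chain, not the Success seen on a different ACS, explains a "response is not successful" error.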

1 Solution

Thanks for your reply. The problem was actually with the IdP, even though it looked like all was well on that side. Thanks again.
