Assistance Required with SAML Authentication Issue
This is the third time trying to post this question. It gets marked as spam. This time I am not adding as much log information, because that is probably what draws the spam marker's attention.
We are encountering an issue configuring Canvas as a service provider for an IdP. Despite successful authentication from the IdP, Canvas is not processing the SAML response correctly, leading to authentication failures.
Issue Description:
- Successful authentication response from the IdP, as indicated in the attached SAML trace logs.
- Canvas fails to process this response, resulting in authentication failure.
Here is the first relevant log from SAML-tracer which is the response from the IdP indicating success:
POST https://xxx/acs/post
urn:oasis:names:tc:SAML:2.0:status:Success
And here is the next request in the SAML trace saying authentication failed.
POST https://studiewebben.instructure.com/login/saml
Authentication failed. Error id
Here is from the debugging session inside of Canvas also indicating authentication failed
Testing state:
Mottog LoginResponse från IdP
AuthnRequest sent to IdP
Request ID:
_c3a87a1f-6455-4287-a48a-xxx
LoginRequest encoded URL:
https://xxx/SunetIDP/sso/redirect?SAMLRequest=xxx
LoginRequest XML sent to IdP:
Removed logs
AuthnResponse from IdP
IdP InResponseTo:
_c3a87a1f-6455-4287-a48a-df42b49c23e8
IdP LoginResponse destination:
https://xxx.instructure.com/login/saml
Validation error:
response is not successful
Removed logs
urn:oasis:names:tc:SAML:2.0:status:AuthnFailed
Removed logs
Authentication failed. Error
Removed logs
User successfully logged into Canvas:
false
IdP LoginResponse encoded:
Pxxx
IdP LoginResponse encrypted:
Removed logs
Authentication failed. Error
Removed logs
IdP LoginResponse Decrypted:
Removed logs
Authentication failed. Error
Removed logs
Here is our SAML configuration from Canvas
SAML Configuration:
IdP Metadata URI: https://xxx/md/swamid-idp.xml
IdP Entity ID: https://xxx/yyy
Log on URL: https://xxxx/yyyIDP/sso/redirect
Log out URL: (Not specified in the provided data)
Certificate Fingerprint: Removed logs
Strip Domain From Login Attribute Value: (Checkbox present, but state not specified in the provided data)
Identifier Format: urn:oasis:names:tc:SAML:2.0:nameid-format:transient
Authentication Context: (No value selected)
Message Signing: (Not Signed - Default option selected)
Just-in-time Provisioning: Enabled (Checkbox checked)
Federated Attributes:
display_name: urn:oid:2.16.840.1.113730.3.1.241
surname: urn:oid:2.5.4.4
email: urn:oid:0.9.2342.19200300.100.1.3
sis_user_id: urn:oid:1.3.6.1.4.1.5923.1.1.1.6
given_name: urn:oid:2.5.4.42
Could you please assist us in understanding why Canvas is failing to process a successful SAML response?
- Is there a specific attribute or configuration setting in Canvas that might be causing this issue?
- Can you help identify why Canvas is unable to successfully process the successful SAML response from the IdP?
- Are there known issues or additional settings in Canvas that we should check when integrating with an IdP? Maybe there's a general setting "approve external IdPs" or something?
Your insights on this matter would be greatly appreciated. Thank you for your assistance.
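The trace above shows the pattern an SP sees in this situation: the top-level StatusCode the IdP returns is not Success, and the failure detail sits in a nested StatusCode (here AuthnFailed). The following script is an added example, not part of the original post or of Canvas itself; it performs the same checks Canvas's debug output lists (top-level status, nested status, InResponseTo against the AuthnRequest ID, Destination against the SP's ACS URL) on a base64-decoded SAMLResponse. The two response documents, the request ID and the sp.example.edu / idp.example.edu URLs are constructed sample values, and `triage_response`, `decode_post_binding` and `report_findings` are names chosen here.

```python
"""Triage a SAML 2.0 Response the way a service provider does before it
trusts it: top-level StatusCode, nested StatusCode on failure,
InResponseTo and Destination matching, and presence of an assertion.
Added example; the sample responses below are constructed, not real traces."""
import base64
# For real, untrusted traces parse with defusedxml.ElementTree instead.
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"


def decode_post_binding(saml_response_field):
    """HTTP-POST binding: the SAMLResponse form field is base64 of the raw XML."""
    return base64.b64decode(saml_response_field).decode("utf-8")


def triage_response(xml_text, expected_request_id=None, expected_destination=None):
    """Return a dict describing the response and a list of findings (empty = clean)."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("not a samlp:Response element: " + root.tag)

    status = root.find("samlp:Status", NS)
    top = status.find("samlp:StatusCode", NS)
    # SAML nests the specific reason (e.g. AuthnFailed) under a generic
    # top-level code such as Responder; SPs only accept Success at the top.
    nested = top.find("samlp:StatusCode", NS)
    message = status.find("samlp:StatusMessage", NS)

    report = {
        "success": top.get("Value") == SUCCESS,
        "top_code": top.get("Value"),
        "nested_code": nested.get("Value") if nested is not None else None,
        "status_message": message.text if message is not None else None,
        "in_response_to": root.get("InResponseTo"),
        "destination": root.get("Destination"),
        "assertions": len(root.findall("saml:Assertion", NS))
        + len(root.findall("saml:EncryptedAssertion", NS)),
        "findings": [],
    }
    findings = report["findings"]
    if not report["success"]:
        findings.append("IdP reported %s (nested: %s)"
                        % (report["top_code"], report["nested_code"]))
    if expected_request_id and report["in_response_to"] != expected_request_id:
        findings.append("InResponseTo %r does not match AuthnRequest ID %r"
                        % (report["in_response_to"], expected_request_id))
    if expected_destination and report["destination"] != expected_destination:
        findings.append("Destination %r is not this SP's ACS %r"
                        % (report["destination"], expected_destination))
    if report["success"] and report["assertions"] == 0:
        findings.append("Success status but no Assertion or EncryptedAssertion")
    return report


def report_findings(report):
    """Human-readable summary for a helpdesk ticket."""
    if not report["findings"]:
        return "OK: successful response with %d assertion(s)" % report["assertions"]
    return "FAILED: " + "; ".join(report["findings"])


# Constructed sample: what the SP saw in the post (generic Responder code
# wrapping AuthnFailed). The request ID and URLs are placeholders.
FAILED_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="_resp1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"
    InResponseTo="_c3a87a1f-EXAMPLE" Destination="https://sp.example.edu/login/saml">
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder">
      <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:AuthnFailed"/>
    </samlp:StatusCode>
    <samlp:StatusMessage>Authentication failed at the IdP</samlp:StatusMessage>
  </samlp:Status>
</samlp:Response>"""

# Constructed sample of a response the SP would accept.
SUCCESS_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_resp2" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"
    InResponseTo="_c3a87a1f-EXAMPLE" Destination="https://sp.example.edu/login/saml">
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://idp.example.edu/idp</saml:Issuer>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    for doc in (FAILED_RESPONSE, SUCCESS_RESPONSE):
        r = triage_response(doc, "_c3a87a1f-EXAMPLE", "https://sp.example.edu/login/saml")
        print(report_findings(r))
```

Run against a real trace, paste the SAMLResponse form value into `decode_post_binding` and pass the Request ID and the Canvas ACS URL from the debug session as the expected values; a non-empty findings list points at the side (IdP status vs. SP request matching) that needs attention.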
Thanks for your reply. The problem was actually with the IdP, even though it looked like all was well on that side. Thanks again.