Discovery Page Login Errors

bliszewski

Greetings,

Since we support different authentication mechanisms for Canvas, we use a Discovery URL pointing to a page on our university's site to help people navigate to the appropriate place to log in. Linking to the different login URLs is simple enough, but one of the things that was missed in our initial implementation was login error handling. So now we're trying to add at least some indication if there was a problem and context to provide our support folks.

We know that on a login error, Canvas will redirect back to the discovery page with a `message` URL parameter containing a message about the error.

We can even find some of these possible messages from the Canvas login controllers, e.g. https://github.com/instructure/canvas-lms/blob/master/app/controllers/login/saml_controller.rb

However, our developers are, rightly, concerned about just writing any URL parameter message to the official LMS login page for fear that it could be abused to post official looking messages or direct people to malicious URLs.

While they are considering their own solutions, I just wanted to ask how others are handling the login errors that return to the Discovery URL, to ensure it is an actual message returned from Canvas?

1 Solution

Yep, that's pretty much what I was doing: putting a static Discovery Page URL into the URL field for a SAML IdP Discovery Service auth provider. If I used the Canvas login link for that SAML IdP Discovery auth provider, it just took me to that static Discovery Page.

It is just a static HTML page, with links to the specific Canvas auth provider URLs, so if Canvas is passing along extra information when it opens the discovery page, that pretty much just gets ignored. From the discovery page, click the appropriate link for the auth provider that you want, and it takes you to the Canvas auth provider URL, which directs you to that auth provider/SSO.

If there's a problem with the login credentials at the auth provider/SSO stage, the SSO window stays open with the error from the SSO. If they successfully log in through the SSO, but there's no matching account in Canvas, it throws up the "Canvas doesn't have an account for user XXX" pop-up, and gives them the link to try again.

Beyond that, I don't really have any problem situations to try, since we're not doing auto-provisioning, but doing it this way pretty much just gives the user a list of Canvas auth provider links to try.
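
For the concern raised in the question (writing an arbitrary `message` parameter onto the login page), here is one way a discovery page could show an error without echoing the parameter. This is an added example, not part of either post and not Canvas code. The message keys are constructed placeholders to be replaced with the exact strings your Canvas instance sends, and the `login-notice` element id and `LOGIN-nn` reference codes are assumptions.

```javascript
// Added example: allowlist handling of the `message` parameter on a static
// discovery page. The keys below are constructed placeholders; replace them
// with the exact strings your Canvas instance sends.
const KNOWN_MESSAGES = new Map([
  ["placeholder canvas message one", {
    code: "LOGIN-01",
    text: "We could not complete your sign-in. Please try again.",
  }],
  ["placeholder canvas message two", {
    code: "LOGIN-02",
    text: "Your sign-in worked, but no matching Canvas account was found.",
  }],
]);

const FALLBACK = {
  code: "LOGIN-00",
  text: "There was a problem signing in. Please try again or contact support.",
};

const MAX_LEN = 200; // anything longer is not treated as a Canvas message

// Returns null when no message parameter is present, otherwise a fixed
// { code, text } pair. The parameter value itself is never returned.
function resolveLoginNotice(search) {
  const raw = new URLSearchParams(search).get("message");
  if (raw === null) return null;
  if (raw.length > MAX_LEN) return FALLBACK;
  const key = raw.normalize("NFKC").trim().replace(/\s+/g, " ").toLowerCase();
  return KNOWN_MESSAGES.get(key) ?? FALLBACK;
}

// Browser wiring: textContent (not innerHTML) so nothing is parsed as markup.
function showLoginNotice(doc, search) {
  const notice = resolveLoginNotice(search);
  const box = doc.getElementById("login-notice"); // hypothetical element id
  if (!notice || !box) return false;
  box.textContent = `${notice.text} (Reference: ${notice.code})`;
  box.hidden = false;
  return true;
}

if (typeof document !== "undefined") {
  showLoginNotice(document, window.location.search);
}
```

The reference code gives support staff context for the failure, while the visible text always comes from the page's own table.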
