nav[aria-label="Primary Navigation"] { padding: 0; & ul { list-style: none; width: 100%; display: flex; flex-direction: row; justify-content: start; align-items: start; gap: 30px; padding: 0; & li { margin: 0; } & ul li { list-style: none; } } }

Child Item

Canvas Auth Provider Migration

Changing your Identity Provider (IdP) requires updating your Canvas authentication provider. Follow these steps and considerations to ensure a seamless migration.

Determine Migration Path

Are you changing authentication protocols?
- No: Skip to Option 1.
- Yes: Continue to next question.
Is your institution associating an authentication_provider_id in user imports for the authentication method being replaced?
- How to check if authentication_provider_id is populated:
  - Check Protocol Requirements: The field is optional for SAML, LDAP, and CAS. It is mandatory for OpenID Connect (OIDC) and Social Logins (e.g., Google, Microsoft, Clever).
  - Examine SIS Imports: Check your users.csv or logins.csv SIS import files for the presence of the authentication_provider_id column.
  - Run a Provisioning Report: Run the Canvas Provisioning Report (Users, Logins) and check the exported files for the authentication_provider_id.
- How to check if authentication_provider_id will be needed for the new method: Use the same protocol requirements from the check above: optional for SAML, LDAP, CAS; mandatory for OIDC and Social Logins.
Use your answer from Question 2 to determine the best migration path: Option 2 or Option 3.

Option 1: Update Existing Config (No Protocol Change)

About this option

Use this option only if you are NOT changing authentication protocols (e.g., SAML -> SAML).

Note: This is the least effort option, but requires a hard cut-over to the new SSO configuration, increasing risk.

Instructions

Get new SSO configuration values from your Identity Provider ( IdP).
In Canvas Beta (or Production, if Beta isn't possible):
- Find the Authentication Provider you wish to update.
- Save the old configuration in a separate file for easy reversion.
  1. Tip: Keep the old and new configuration tabs open to easily revert by clicking save on the old tab.
- Enter the new SSO configuration values into the existing Canvas Authentication Provider configuration.
Ensure the “Login Attribute” is correctly mapped to the existing user’s login_id in Canvas.
- Tip: Use the built-in Debugger tooling to check SSO values. Debugger only works on saved configs, so avoid using it in Production unless you are confident in your setup.
Save the new SSO Configuration.
Validate SSO by logging in with a browser that does not have an existing Canvas session.
- Tip: Existing user sessions are not invalidated. They can continue using Canvas. Only new logins will fail if misconfigured.
Revert to the old configuration if necessary.

Option 2: Change Protocols (No authentication_provider_id Associated)

About this option

Use this option if ALL statements are true:

Both the existing and new SSO protocols are CAS, LDAP, or SAML.
Existing logins are NOT explicitly associated with an authentication_provider_id matching the login method you are replacing.

Note: This allows testing the old and new configurations side-by-side in Production without updating user data.

Instructions

Get new SSO configuration values from your IdP.
In Canvas Beta (or Production, if Beta isn't possible):
- Create a new Authentication Provider with the desired protocol.
- Enter the new SSO configuration values.
- Ensure the “Login Attribute” is correctly mapped to the existing user’s login_id in Canvas.
  - Tip: Use the built-in Debugger tooling to check SSO values. Debugger only works on saved configs, so avoid using it in Production unless you are confident in your setup.
- Save the new SSO Configuration.
- Validate SSO by logging in with a browser that does not have an existing Canvas session.
  - Tip: Existing user sessions are not invalidated. New users will fail to log in if misconfigured.
  - Tip: Users should be able to log in using either the old or new SSO method if their login_ids are populated.
Phase out the old SSO method after validating the new configuration in Production (non-exhaustive list):
- Re-order the provider IDs to make the new configuration the default.
- Update direct login links on school websites or discovery pages.
- Remove the legacy SSO method app in your IdP and enable the new one.
  - Tip: This affects users utilizing the IdP application dashboard (e.g., Clever, ClassLink).
Once all users are on the new method and you no longer need a fallback, delete the old SSO method.

Option 3: Change Protocols (authentication_provider_id Associated)

About this option

Use this option if ANY statement is true:

Either the existing or new SSO protocol is OpenID Connect or a Social Login (e.g., Google, Microsoft, Clever).
Existing logins are explicitly associated with an authentication_provider_id matching the login method you are replacing.

Note: This allows testing the old and new configurations side-by-side in Production without needing to update users immediately.

Instructions

Get new SSO configuration values from your IdP.
In Canvas Beta (or Production, if Beta isn't possible):
- Create a new Authentication Provider with the desired protocol.
- Enter the new SSO configuration values.
- Ensure the “Login Attribute” is correctly mapped to the existing user’s login_id in Canvas.
  - Tip: Use the built-in Debugger tooling to check SSO values. Debugger only works on saved configs, so avoid using it in Production unless you are confident in your setup.
- Save the new SSO Configuration.
- Update user logins to be compatible with the new SSO method (ensure the correct authentication_provider_id is associated):
  - This must be done via SIS Imports or the API.
  - Tip: Export a Provisioning Report (Users & Logins) to identify users who need login updates.
  - Tip: To support parallel login methods, add additional logins to existing users via logins.csv.
  - Warning: SIS Imports process as a background job; if an incorrect file is imported, user access disruption will be variable.
  - Tip: Run a limited trial SIS Import before running the full file.
- Validate SSO by logging in with a new/updated user login in a browser that does not have an existing Canvas session.
  - Tip: Users with existing sessions can still access Canvas.
Phase out the old SSO method after validating the new configuration in Production (non-exhaustive list):
- Re-order the provider IDs to make the new configuration the default.
- Update direct login links on school websites or discovery pages.
- Remove the legacy SSO method app in your IdP and enable the new one.
  - Tip: This affects users utilizing the IdP application dashboard (e.g., Clever, ClassLink).
Once all users are on the new method and you no longer need a fallback, delete the old SSO method.

Help make the guides even better!

Have a suggestion, spot a typo, or notice something outdated? Sign in and let us know!

Child Item