Canvas LMS SSO with MojoAuth
Connect your Canvas LMS instance (Instructure) to MojoAuth using SAML 2.0. MojoAuth acts as the Identity Provider (IdP); Canvas acts as the Service Provider (SP). Once configured, users can sign in to Canvas with SP-initiated login (from the Canvas login page) or IdP-initiated login (from your MojoAuth-hosted login page or an app launcher).
How it works
Prerequisites
- A MojoAuth project (test or live) with admin access to Developers → Applications.
- Admin access to your Canvas account (root account admin, not just a sub-account or course admin — authentication configuration lives at the account level).
- Canvas SSO (SAML) is available on Canvas instances with SSO enabled by Instructure for your account; if you don't see Authentication under Admin settings, ask your Instructure CSM to enable it for your account.
- Decide up front which Canvas identifier will match the identity MojoAuth sends — Canvas matches incoming SAML assertions to a pseudonym (login) already provisioned in Canvas, typically by email or SIS ID. Canvas does not fully JIT-provision users from a bare SAML assertion, so the matching users must already exist (created manually, via SIS import, or via another provisioning flow) before you test SSO.
Canvas allows multiple authentication providers on one account and lets you keep Canvas-native login available alongside SAML. Don't delete or fully disable local/Canvas login until you've confirmed at least one admin account can sign in via MojoAuth — otherwise you risk locking yourself out.
Step 1 — Create the MojoAuth SAML connection
- In the MojoAuth dashboard, go to Developers → Applications → New Application → SAML 2.0 SSO.
- Enter a connection name (e.g.
Canvas LMS – Production) and click Create connection. This creates a draft connection and auto-issues a signing certificate. - Leave this tab open — you'll come back to copy the IdP metadata URL and, later, paste Canvas's SP details.
See SAML SSO Connections for the full concept walkthrough.
Step 2 — Configure Canvas
Open Authentication settings
Log in to Canvas as a root account admin, go to Admin, select your account, then click Authentication in the left navigation (some instances show this as Authentication Providers under account settings).
Add a SAML provider
Click Add Authentication Provider, choose SAML from the dropdown, and Canvas opens a new SAML configuration form.
Fill in the IdP fields Canvas asks for
| Canvas field | Value |
|---|---|
| IdP Entity ID | {BASE}/saml/{projectId}/sps/{spId}/metadata |
| Log On URL | {BASE}/saml/{projectId}/sps/{spId}/sso |
| Log Out URL | {BASE}/saml/{projectId}/sps/{spId}/slo |
| Certificate Fingerprint (or Certificate) | The SHA-1/SHA-256 fingerprint of MojoAuth's signing cert, or paste the full PEM using Copy PEM on the MojoAuth connection page |
| Identifier Format | emailAddress (or Unspecified if you're matching on SIS ID instead of email) |
| Login Attribute | The attribute Canvas reads to look up the user — typically NameID (mapped to email) |
If your Canvas instance's SAML form offers Load metadata from URL instead of individual fields, paste the IdP metadata URL directly:
{BASE}/saml/{projectId}/sps/{spId}/metadataCanvas fetches the metadata and pre-fills the entity ID, SSO URL, and certificate automatically — you'll still need to set Login Attribute and Identifier Format yourself.
Set the position (if you'll have more than one provider)
If Canvas login (or another IdP) is also configured, use the Position setting on the provider to
control which one users land on by default at /login/canvas vs /login/saml. Leave Canvas login
enabled during setup so you always have a fallback.
Save
Click Update Authentication (or Save) to persist the provider. Canvas assigns it an internal ID, visible in the URL of the provider's edit page — you'll need this ID for the ACS URL in the next step.
Step 3 — Give Canvas's SP details back to MojoAuth
Canvas generates its SP Entity ID and ACS URL from your institution's Canvas domain and the SAML provider's internal ID:
| Canvas SP field | Typical value |
|---|---|
| SP Entity ID | https://<school>.instructure.com/saml2 |
| ACS URL | https://<school>.instructure.com/login/saml/<id> |
Back on the MojoAuth SAML connection page:
- Choose Manual configuration (Canvas does not expose a public SP metadata endpoint you can
import from) and enter:
- SP Entity ID:
https://<school>.instructure.com/saml2 - ACS URL:
https://<school>.instructure.com/login/saml/<id>— use the numeric<id>from the authentication provider's edit page URL in Canvas (Step 2).
- SP Entity ID:
- Set NameID format to match what you chose as Canvas's Identifier Format —
emailAddressif Canvas will match on email, orunspecified/persistentif matching on a SIS-provided identifier. - Click Save.
Older Canvas instances (or those with multiple SAML providers configured over time) sometimes expose
the ACS URL as https://<school>.instructure.com/saml2 without the trailing /login/saml/<id> path.
Check the exact value shown on the authentication provider's edit page in Canvas rather than assuming
the format — Instructure has changed this path across Canvas versions.
Step 4 — Attribute / login attribute mapping
Canvas's SAML integration is deliberately minimal: it reads a single Login Attribute from the
assertion (usually the NameID) and matches it against an existing Canvas pseudonym (the
unique_id on a Canvas login). It does not consume a rich set of SAML attributes the way Workday or
Salesforce do.
| Canvas expects | MojoAuth saml_name | MojoAuth source | name_format |
|---|---|---|---|
Login Attribute (NameID, matched to unique_id) | — (subject/NameID) | email (or identifier if matching SIS ID) | — |
Optional: eduPersonPrincipalName | eduPersonPrincipalName | email or identifier | uri |
Configure on the MojoAuth connection's Attribute mappings section:
- If Canvas's Login Attribute is set to match email, set the connection's NameID format to
emailAddressand mapsource: emailso the subject itself carries the address Canvas looks up against each user'sunique_id. - If your Canvas logins use SIS IDs rather than email addresses as the
unique_id, mapsource: identifier(populated from your directory's SIS ID field) instead, and set NameID format tounspecified. - Canvas does not do full JIT user creation from SAML — the
unique_idin Canvas must already exist (created via the Canvas UI, SIS import/CSV, or the Canvas API) before a user can complete SSO login. Attribute mapping controls matching, not user creation.
Whatever value you map to the NameID/Login Attribute must exactly match an existing Canvas
pseudonym's unique_id — case and formatting differences (e.g. Jane.Doe@school.edu vs
jane.doe@school.edu) will cause a failed login even though the SAML assertion itself is valid.
Step 5 — Test
- From the MojoAuth connection page, use Test SSO to run an IdP-initiated login and confirm a valid signed assertion reaches Canvas's ACS URL.
- Trigger SP-initiated login directly at:
This routes to your configured SAML provider (or prompts you to choose one if multiple are active) and redirects to MojoAuth.
https://<school>.instructure.com/login/saml - Sign in with a test account whose
unique_id(email or SIS ID) matches an existing Canvas pseudonym. Success looks like: redirect back to Canvas, landing on the Canvas dashboard signed in as that user — no "user not found" or blank login screen. - Confirm logout: use Canvas's Logout and check that MojoAuth's SLO endpoint is invoked and the session ends cleanly on both sides.
Troubleshooting
"Certificate Fingerprint" mismatch / signature validation fails The fingerprint (or certificate) stored on the Canvas authentication provider doesn't match MojoAuth's current signing certificate. Re-copy the PEM or fingerprint from Copy PEM / Download .crt on the MojoAuth connection page (certificates rotate periodically) and update the Canvas provider, or re-run Load metadata from URL to refresh it automatically.
Login Attribute / unique_id mismatch ("no matching login found")
Canvas received a valid, signed assertion but couldn't find a Canvas pseudonym whose unique_id
matches the NameID/Login Attribute value it received. Confirm the connection's mapped source
(Step 4) sends exactly the identifier format Canvas expects (email vs SIS ID), including matching
case, and verify the target user already has a Canvas login with that exact unique_id.
"Redirect URI" / ACS URL mismatch
The ACS URL entered in MojoAuth doesn't exactly match the path Canvas generated for that specific
authentication provider (https://<school>.instructure.com/login/saml/<id>). Re-check the provider's
edit page in Canvas for the exact <id> and re-save it in MojoAuth's ACS URL field — this is a
common source of failures when multiple SAML providers exist on the same account.
User exists in Canvas but SSO still fails
Check that the user's login is on the correct pseudonym type — Canvas can have multiple logins per
user (e.g. one for SIS, one for Canvas-native), and SAML only matches against the one configured with
the Login Attribute you're sending. Look up the user in Admin → People, open their login details,
and confirm the unique_id there matches what MojoAuth sends.
Multiple authentication providers cause unexpected default login screen
If you've added SAML alongside Canvas login (or another IdP), the Position ordering on Canvas's
Authentication page determines what /login shows by default. Use /login/saml to target this
specific SAML provider directly, or reorder providers, rather than assuming SAML is the default.
Locked out of Canvas admin after enabling SAML
Canvas login typically remains available at /login/canvas even with SAML configured, unless it was
explicitly removed. If you're locked out, ask another root account admin to disable or reorder the
SAML provider from Admin → Authentication, or contact Instructure support — do not delete your
last working authentication provider without a tested fallback.