How to Implement Single Sign-On with Canvas
What is SSO?
SSO - or single sign-on - is a method of allowing users to sign into different applications or websites using one set of credentials. With Canvas SSO, users can sign into an external app using their Canvas username and password. The app can then create an account for the user if this is their first time signing in or match the user with an existing account.
Canvas supports two different SSO methods that apps can use to sign Canvas users in to their platform: SSO through the Canvas API and SSO through the LTI® specification.
Why Would Your Application Implement Canvas SSO?
By implementing Canvas SSO, you allow admins at the schools you work with to manage accounts and passwords through Canvas rather than your platform. This means you don't have to build or manage a database containing sensitive passwords. Since tech admins are responsible for managing Canvas passwords, you won't receive as many support tickets from teachers and students who are having trouble figuring out how to sign in.
By building SSO solutions into your platform, you'll also be able to do further integrations like syncing courses and performing grade passback. These functions let your app act on behalf of authenticated users. Many schools that use Canvas are interested in vendors that can provide these functions as a way to better integrate third-party content into the LMS. In fact, LMS integration is commonly requested in RFPs that are sent out to edtech vendors.
Canvas SSO Through API Integration
The first way that Canvas facilitates SSO integration is through the Canvas API. With this style of integration, users can start on your website or mobile app and click a "Sign In With Canvas" button. Canvas will then prompt the user for their username and password (if they are not already logged into Canvas). Your app itself never sees the password the user entered.
After the user has signed into Canvas, they are redirected back to your website with a code that corresponds to their account. Using this code, your website or app can ask Canvas for more details about the user, such as their personal information, their course enrollments, or their homework assignments.
Note that Canvas requires users to log into the Canvas environment specific to their school. Your "Sign In with Canvas" button must direct the user to sign in at their school's custom Canvas domain.
For example, the Edlink platform lets Canvas admins connect their LMS to Edlink. Users logging in through Edlink can then select their school during the sign-on flow and get automatically directed to the domain that hosts their school's Canvas environment, as shown below.
The user searches for their school in Edlink. This specific school uses Canvas.
The user is then directed to the domain that hosts their school's Canvas instance to sign in.
Doing an SSO integration through the Canvas API is also the first step to developing deeper integrations. Once a user is authenticated by Canvas, an app then has the ability to perform functions in Canvas on behalf of a user, like gathering a list of their courses or sending grades back to their gradebook in the LMS.
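The redirect flow described in this section, sketched as an added example (not Edlink's or Canvas's own code). It builds the sign-in URL on the school's own Canvas domain and validates the redirect back before the code is exchanged. The host allowlist, client ID, redirect URI and function names are constructed placeholders; `/login/oauth2/auth` and `/login/oauth2/token` are Canvas's OAuth2 endpoints.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode

# Constructed sample values; a real app loads these from its own configuration.
ALLOWED_CANVAS_HOSTS = {"springfield.instructure.com", "canvas.shelbyville.example"}
CLIENT_ID = "PLACEHOLDER_CLIENT_ID"
REDIRECT_URI = "https://app.example/canvas/callback"
STATE_KEY = secrets.token_bytes(32)  # server-side secret, never sent to the browser


def _sign(session_id: str, host: str, nonce: str) -> str:
    msg = f"{session_id}|{host}|{nonce}".encode()
    return hmac.new(STATE_KEY, msg, hashlib.sha256).hexdigest()


def build_login_url(session_id: str, host: str) -> str:
    """Authorization URL on the school's own Canvas domain."""
    if host not in ALLOWED_CANVAS_HOSTS:
        raise ValueError("school is not connected to a known Canvas domain")
    nonce = secrets.token_urlsafe(16)
    # The state binds this sign-in attempt to the browser session and the host.
    state = f"{host}:{nonce}:{_sign(session_id, host, nonce)}"
    query = urlencode({"client_id": CLIENT_ID, "response_type": "code",
                       "redirect_uri": REDIRECT_URI, "state": state})
    return f"https://{host}/login/oauth2/auth?{query}"


def handle_callback(session_id: str, query_string: str) -> tuple[str, dict]:
    """Validate the redirect and return (token URL, form fields) for the
    server-to-server exchange of the code. Raises ValueError if invalid."""
    params = {k: v[0] for k, v in parse_qs(query_string).items()}
    if "code" not in params or "state" not in params:
        raise ValueError("sign-in was not completed")
    try:
        host, nonce, sig = params["state"].rsplit(":", 2)
    except ValueError:
        raise ValueError("malformed state") from None
    expected = _sign(session_id, host, nonce)
    if host not in ALLOWED_CANVAS_HOSTS or not hmac.compare_digest(
            sig.encode(), expected.encode()):
        raise ValueError("state does not match this browser session")
    form = {"grant_type": "authorization_code", "client_id": CLIENT_ID,
            "redirect_uri": REDIRECT_URI, "code": params["code"]}
    # The client secret is added server-side when the POST is sent.
    return f"https://{host}/login/oauth2/token", form
```

Because the host travels inside the signed state, the code is only ever sent to the Canvas domain the user was originally directed to.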
Canvas SSO Through LTI
Canvas supports LTI 1.3 and the LTI Advantage services. LTI apps are designed to be accessed within a course in the LMS. LTI apps must be configured by a teacher or administrator so that students in the course can access the app. Students and teachers can then launch into the application by selecting the tool from their course in Canvas. The process of launching the tool will let the app verify the user's identity and grant the user access.
Example: LTI configuration menu in Canvas.
Example: LTI app launching in Canvas.
Note that the sign-in is always initiated from the LMS (i.e., students won't visit your website or mobile app to access the resource). After the LTI launch, the developer receives a set of URLs that can be used to perform further integrated functions, like grade syncing.
What are the challenges of SSO?
There are some issues that app developers may encounter when trying to integrate an SSO solution into their platform.
For example, many apps try to identify users who sign in through Canvas by their email address. Doing this can lead to unforeseen problems and leave users vulnerable.
We also see many developers try to assign a universal role to students, teachers, and administrators in their app based on their role in the LMS. Many LMSs, including Canvas, allow users to have multiple roles depending on the context.
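One way to avoid both pitfalls above, as an added example (not Edlink's or Canvas's own code): accounts are keyed on the Canvas domain plus the user's ID on that domain rather than on email, and roles are stored per course instead of as one universal role. The class names and the simplified `profile` and `enrollments` record shapes are assumptions made for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class Account:
    canvas_host: str
    canvas_user_id: str
    email: str                                  # display/contact attribute only
    roles: dict = field(default_factory=dict)   # course_id -> role in that course


class AccountStore:
    """Accounts keyed on (Canvas domain, Canvas user ID), never on email."""

    def __init__(self):
        self._accounts = {}

    def sign_in(self, canvas_host: str, profile: dict, enrollments: list) -> Account:
        key = (canvas_host.lower(), str(profile["id"]))
        account = self._accounts.get(key)
        if account is None:
            account = Account(key[0], key[1], "")
            self._accounts[key] = account
        # Email can change or be reused, so it is refreshed, not matched on.
        account.email = profile.get("email", "").strip().lower()
        # Roles are replaced on every sign-in and kept per course.
        account.roles = {str(e["course_id"]): e["role"] for e in enrollments}
        return account

    @staticmethod
    def can_grade(account: Account, course_id) -> bool:
        return account.roles.get(str(course_id)) == "teacher"


# Constructed sample data: two schools whose users share one ID and one email.
store = AccountStore()
first = store.sign_in("springfield.instructure.com",
                      {"id": 42, "email": "pat@example.org"},
                      [{"course_id": 101, "role": "teacher"},
                       {"course_id": 202, "role": "student"}])
second = store.sign_in("canvas.shelbyville.example",
                       {"id": 42, "email": "pat@example.org"},
                       [{"course_id": 101, "role": "student"}])
```

Here `first` and `second` remain separate accounts even though the email and numeric ID match, and `first` can grade in course 101 but not in course 202.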
Furthermore, LTI integration can cause several headaches if you're not prepared. There are several versions of LTI. Additionally, each LMS handles LTI integrations differently, even if they support the same version. Just because you already wrote an LTI app for another LMS, like Moodle, doesn't always mean the app is going to work the same way in Canvas. You can also run into trouble if you are converting a mobile app into an LTI-accessible resource.