Configuring Single Sign-On (SSO)

Last updated: November 4, 2025

Canvas supports Single Sign-On (SSO), enabling users to log in using external identity providers such as Google Workspace, Okta, and Microsoft Azure. Canvas's integration with SSO streamlines login processes, providing secure and seamless access for users across supported platforms. This article outlines the configuration process, frequently asked questions, and detailed step-by-step instructions for each provider.

Setup & Configuration

Okta SSO Configuration

Create an Okta App

  1. Open the Okta dashboard and go to Applications.

  2. Select Create App Integration and choose SAML 2.0.

  3. Enter a name to identify the application in the App name field (e.g. Canvas SSO)

  4. Change the app logo, if needed (optional)

  5. Complete SAML Settings fields

    • Single Sign-On URL: https://<organization>.canvasmedical.com/saml2/acs/

    • Audience URI (SP Entity ID): https://<organization>.canvasmedical.com/saml2/metadata/

    • Name ID Format: EmailAddress

    • Application username: Okta username

    • Update application username on: Create and update

  6. Add an attribute statement

    • Name: mail

    • Name Format: Unspecified

    • Value: user.email

Create Okta SSO Users

  1. Navigate to the Assignments tab

  2. Assign any people/groups you want to use this app

Create Okta Link for Canvas

  1. From the Sign On tab, click the Identity Provider Metadata link located below the View Setup Instructions button

  2. In Canvas, configure the SERVICE_PROVIDER_CONFIG field with the copied URL.

  3. Copy the URL from the page - it will be needed later in the Canvas set up.

  4. Follow steps under SSO Configuration in Canvas to complete Canvas configuration

Canvas Configuration for Okta SSO

  1. Log in to the Canvas instance

  2. Navigate to Settings under the triple line menu and select Constance: Config

  3. Locate the SSO Configuration section and complete the fields

    • SERVICE_PROVIDER_CONFIG: Enter a dictionary like the example below. Replace <your url> with the URL you copied from Okta.

      {
          "service": {
              "sp": {
                  "allow_unsolicited": true
              }
          },
          "metadata": {"remote": [{"url": "<your url>"}]}
      }
    • SSO_PRIVATE_KEY: Leave blank. Not needed for Okta SSO

    • SSO_PUBLIC_CERT: Leave blank. Not needed for Okta SSO

    • IDP_METADATA_XML: Leave blank. Not needed for Okta SSO

    • SSO_LOGIN_ENABLED: Ensure the SSO_LOGIN_ENABLED box is checked in order to display the new login button on the log in screen

    • SSO_IDP_INFO: Enter the following dictionary to configure the SSO login button. You can customize it as needed, including removing the icon or replacing it with a logo.

      {
        "name": "Okta",
        "icon": { "name": "circle outline", "style": {"color": "blue" }}
      }
  4. Click Save once fields are complete

Log In to Canvas Using Okta SSO

  1. Navigate to the Canvas log in page. You will need to log out of Canvas if you are currently signed in

  2. Click the Log in with Okta button

  3. Ensure you are redirected to Canvas after logging in

Microsoft Azure SSO Configuration

Create MS Azure Active Directory App

  1. Open Azure dashboard

  2. Select Azure Active Directory located in the left menu

  3. Select Add

  4. Select Enterprise Application from the dropdown

  5. Select Create your own application in the next screen to open the form

  6. Enter a name for your application

  7. Select Integrate any other application you don't find in the gallery

  8. Select Create to be redirected to your application overview page

  9. Select Single sign-on from the menu on the left hand side

  10. Select SAML to open the Set up Single Sign-on with SAML modal

  11. Locate the Basic SAML Configuration section

  12. Select Edit

  13. Enter your Canvas URL followed by /saml2/metadata/ in the Entity ID field

  14. Enter your Canvas URL followed by /saml2/acs/ in the Reply URL field

  15. Enter your Canvas URL followed by /saml2/login/ in the "Sign on URL" field

  16. Select Save to save changes made to the “Basic SAML Configuration” section

  17. Locate the Attributes & Claims section

  18. Select Edit

  19. Select Add new claim and complete the fields

    • Name: mail

    • Source: Attribute

    • Source attribute: user.mail

  20. Select Save to save changes made to the Attributes & Claims section

  21. Click the X button to exit the screen

Create MS Azure Users

  1. Begin process after having completed the steps described above

  2. Locate the left menu

  3. Select Users and groups

  4. Select Add user/group

  5. Click on Users or role sections to add users

  6. Select Assign

  7. Locate the left menu

  8. Navigate to the Single sign-on view

  9. Click the Copy button next to the App Federation Metadata URL to copy the URL

Canvas Configuration for Microsoft Azure SAML App

  1. Log in to the Canvas instance

  2. Navigate to Settings under the triple line menu and select Constance: Config

  3. Locate the SSO Configuration section and complete the fields

    • SERVICE_PROVIDER_CONFIG: Enter a dictionary like the example below. Replace <your url> with the URL you copied from MS Azure

      {
          "service": {
              "sp": {
                  "allow_unsolicited": true,
                  "want_response_signed": false
              }
          },
          "metadata": {"remote": [{"url": "<your url>"}]}
      }
    • SSO_PRIVATE_KEY: Leave blank. Not needed for Azure SSO

    • SSO_PUBLIC_CERT: Leave blank. Not needed for Azure SSO

    • IDP_METADATA_XML: Leave blank. Not needed for Azure SSO

    • SSO_LOGIN_ENABLED: Ensure the SSO_LOGIN_ENABLED box is checked in order to display the new login button on the log in screen

    • SSO_IDP_INFO: Enter the following dictionary to configure the SSO login button. You can customize it as needed, including removing the icon or replacing it with a logo.

      {
        "name": "MS Azure",
        "icon": { "name": "microsoft", "style": {"color": "blue" }}
      }
  4. Select Save once fields are complete
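
A pre-save check for a SERVICE_PROVIDER_CONFIG value such as the Okta and Azure dictionaries above, since the metadata URL is where Canvas learns the IdP's signing certificate and the `want_*_signed` keys decide which signatures are required. This is an added example, not Canvas code: `review_sp_config` is a hypothetical helper, it reads the keys by their names, and `idp.example.test` in the test inputs is a constructed host.

```python
import json
from urllib.parse import urlparse

SIGNING_KEYS = ("want_response_signed", "want_assertions_signed")

def review_sp_config(text):
    """Return human-readable findings for one SERVICE_PROVIDER_CONFIG value."""
    try:
        cfg = json.loads(text)
    except json.JSONDecodeError as exc:
        # Typical cause: Python-style True/False or single quotes pasted as JSON
        return [f"not valid JSON: {exc.msg} (line {exc.lineno})"]
    if not isinstance(cfg, dict):
        return ["top level must be a JSON object"]
    findings = []
    sp = cfg.get("service", {}).get("sp", {})
    # Only explicit false values are reported; unset keys keep the service default
    disabled = [k for k in SIGNING_KEYS if sp.get(k) is False]
    if len(disabled) == len(SIGNING_KEYS):
        findings.append("response and assertion signature requirements are both disabled")
    elif disabled:
        findings.append(f"{disabled[0]} is false: confirm the IdP signs the other element")
    if sp.get("allow_unsolicited") is True:
        findings.append("allow_unsolicited is true: IdP-initiated responses are accepted")
    for entry in cfg.get("metadata", {}).get("remote", []):
        url = entry.get("url", "")
        parsed = urlparse(url)
        if "<" in url or not parsed.netloc:
            findings.append(f"metadata URL is a placeholder or malformed: {url!r}")
        elif parsed.scheme != "https":
            # Metadata carries the IdP signing certificate, so it must not travel in cleartext
            findings.append(f"metadata URL is not HTTPS: {url!r}")
    return findings

# The Azure dictionary from this page, with the placeholder left unreplaced.
AZURE_AS_PUBLISHED = """{
    "service": {"sp": {"allow_unsolicited": true, "want_response_signed": false}},
    "metadata": {"remote": [{"url": "<your url>"}]}
}"""

if __name__ == "__main__":
    for line in review_sp_config(AZURE_AS_PUBLISHED):
        print("-", line)
```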

Log In to Canvas using MS Azure SSO

  1. Navigate to the Canvas log in page. You will need to log out of Canvas if you are currently signed in

  2. Click the Log in with Okta button

  3. Ensure you are redirected to Canvas after logging in

Google Workspace SSO Configuration

Create App for Google

  1. Log in to your Google Admin account

  2. Navigate to Web and mobile apps under the Apps menu

  3. Click Add app menu

  4. Select Add custom SAML app from the dropdown

  5. Add the App Name and click Continue

  6. Click Download Metadata under Option 1: Download IdP metadata. This will be used later when configuring in Canvas.

  7. Complete the Service provider details on the next page

  8. Click Continue

  9. Under Attributes, click Add mapping and complete the fields

    • Basic information: Primary email

    • App attributes: mail

Create Google SSO Users

  1. Navigate to User Access

  2. Set service status to ON for everyone or enable for a specific group

Canvas Configuration for Google Workspace SAML App

  1. Log in to the Canvas instance

  2. Navigate to Settings under the triple line menu and select Constance: Config

  3. Locate the SSO Configuration section and complete the fields

    • SERVICE_PROVIDER_CONFIG: Enter the dictionary below into the field

      {
        "service": {
          "sp": {
            "want_assertions_signed": false,
            "allow_unsolicited": true
          }
        }
      }

    • SSO_PRIVATE_KEY: Leave blank. Not needed for Google Workspace SSO

    • SSO_PUBLIC_CERT: Leave blank. Not needed for Google Workspace SSO

    • IDP_METADATA_XML: You’ll need to base64 encode the previously downloaded metadata file. There are two ways to accomplish this:

      1. If you prefer to work with terminal, you can run the following command and copy the output: base64 GoogleIDPMetadata.xml

      2. You can also upload your metadata file here: https://base64.guru/converter/encode/file, click Encode file to Base64 and copy the output from section Base64. Once you have your metadata encoded and copied you can paste it in IDP_METADATA_XML field

    • SSO_LOGIN_ENABLED: Check this box to activate the SSO login button.

    • SSO_IDP_INFO: Enter the following dictionary to configure the SSO login button. You can customize it as needed, including removing the icon or replacing it with a logo.

      {
        "name": "Google",
        "icon": { "name": "google", "style": {"color": "red" }}
      }
  4. Click Save once fields are complete

Log In to Canvas using Google Workspace SSO

  1. Navigate to the Canvas log in page. You will need to log out of Canvas if you are currently signed in

  2. Click the Log in with Google button

  3. Ensure you are redirected to Canvas after logging in

JumpCloud SSO Configuration

Create JumpCloud App

  1. Log in to the JumpCloud admin account

  2. Navigate to SSO under the User Authentication menu

  3. Click on the blue add button and select Custom SAML App option

  4. Add a display label to identify the application

  5. Click the SSO tab and complete the fields

    1. IdP Entity ID: Enter your Canvas instance URL followed by /saml2/metadata/.

      1. For example, if your instance URL is https://sso-setup.canvasmedical.com the IdP Entity ID should be https://sso-setup.canvasmedical.com/saml2/metadata/

    2. SP Entity ID: Same URL as the IdP Entity ID

    3. ACS URL: Should match the IdP and SP entity IDs but include the suffix acs at the end

      1. For example, https://sso-setup.canvasmedical.com/saml2/acs/

    4. SAMLSubject NameID: email

    5. SAMLSubject NameID Format: urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified

    6. Sign Assertion: Check the box

  6. Under User Attribute Mapping, click on Add attribute and complete the fields

    1. Service Provider Attribute Name: mail

    2. JumpCloud Attribute Name: email

Add JumpCloud SSO Users

  1. Open the User Groups tab

  2. Select any group of users you want to include on the app

  3. Click activate on the bottom right corner.

  4. A new app will display on the app list

  5. Open the new app

  6. Navigate to the SSO tab

  7. Click the Export Metadata button. This will be used during the configuration in Canvas

Canvas Configuration for JumpCloud SAML App

  1. Log in to the Canvas instance

  2. Navigate to Settings under the triple line menu and select Constance: Config

  3. Locate the SSO Configuration section and complete the fields

    • SERVICE_PROVIDER_CONFIG: Enter the dictionary below into the field

      {
        "service": {
          "sp": {
            "allow_unsolicited": true,
            "want_response_signed": false
          }
        }
      }
    • SSO_PRIVATE_KEY: Leave blank. Not needed for JumpCloud SSO

    • SSO_PUBLIC_CERT: Leave blank. Not needed for JumpCloud SSO

    • IDP_METADATA_XML: You’ll need to base64 encode the previously downloaded metadata file. There are two ways to accomplish this:

      • If you prefer to work with terminal, you can run the following command and copy the output: base64 GoogleIDPMetadata.xml

      • You can also upload your metadata file here: https://base64.guru/converter/encode/file, click Encode file to Base64 and copy the output from section Base64. Once you have your metadata encoded and copied you can paste it in IDP_METADATA_XML field

    • SSO_LOGIN_ENABLED: Check this box to activate the SSO login button.

    • SSO_IDP_INFO: Enter the following dictionary to configure the SSO login button. You can customize it as needed, including removing the icon or replacing it with a logo

      {
        "name": "JumpCloud",
        "icon": { "name": "cloud", "style": {"color": "black" }}
      }
  4. Click Save once fields are complete

Log In to Canvas using JumpCloud SSO

  1. Navigate to the Canvas log in page. You will need to log out of Canvas if you are currently signed in

  2. Click the Log in with JumpCloud button

  3. Ensure you are redirected to Canvas after logging in

FAQs

Q: How does the SSO login connect to “staff” profiles?
A: The email address attached to the Canvas user must match the SSO email address.

Q: Will a user be automatically created when I configure SSO?
A: No. Users must be manually connected to Canvas, and the email used to create the user must be unique.

Q: Why is the user getting a No user could be authenticated error when trying to login to Canvas with SSO?

A: The user has multiple staff profiles in Canvas with the same email. Check the active and inactive staff profiles in Canvas. The emails cannot match whether active or inactive.

