Configuring Kanopy for access

When setting up your institution's Kanopy website, we must ensure that access is allowed only to your approved users. Kanopy can use a variety of authentication methods to ensure that your Kanopy platform is secure.

Kanopy works with almost all methods of authentication that a library may employ. Most typically, this will include IP whitelisting for on-campus access and then another method for off-campus access, such as EZproxy, Shibboleth, WAM, or VPN.

It is important to note that, whatever authentication protocol you choose, authentication will always work on all links, whether they're shared on social media, embedded in your learning management system, or posted on LibGuides.

In fact, if you opt for authentication via proxy, it's important to know that we automatically proxy links that are unproxied for users outside of your IP range. This means that you should only use unproxied links when referring to Kanopy resources.

When you decide to launch with Kanopy, please be sure to include all of your technical system's information on the forms that you receive from us. Wherever possible, please consult your institution's IT team if necessary.

We will always test your authentication as part of the onboarding process. If you have any questions about authentication or secure access, please feel free to contact us.

Proxy/EZproxy set up

1. Provide your full onsite IP ranges, as well as the IP address for your proxy server.
2. Confirm your proxy URL format with us. If you're using EZproxy, this may be rewritten as http://ezproxy.library.institution.edu/login?url= ; however, other proxy services will likely use a different format for your proxy URL, so please be sure to check with your IT team. 
3. For EZproxy, add the following to your proxy configuration:

T Kanopy
U http://PREFIX.kanopy.com
H https://PREFIX.kanopy.com
D kanopy.com

You will need to change the word "PREFIX" to your institution's Kanopy subdomain, which you will decide upon as part of the onboarding process. So, the subdomain is "myschool" in the platform URL "https://myschool.kanopy.com."

Important notes on proxy/EZproxy set up:

• Please let us know once you have completed the proxy configuration by reaching out to us, or by connecting directly with the Kanopy staff member guiding you through the launch process.
• Please DO NOT proxy links to films and/or your Kanopy portal's homepage within your catalog, library website, LibGuides, embedded links, or elsewhere. We set up an automatic proxy redirect, so any users seeking to access unproxied links from off campus will be sent to the correct, proxied links.
• We strongly encourage implementing a security certificate for your proxy so that HTTPS protocol can be used.

WAM proxy set up

1. Provide us with your full onsite/campus and proxy IP ranges.
2. Confirm your WAM prefix. So, check with your IT team to see how would your WAM rewrite the URL "https://myschool.kanopy.com."
3. Add these lines to your WAM configuration to ensure the links can be used by remote users:
   PREFIX.kanopy.com.
   Bear in mind that you will need to change the word "PREFIX" to your institution ID, as provided by Kanopy.

Important notes on WAM set up:

• Please DO NOT use WAM links when directing users to films and/or your Kanopy portal's homepage within your catalog, library website, LibGuides, embedded links, or elsewhere. We set up an automatic proxy redirect, so any users seeking to access the unproxied links off campus will be redirected to the correct, proxied links.

SAML/Shibboleth/OpenAthens set up

1. Authorize Kanopy to connect to your SAML/Shibboleth/OpenAthens system.
• The person or team managing your SSO account needs to look up Kanopy in the InCommon or UK Federation and add our Service Provider metadata so that we can connect to your Identity Provider (even if we are not listed on the InCommon website, our metadata is listed in their system). If you need to ingest our our SAML metadata manually, it is available via direct download at https://auth.kanopy.com/sp.
• In some cases, this step is not needed as you may have a rule in place allowing anyone in the InCommon federation to connect to your Identity Provider automatically.
2. Kanopy will set up your off-campus access to use SAML/Shibboleth by ingesting your metadata, either from a federated source or through manual download.

VPN set up

1. Provide your full onsite IP ranges.
2. Confirm a URL link for VPN instructions. We will direct users here if they are trying to access your website without your VPN installed.

Azure set up

1. Download Kanopy’s SAML metadata. It’s available at https://auth.kanopy.com/sp.
   
2. From your AzureAD portal, search for Enterprise applications and navigate to that service module.
   
   
3. Within the Enterprise applications service module, click New application at the top.
   
   
4. Kanopy is not accessible from Azure’s cloud platforms gallery. Ignore any entries for Kanopy that appear. Instead, click Create your own application at the top.
   
   
5. In the form that follows, enter a name for the app--ideally, just “Kanopy”--and make sure to select the radio button that reads Integrate any other application you don’t find in the gallery (Non-gallery). Then, click Create.
   
   
6. From the Kanopy overview page within Enterprise Applications, first click on 1. Assign users and groups in order to decide which users and groups you’d like to provide with access to Kanopy. You can do this as you would for any other service provider.
   
   
7. Next, from the Kanopy overview page within Enterprise Applications, click on 2. Set up single sign on.
   
   
8. On the Select a single sign-on method page, click SAML.
9. On the SAML-based Sign-on page, click Upload metadata file at the top-left. Browse your local computer for Kanopy’s XML metadata file, and then click Add.
   
   
10. In the Basic SAML Configuration dialogue box that appears, several fields will auto-populate with data from Kanopy’s metadata file. Here’s what you should be sure to include:
    

    EntityId: https://auth.kanopy.com/sp

    Reply URL (Assertion Consumer Service URL):  https://auth.kanopy.com/module.php/saml/sp/saml2-acs.php/kanopycom-sp 

    Sign on URL: https://[YOUR KANOPY DOMAIN].kanopy.com/signup/auth/university
    Relay State: https://[YOUR KANOPY DOMAIN].kanopy.com
    Logout Url: https://auth.kanopy.com/module.php/saml/sp/saml2-logout.php/kanopycom-sp 
    

    When these configurations are entered correctly, click “Save.”

11. At this point, you may see a notice on the SAML-based Sign-on page that reads "The default reply URL is missing from the list of reply URLs. Click here to fix it." This notice may appear even if you've supplied a default reply URL, so simply click Click here to fix it.
    
    

12. On the SAML-based Sign on page, the information you saved should appear next to 1. Basic SAML Configuration.
    

13. Kanopy does not ultimately ingest any of the user data that can be sent via SAML. Accordingly, none of the data configured through 2. User Attributes & Claims is necessary. This data can be sent, but it will not be used by Kanopy.
14. Still on the SAML-based Sign-on page, under 3. SAML Signing Certificate, click Download next to Federation Metadata XML. This will download the XML file containing your metadata. Either send this file as an attachment to your contact at Kanopy, or provide Kanopy with the URL next to App Federation Metadata Url.
    
    
15. Kanopy will ingest your SAML metadata into our system and perform the necessary Service Provider configurations.
16. At this point, Kanopy will reach out to let you know that your platform’s Azure authentication is ready to test. Kanopy may follow up with a request for test credentials, in which case please be sure to add a test user to “Users and groups” within your Kanopy Enterprise Application.