When setting up your institution's Kanopy website, we must ensure that access is allowed only to your approved users. Kanopy can use various authentication methods to ensure that your Kanopy platform is secure.
It is important to note that, whatever authentication protocol you choose, authentication will always work on all links, whether they're shared on social media, embedded in your learning management system, or posted on LibGuides.
In fact, if you opt for authentication via proxy, it's important to know that we automatically proxy links that are unproxied for users outside of your IP range. This means that you should only use unproxied links when referring to Kanopy resources.
Kanopy works with almost all methods of authentication that a library may employ. Most typically, this will include IP whitelisting for on-campus access and then another method for off-campus access, such as EZproxy, Shibboleth, WAM, VPN, barcode pattern, etc.
Basic directions for setting up authentication via several methods are outlined below. However, when you decide to launch with Kanopy, you should be sure to include all of your technical system's information on the Tech Form that you will receive from us. Your institution's IT team should be brought into the process of completing the Tech Form.
For all authentication setups, please be sure to provide Kanopy with test credentials. Test credentials are essential in helping us to troubleshoot, quickly and efficiently, any issues that may arise over the life of your Kanopy platform.
If you have any questions about authentication or secure access, please feel free to contact Kanopy support at firstname.lastname@example.org.
To set up your Kanopy website using a proxy or EZproxy:
- Provide your full onsite/campus and proxy IP ranges, as well as the IP address for your EZproxy server itself.
- Confirm your proxy URL format with us. If you're using EZproxy, this may be rewritten as http://ezproxy.library.institution.edu/login?url= ; however, other proxy services will likely use a different format for your proxy URL, so please be sure to check with your IT team.
- For EZproxy, add the following to your proxy configuration:
You will need to change the word "PREFIX" to your institution ID or pseudonym, provided by Kanopy. This is the domain that you decide upon for accessing your Kanopy platform; so, the prefix is "school" in the platform URL "https://school.kanopy.com."
If you're using a proxy service other than EZproxy, then your proxy configuration may need to be set up a bit differently. Again, please be sure to confirm your system's needs with your IT team.
Important notes on proxy/EZproxy set up:
- Please let us know once you have completed the proxy configuration at email@example.com.
- Please DO NOT proxy links to films and/or your Kanopy portal's homepage within your catalog, library website, LibGuides, embedded links, or elsewhere. We set up an automatic proxy redirect, so any users seeking to access unproxied links from off campus will be sent to the correct, proxied links.
- We strongly encourage implementing a security certificate for your proxy so that HTTPS protocol can be used; this allows you to benefit from full security and will further support film embedding into your course system.
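One way to audit a catalog or LibGuides export for links that were proxied against the advice above. This is an added example, not Kanopy's or EZproxy's own code; the sample links and their `/video/...` paths are constructed, and the `school` prefix and proxy host are the placeholders used on this page.

```python
from urllib.parse import urlsplit, unquote

MARKER = "/login?url="  # EZproxy starting-point form shown on this page

# Constructed sample links; the /video/... paths are made up for illustration.
SAMPLE_LINKS = [
    "https://school.kanopy.com/video/sample-film",
    "http://ezproxy.library.institution.edu/login?url="
    "https://school.kanopy.com/video/sample-film?ref=guide&t=1",
    "http://ezproxy.library.institution.edu/login?url=https%3A%2F%2Fschool.kanopy.com%2F",
    "https://kanopy.com.example.net/video/sample-film",  # look-alike host, not Kanopy
]

def is_kanopy_host(url):
    """True only for kanopy.com or a real subdomain (suffix match on the parsed host)."""
    host = (urlsplit(url).hostname or "").lower()
    return host == "kanopy.com" or host.endswith(".kanopy.com")

def audit_link(link):
    """Return (status, link_to_publish); status is 'direct', 'proxied' or 'other'."""
    if is_kanopy_host(link):
        return ("direct", link)
    if MARKER in link:
        # Everything after url= is the target, including any '&' in its own query.
        target = link.split(MARKER, 1)[1]
        if "://" not in target[:8]:
            target = unquote(target)  # target was percent-encoded
        if is_kanopy_host(target):
            return ("proxied", target)
    return ("other", link)

def links_to_fix(links):
    """Map each proxied Kanopy link to the unproxied link that should replace it."""
    results = {link: audit_link(link) for link in links}
    return {link: r[1] for link, r in results.items() if r[0] == "proxied"}

if __name__ == "__main__":
    for old, new in links_to_fix(SAMPLE_LINKS).items():
        print(f"replace {old}\n   with {new}")
```
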
To set up your Kanopy website:
- Provide us with your full onsite/campus and proxy IP ranges.
- Confirm your WAM prefix. Check with your IT team to see how your WAM would rewrite the URL "https://institution.kanopy.com."
- Add these lines to your WAM configuration to ensure the links can be used by remote users:
(You will need to change the word "PREFIX" to your institution ID or acronym provided by Kanopy.)
Important notes on WAM set up:
- Please DO NOT use WAM links when directing users to films and/or your Kanopy portal's homepage within your catalog, library website, LibGuides, embedded links, or elsewhere. We set up an automatic proxy redirect, so any users seeking to access the unproxied links off campus will be redirected to the correct, proxied links.
- Authorize Kanopy to connect to your SAML/Shibboleth/OpenAthens system.
- The person/team managing your SSO account needs to look up Kanopy in the InCommon or UK Federation and add our Service Provider metadata so that we can connect to your Identity Provider (even if we are not listed on the InCommon website, our metadata is listed in their system). Our metadata is also available via direct download at https://auth.kanopy.com/sp.
- In some cases, this step is not needed, as you may have a rule in place allowing anyone in the InCommon federation to connect to your Identity Provider automatically.
- If you have any issues with access at this point, please send us test credentials, along with the contact details of the person who manages your SSO connection, so that we can reach out to troubleshoot.
4) VPN set up
To set up your Kanopy website:
- Provide us with your full onsite/campus and VPN IP ranges.
- Confirm a URL link for VPN instructions (we will direct users here if they are trying to access your website without the VPN installed).
Kanopy can authenticate via Azure through the use of our SAML metadata. To set up authentication via Azure:
- Download Kanopy’s SAML metadata. It’s available as an XML file from https://auth.kanopy.com/sp.
- From your AzureAD portal, search for “Enterprise applications” and navigate to that service module.
- Within the “Enterprise applications” service module, click “New application” at the top.
- Kanopy is not accessible from Azure’s cloud platforms gallery. Instead, click “Create your own application” at the top.
- In the form that follows, enter a name for the app--ideally, just “Kanopy”--and make sure to select the radio button that reads “Integrate any other application you don’t find in the gallery (Non-gallery).” Then, click “Create.”
- From the “Kanopy overview” page within Enterprise Applications, first click on “1. Assign users and groups” in order to decide which users and groups you’d like to provide with access to Kanopy. You can do this as you would for any other service provider.
- Next, from the “Kanopy overview” page within Enterprise Applications, click on “2. Set up single sign on.”
- On the “Select a single sign-on method” page, click “SAML.”
- On the “SAML-based Sign-on” page, click “Upload metadata file” at the top-left. Browse your local computer for Kanopy’s XML metadata file, and then click “Add.”
- In the “Basic SAML Configuration” dialogue box that appears, several fields will auto-populate with data from Kanopy’s metadata file. Here’s what you should be sure to include:
Reply URL (Assertion Consumer Service URL): https://auth.kanopy.com/module.php/saml/sp/saml2-acs.php/kanopycom-sp
Sign on URL: https://[YOUR KANOPY DOMAIN].kanopy.com/signup/auth/university
Relay State: https://[YOUR KANOPY DOMAIN].kanopy.com
Logout Url: https://auth.kanopy.com/module.php/saml/sp/saml2-logout.php/kanopycom-sp
When these configurations are entered correctly, click “Save.”
At this point, you may see a notice on the "SAML-based Sign-on" page that reads "The default reply URL is missing from the list of reply URLs. Click here to fix it." This notice may appear even if you've supplied a default reply URL, so simply click "Click here to fix it."
On the “SAML-based Sign-on” page, the information you saved should appear next to “1. Basic SAML Configuration.”
- Kanopy does not ultimately ingest any of the user data that can be sent via SAML. Accordingly, none of the data configured through “2. User Attributes & Claims” is necessary. This data can be sent, but it will not be used by Kanopy.
- Still on the “SAML-based Sign-on” page, under “3. SAML Signing Certificate,” click “Download” next to “Federation Metadata XML.” This will download the XML file containing your metadata. Either send this file as an attachment to your contact at Kanopy, or provide Kanopy with the URL next to “App Federation Metadata Url.”
- Kanopy will ingest your SAML metadata into our system and perform the necessary Service Provider configurations.
- At this point, Kanopy will reach out to let you know that your platform’s Azure authentication is ready to test. Kanopy may follow up with a request for test credentials, in which case please be sure to add a test user to “Users and groups” within your Kanopy Enterprise Application.
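A pre-upload check on the Service Provider metadata file used in the Azure steps above, confirming that its endpoints are the Reply URL and Logout URL listed on this page and that every endpoint is HTTPS on auth.kanopy.com. This is an added example, not Kanopy's or Microsoft's code; the embedded metadata is a constructed stand-in for the real download, and its entityID and bindings are assumptions.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
# Endpoint values listed on this page for "Basic SAML Configuration".
EXPECTED_ACS = "https://auth.kanopy.com/module.php/saml/sp/saml2-acs.php/kanopycom-sp"
EXPECTED_SLO = "https://auth.kanopy.com/module.php/saml/sp/saml2-logout.php/kanopycom-sp"

# Constructed stand-in for the downloaded file; entityID is a placeholder.
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.invalid/placeholder">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="{EXPECTED_SLO}"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="{EXPECTED_ACS}" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

def check_sp_metadata(xml_text):
    """Return a list of problems; an empty list means the endpoints match this page."""
    root = ET.fromstring(xml_text)
    sp = root.find(".//md:SPSSODescriptor", NS)
    if sp is None:
        return ["no SPSSODescriptor: this is not Service Provider metadata"]
    acs = [e.get("Location") for e in sp.findall("md:AssertionConsumerService", NS)]
    slo = [e.get("Location") for e in sp.findall("md:SingleLogoutService", NS)]
    problems = []
    if EXPECTED_ACS not in acs:
        problems.append("Reply URL from this page is not among the ACS endpoints")
    if EXPECTED_SLO not in slo:
        problems.append("Logout URL from this page is not among the SLO endpoints")
    # Assertions are POSTed to the ACS, so any endpoint elsewhere is a red flag.
    for loc in acs + slo:
        parts = urlsplit(loc or "")
        if parts.scheme != "https" or parts.hostname != "auth.kanopy.com":
            problems.append(f"unexpected endpoint: {loc}")
    return problems

if __name__ == "__main__":
    print(check_sp_metadata(SAMPLE_METADATA) or "metadata endpoints match")
```

To check the real file, pass its contents to `check_sp_metadata` in place of the constructed sample.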