We will work with you to ensure that only authorized users can access your Kanopy platform.
Kanopy works with most library authentication methods. Typically this includes IP safelisting for on-campus access and another method for off-campus access, such as EZproxy, Shibboleth, WAM, or VPN.
Whatever authentication protocol you use will apply to all Kanopy links. This includes individual film links, links shared on social media, and embedded media links. Users will always need to authenticate in order to play films through your Kanopy service.
Note: Don't proxy links to resources on your Kanopy platform. If a user accesses your Kanopy platform from outside your designated IP range, they will automatically be redirected to the correct authentication page. Learn more about using unproxied links.
To best configure authentication for your new Kanopy platform, please provide all technical information requested on the "Library Launch Details" form.
If possible, please work with your institution's IT team to ensure the information you provide is as complete and accurate as possible.
We will test your authentication during the onboarding process. If you have any questions about authentication, reach out to us through our contact form or your contact at Kanopy.
Proxy/EZproxy setup
- Provide your full on-site IP ranges and the IP address for your proxy server.
- Confirm your proxy URL format with us. If you're using EZproxy, this may be rewritten as http://ezproxy.library.institution.edu/login?url= . However, other proxy services may use a different format for your proxy URL, so please check with your IT team.
- For EZproxy, add the following to your proxy configuration, replacing "PREFIX" with your institution’s Kanopy subdomain:
    T Kanopy
    U http://PREFIX.kanopy.com
    H https://PREFIX.kanopy.com
    D kanopy.com
- Once you have completed the proxy configuration, reach out to us through our contact form or your contact at Kanopy.
Note: We strongly encourage implementing a security certificate for your proxy so that HTTPS can be used.
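One way to audit existing catalog or course-page links against the "don't proxy Kanopy links" rule is sketched below. This is an added example, not Kanopy's or EZproxy's own code. It assumes the login?url= prefix format shown above, and the film path and the other vendor's hostname are hypothetical.

```python
import re
from urllib.parse import urlsplit, unquote

# EZproxy login prefix in the format shown above (placeholder hostname).
PROXY_PREFIX = "http://ezproxy.library.institution.edu/login?url="

def is_kanopy_host(host):
    """True only for kanopy.com and its subdomains, not look-alike hosts."""
    host = (host or "").lower().rstrip(".")
    return host == "kanopy.com" or host.endswith(".kanopy.com")

def unproxy(link, proxy_prefix=PROXY_PREFIX):
    """Return (link_to_publish, was_proxied_kanopy_link)."""
    link = link.strip()
    proxy, parts = urlsplit(proxy_prefix), urlsplit(link)
    via_proxy = ((parts.hostname or "").lower() == (proxy.hostname or "").lower()
                 and parts.path == proxy.path
                 and parts.query.startswith("url="))
    if not via_proxy:
        return link, False
    target = link.split("url=", 1)[1]          # everything after url= is the target
    if re.match(r"https?%3a", target, re.I):   # target was percent-encoded
        target = unquote(target)
    if not is_kanopy_host(urlsplit(target).hostname):
        return link, False                     # other vendors stay proxied
    return target, True

def audit(links, proxy_prefix=PROXY_PREFIX):
    """List (original, unproxied) pairs for every proxied Kanopy link."""
    found = []
    for link in links:
        fixed, proxied = unproxy(link, proxy_prefix)
        if proxied:
            found.append((link.strip(), fixed))
    return found

# Constructed sample links (hypothetical film path and vendor hostname).
SAMPLE_LINKS = [
    "http://ezproxy.library.institution.edu/login?url=https://myschool.kanopy.com/video/sample-film",
    "https://ezproxy.library.institution.edu/login?url=https%3A%2F%2Fmyschool.kanopy.com%2Fvideo%2Fsample-film",
    "https://myschool.kanopy.com/video/sample-film",
    "http://ezproxy.library.institution.edu/login?url=https://journals.example.org/article/1",
    "http://ezproxy.library.institution.edu/login?url=https://kanopy.com.example.org/video/sample-film",
]

if __name__ == "__main__":
    for original, fixed in audit(SAMPLE_LINKS):
        print(f"{original}\n  -> {fixed}")
```

The host check matches kanopy.com and its subdomains exactly, so a look-alike such as kanopy.com.example.org is never treated as a Kanopy link.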
WAM proxy setup
- Provide your full on-site and proxy IP ranges.
- Confirm your WAM prefix; check with your IT team to see how your WAM rewrites the URL "https://myschool.kanopy.com".
- Add "PREFIX.kanopy.com" to your WAM configuration, replacing "PREFIX" with your institution’s Kanopy subdomain.
SAML/Shibboleth/OpenAthens setup
- Authorize Kanopy to connect to your SAML/Shibboleth/OpenAthens system. Your IT team will need to look up Kanopy in InCommon or the UK federation and add our service provider metadata. You can also directly download our SAML metadata at https://auth.kanopy.com/sp. If your organization allows anyone in InCommon to connect to your identity provider automatically, you can skip this step.
- Kanopy will set your off-campus access to use SAML/Shibboleth by ingesting your metadata.
VPN setup
- Provide your full on-site IP ranges.
- Provide a link for VPN instructions. We will direct users to that URL if they try to access your website without your VPN.
Azure setup
- Download Kanopy’s SAML metadata from https://auth.kanopy.com/sp.
- From your AzureAD portal, search for and select Enterprise applications.
- In "Enterprise applications," select New application.
- Select Create your own application.
- In "Create your own application," enter "Kanopy" as the name for the app, select Integrate any other application you don’t find in the gallery (Non-gallery), then, click Create.
- On the "Kanopy Overview" page in "Enterprise Applications," select 1. Assign users and groups and assign users access as needed.
- From the "Kanopy Overview" page, select 2. Set up single sign on.
- On the "Select a single sign-on method" page, click SAML.
- On the "SAML-based Sign-on" page, select Upload metadata file, browse for Kanopy’s XML metadata file, then click Add.
- In the "Basic SAML Configuration" section, several fields will auto-populate with data from Kanopy’s metadata file. Be sure to replace "PREFIX" with the equivalent subdomain specific to your institution's Kanopy URL. Ensure these fields are filled out as follows, then click Save:
- EntityId: https://auth.kanopy.com/sp
- Reply URL (Assertion Consumer Service URL): https://auth.kanopy.com/module.php/saml/sp/saml2-acs.php/kanopycom-sp
- Sign on URL: https://PREFIX.kanopy.com/signup/auth/university
- Relay State: https://PREFIX.kanopy.com
- Logout Url: https://auth.kanopy.com/module.php/saml/sp/saml2-logout.php/kanopycom-sp
- You may see a message on the "SAML-based Sign-on" page that says: "The default reply URL is missing from the list of reply URLs. Click here to fix it." This message may appear even if you've supplied a default reply URL. If it appears, click Click here to fix it.
- On the "SAML-based Sign-on" page, the information you saved should appear next to "Basic SAML Configuration".
- Kanopy does not ingest any user data that can be sent via SAML; you can skip the "User Attributes & Claims" section.
- Still on the "SAML-based Sign-on" page, under "SAML Signing Certificate," click Download next to "Federation Metadata XML." This will download the XML file containing your metadata. Send this file or the URL next to "App Federation Metadata Url" to your contact at Kanopy.
- Kanopy will ingest your SAML metadata and perform the necessary service provider configuration.
- Kanopy will let you know when your platform’s Azure authentication is ready to test. Kanopy may follow up with a request for test credentials. If test credentials are needed, please add a test user to “Users and groups” in your Kanopy enterprise application.
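Before sending your metadata to Kanopy, the "Basic SAML Configuration" values can be cross-checked against the service provider metadata you uploaded. The following is an added example, not Kanopy's or Microsoft's code. The embedded XML is a constructed stand-in built from the field values listed above, and the subdomain "myschool" is a placeholder.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
BIND = "urn:oasis:names:tc:SAML:2.0:bindings:"
AUTH = "https://auth.kanopy.com/module.php/saml/sp/"

# Constructed stand-in built from the field values listed above; it is NOT
# Kanopy's real metadata file. Use the XML you downloaded in the first step.
SAMPLE_SP_METADATA = f"""<md:EntityDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://auth.kanopy.com/sp"><md:SPSSODescriptor
    protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:SingleLogoutService Binding="{BIND}HTTP-Redirect"
    Location="{AUTH}saml2-logout.php/kanopycom-sp"/>
  <md:AssertionConsumerService Binding="{BIND}HTTP-POST" index="0"
    Location="{AUTH}saml2-acs.php/kanopycom-sp"/>
</md:SPSSODescriptor></md:EntityDescriptor>"""

def sp_values(metadata_xml):
    """Extract the values Azure auto-populates from SP metadata."""
    root = ET.fromstring(metadata_xml)
    acs = root.find(f".//{MD}AssertionConsumerService")
    slo = root.find(f".//{MD}SingleLogoutService")
    return {
        "EntityId": root.get("entityID"),
        "Reply URL": acs.get("Location") if acs is not None else None,
        "Logout Url": slo.get("Location") if slo is not None else None,
    }

def check_azure_fields(fields, metadata_xml, subdomain):
    """Return a list of problems with the Basic SAML Configuration values."""
    problems = []
    for name, expected in sp_values(metadata_xml).items():
        if fields.get(name) != expected:
            problems.append(f"{name}: does not match SP metadata")
    site = f"https://{subdomain}.kanopy.com"
    wanted = {"Sign on URL": site + "/signup/auth/university", "Relay State": site}
    for name, expected in wanted.items():
        value = fields.get(name, "")
        if "PREFIX" in value:
            problems.append(f"{name}: placeholder PREFIX not replaced")
        elif urlsplit(value).scheme != "https":
            problems.append(f"{name}: must use https")
        elif value.rstrip("/") != expected:
            problems.append(f"{name}: expected {expected}")
    return problems
```

An empty list means the five fields agree with the metadata and with your institution's subdomain.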