Difference between revisions of "LTI Authentication (for WeBWorK 2.18 or newer)"

From WeBWorK_wiki
Jump to navigation Jump to search
(27 intermediate revisions by the same user not shown)
Line 13: Line 13:
 
<code>cp /opt/webwork/webwork2/conf/authen_LTI.conf.dist /opt/webwork/webwork2/conf/authen_LTI.conf</code>
 
<code>cp /opt/webwork/webwork2/conf/authen_LTI.conf.dist /opt/webwork/webwork2/conf/authen_LTI.conf</code>
   
In <code>conf/localOverrides.conf</code> uncomment the line that reads <code>#include("conf/authen_LTI.conf");</code> by removing the <code>#</code> from the beginning of the line.
+
In <code>localOverrides.conf</code> uncomment the line that reads <code>#include("conf/authen_LTI.conf");</code> by removing the <code>#</code> from the beginning of the line.
   
 
Now determine which version of LTI you will be using, either LTI 1.1 or LTI 1.3. Note that both versions can be used by one WeBWorK server for different courses if needed.
 
Now determine which version of LTI you will be using, either LTI 1.1 or LTI 1.3. Note that both versions can be used by one WeBWorK server for different courses if needed.
   
If you will be using LTI 1.1, then uncomment the line in <code>conf/authen_LTI.conf</code> that reads <code>#include('conf/authen_LTI_1_1.conf');</code> by removing the <code>#</code> from the beginning of the line and copy the LTI 1.1 distribution configuration file with
+
If you will be using LTI 1.1, then uncomment the line in <code>authen_LTI.conf</code> that reads <code>#include('conf/authen_LTI_1_1.conf');</code> by removing the <code>#</code> from the beginning of the line and copy the LTI 1.1 distribution configuration file with
   
 
<code>cp /opt/webwork/webwork2/conf/authen_LTI_1_1.conf.dist /opt/webwork/webwork2/conf/authen_LTI_1_1.conf</code>
 
<code>cp /opt/webwork/webwork2/conf/authen_LTI_1_1.conf.dist /opt/webwork/webwork2/conf/authen_LTI_1_1.conf</code>
   
If you will be using LTI 1.3, then uncomment the line in <code>conf/authen_LTI.conf</code> that reads <code>#include('conf/authen_LTI_1_3.conf');</code> by removing the <code>#</code> from the beginning of the line and copy the LTI 1.3 distribution configuration file with
+
If you will be using LTI 1.3, then uncomment the line in <code>authen_LTI.conf</code> that reads <code>#include('conf/authen_LTI_1_3.conf');</code> by removing the <code>#</code> from the beginning of the line and copy the LTI 1.3 distribution configuration file with
   
 
<code>cp /opt/webwork/webwork2/conf/authen_LTI_1_3.conf.dist /opt/webwork/webwork2/conf/authen_LTI_1_3.conf</code>
 
<code>cp /opt/webwork/webwork2/conf/authen_LTI_1_3.conf.dist /opt/webwork/webwork2/conf/authen_LTI_1_3.conf</code>
   
Note that all WeBWorK LTI configuration variables that do not have a '''$LTI{v1p?}''' prefix are in the <code>conf/authen_LTI.conf</code> file, and are used by both versions of LTI. All variables that have the '''$LTI{v1p1}''' prefix are in the <code>conf/authen_LTI_1_1.conf</code> file, and are only used by LTI 1.1. All variables that have the '''$LTI{v1p3}''' prefix are in the <code>conf/authen_LTI_1_3.conf</code> file, and are only used by LTI 1.3.
+
Note that all WeBWorK LTI configuration variables that do not have a '''$LTI{v1p?}''' prefix are in the <code>authen_LTI.conf</code> file, and are used by both versions of LTI. All variables that have the '''$LTI{v1p1}''' prefix are in the <code>authen_LTI_1_1.conf</code> file, and are only used by LTI 1.1. All variables that have the '''$LTI{v1p3}''' prefix are in the <code>authen_LTI_1_3.conf</code> file, and are only used by LTI 1.3.
   
The followed are the variables defined in <code>conf/authen_LTI.conf</code>. Some of these are described in more detail later in this document.
+
The followed are the variables defined in <code>authen_LTI.conf</code>. Some of these are described in more detail later in this document.
   
 
* '''$debug_lti_parameters''': Set this to 1 to enable debugging. Getting LTI authentication set up can be tricky, and this can with troubleshooting the issues. Note that for LTI 1.1 most of these messages are displayed in the browser, but for LTI 1.3 you will need to inspect the <code>logs/webwork2.log</code> file to see the error messages. Make sure to set this back to 0 for production use.
 
* '''$debug_lti_parameters''': Set this to 1 to enable debugging. Getting LTI authentication set up can be tricky, and this can with troubleshooting the issues. Note that for LTI 1.1 most of these messages are displayed in the browser, but for LTI 1.3 you will need to inspect the <code>logs/webwork2.log</code> file to see the error messages. Make sure to set this back to 0 for production use.
Line 37: Line 37:
 
* '''$authen{admin_module}''': This is a list of authentication modules tha are allowed for signing in to the admin course. By default only "WeBWorK::Authen::Basic_TheLastOption" is allowed, which means that only username and password sign in is allowed. If you want to allow signing in to the admin course via LTI, then you can uncomment "WeBWorK::Authen::LTIAdvantage" (for LTI 1.3) or "WeBWorK::Authen::LTIAdvanced" (for LTI 1.1). This is not recommended.
 
* '''$authen{admin_module}''': This is a list of authentication modules tha are allowed for signing in to the admin course. By default only "WeBWorK::Authen::Basic_TheLastOption" is allowed, which means that only username and password sign in is allowed. If you want to allow signing in to the admin course via LTI, then you can uncomment "WeBWorK::Authen::LTIAdvantage" (for LTI 1.3) or "WeBWorK::Authen::LTIAdvanced" (for LTI 1.1). This is not recommended.
   
* '''$LTIVersion''': Set this to the LTI version that the courses on your server will be using. This is either "v1p1" for LTI version 1.1, or "v1p3" for LTI version 1.3. This can also be set in a course's course.conf file if different courses use different LTI versions.
+
* '''$LTIVersion''': Set this to the LTI version that the courses on your server will be using. This is either "v1p1" for LTI version 1.1, or "v1p3" for LTI version 1.3. This can also be set in a course's course.conf file to make a course use a different LTI version than the site wide default.
   
 
* '''$LTIAccountCreationCutoff''': WeBWorK will automatically create users when logging in via the LMS for the first time for users with a permission level below what this is set to. This is set to "ta" by default.
 
* '''$LTIAccountCreationCutoff''': WeBWorK will automatically create users when logging in via the LMS for the first time for users with a permission level below what this is set to. This is set to "ta" by default.
Line 71: Line 71:
 
[[File:MoodleConfigurationDetails.png|500px]]
 
[[File:MoodleConfigurationDetails.png|500px]]
   
The shown values in the order shown will be the values for the variables '''$LTI{v1p3}{PlatformID}''', '''$LTI{v1p3}{ClientID}''', '''$LTI{v1p3}{DeploymentID}''', '''$LTI{v1p3}{PublicKeysetURL}''', '''$LTI{v1p3}{AccessTokenURL}''', and '''$LTI{v1p3}{AuthReqURL}''', respectively, in the <code>conf/authen_LTI_1_3.conf</code> file. The "Access token URL" will also be the value for the '''$LTI{v1p3}{AccessTokenAUD}''' variable.
+
The shown values in the order shown will be the values for the variables '''$LTI{v1p3}{PlatformID}''', '''$LTI{v1p3}{ClientID}''', '''$LTI{v1p3}{DeploymentID}''', '''$LTI{v1p3}{PublicKeysetURL}''', '''$LTI{v1p3}{AccessTokenURL}''', and '''$LTI{v1p3}{AuthReqURL}''', respectively, in the <code>authen_LTI_1_3.conf</code> file. The "Access token URL" will also be the value for the '''$LTI{v1p3}{AccessTokenAUD}''' variable.
   
 
==== Canvas ====
 
==== Canvas ====
Line 91: Line 91:
 
[[File:CanvasPlacements.png|500px]]
 
[[File:CanvasPlacements.png|500px]]
   
After saving the developer key you will see the following. Make note of the long number above the "Show Key" button in the details column. That is the client id which will be needed in the next step and will be the value for the '''$LTI{v1p3}{ClientID}''' in the WeBWorK <code>conf/authen_LTI_1_3.conf</code> file.
+
After saving the developer key you will see the following. Make note of the long number above the "Show Key" button in the details column. That is the client id which will be needed in the next step and will be the value for the '''$LTI{v1p3}{ClientID}''' in the WeBWorK <code>authen_LTI_1_3.conf</code> file.
   
 
[[File:CanvasDeveloperKeyDetails.png|500px]]
 
[[File:CanvasDeveloperKeyDetails.png|500px]]
Line 99: Line 99:
 
[[File:CanvasAddApp.png|500px]]
 
[[File:CanvasAddApp.png|500px]]
   
After submitting Canvas will return to the "Apps" tab in "Settings". Find the app you just created and click on the gear icon drop down menu to the right. Select "Deployment ID" and save the deployment ID that is shown. This will be the value for the '''$LTI{v1p3}{DeploymentID}''' in the WeBWorK <code>conf/authen_LTI_1_3.conf</code> file.
+
After submitting Canvas will return to the "Apps" tab in "Settings". Find the app you just created and click on the gear icon drop down menu to the right. Select "Deployment ID" and save the deployment ID that is shown. This will be the value for the '''$LTI{v1p3}{DeploymentID}''' in the WeBWorK <code>authen_LTI_1_3.conf</code> file.
   
The other variables that will need to be set in the <code>conf/authen_LTI_1_3.conf</code> file are as follows:
+
The other variables that will need to be set in the <code>authen_LTI_1_3.conf</code> file are as follows:
   
 
* '''$LTI{v1p3}{PlatformID}''': Either '<nowiki>https://canvas.instructure.com</nowiki>' or '<nowiki>https://yourschool.instructure.com</nowiki>' (It is not known at the time of this writing which this will need to be in production.)
 
* '''$LTI{v1p3}{PlatformID}''': Either '<nowiki>https://canvas.instructure.com</nowiki>' or '<nowiki>https://yourschool.instructure.com</nowiki>' (It is not known at the time of this writing which this will need to be in production.)
Line 117: Line 117:
 
Now configure WeBWorK for LTI 1.3 authentication.
 
Now configure WeBWorK for LTI 1.3 authentication.
   
In the <code>conf/authen_LTI_1_3.conf</code> file set the LTI 1.3 basic authentication parameters '''$LTI{v1p3}{PlatformID}''', '''$LTI{v1p3}{ClientID}''', '''$LTI{v1p3}{DeploymentID}''', '''$LTI{v1p3}{PublicKeysetURL}''', '''$LTI{v1p3}{AccessTokenURL}''', '''$LTI{v1p3}{AccessTokenAUD}''', '''$LTI{v1p3}{AuthReqURL}''' to the values found in the LMS configuration above.
+
In the <code>authen_LTI_1_3.conf</code> file set the LTI 1.3 basic authentication parameters '''$LTI{v1p3}{PlatformID}''', '''$LTI{v1p3}{ClientID}''', '''$LTI{v1p3}{DeploymentID}''', '''$LTI{v1p3}{PublicKeysetURL}''', '''$LTI{v1p3}{AccessTokenURL}''', '''$LTI{v1p3}{AccessTokenAUD}''', '''$LTI{v1p3}{AuthReqURL}''' to the values found in the LMS configuration above.
  +
  +
Set <code>$LTIVersion = 'v1p3';</code> in <code>authen_LTI.conf</code>. You may instead set this in the <code>course.conf</code> files of the courses that you want to use LTI 1.3 for, leave <code>$LTIVersion = 'v1p1';</code> in <code>authen_LTI.conf</code> if most of the courses on your server will be using LTI 1.1.
   
 
There are some other options that can be set as well. Some of these are discussed in more detail in other sections of this document.
 
There are some other options that can be set as well. Some of these are discussed in more detail in other sections of this document.
Line 126: Line 126:
   
 
* '''$LTI{v1p3}{preferred_source_of_username}''': When a user logs into WeBWorK from the LMS WeBWorK needs to determine the username of the person logging in. This determines which parameter sent from the LMS to use for the WeBWorK username. This is "email" by default, but can be set to any parameter included in the JWT sent from the LMS that uniquely identifies users.
 
* '''$LTI{v1p3}{preferred_source_of_username}''': When a user logs into WeBWorK from the LMS WeBWorK needs to determine the username of the person logging in. This determines which parameter sent from the LMS to use for the WeBWorK username. This is "email" by default, but can be set to any parameter included in the JWT sent from the LMS that uniquely identifies users.
** You can set '''$debug_lti_parameters = 1''' in <code>conf/authen_LTI.conf</code> to help find which parameter to use for this.
+
** You can set '''$debug_lti_parameters = 1''' in <code>authen_LTI.conf</code> to help find which parameter to use for this.
 
** If this variable is set to "email", then by default the entire email address is used. If you don't want to use the entire email address you can also set '''$LTI{v1p3}{strip_domain_from_email} = 1''' and WeBWorK will remove the domain name from the email address when creating the username.
 
** If this variable is set to "email", then by default the entire email address is used. If you don't want to use the entire email address you can also set '''$LTI{v1p3}{strip_domain_from_email} = 1''' and WeBWorK will remove the domain name from the email address when creating the username.
   
Line 134: Line 134:
   
 
* '''$LTI{v1p3}{preferred_source_of_student_id}''': The parameter sent from the LMS to use for the WeBWorK student id. This is optional and is not set by default.
 
* '''$LTI{v1p3}{preferred_source_of_student_id}''': The parameter sent from the LMS to use for the WeBWorK student id. This is optional and is not set by default.
** You can set '''$debug_lti_parameters = 1''' in <code>conf/authen_LTI.conf</code> to help find which parameter to use for this.
+
** You can set '''$debug_lti_parameters = 1''' in <code>authen_LTI.conf</code> to help find which parameter to use for this.
   
 
* '''$LTI{v1p3}{StateKeyLifetime}''': When the WeBWorK responds to an initial LMS request it includes state and nonce values in that request. These values are saved in the database until the response from the LMS to that request is received. This variable controls how long in seconds this data will be saved in the database before it is considered stale and deleted. It should be short enough to accomodate normal server and networking delays. Note that if authentication is successful this will be deleted before this lifetime expires in any case. This is only to ensure that keys from failed authentication attempts don't pile up in the database.
 
* '''$LTI{v1p3}{StateKeyLifetime}''': When the WeBWorK responds to an initial LMS request it includes state and nonce values in that request. These values are saved in the database until the response from the LMS to that request is received. This variable controls how long in seconds this data will be saved in the database before it is considered stale and deleted. It should be short enough to accomodate normal server and networking delays. Note that if authentication is successful this will be deleted before this lifetime expires in any case. This is only to ensure that keys from failed authentication attempts don't pile up in the database.
Line 148: Line 148:
 
=== LTI 1.1 WeBWorK Configuration ===
 
=== LTI 1.1 WeBWorK Configuration ===
   
In <code>conf/authen_LTI_1_1.conf</code> set '''$LTI{v1p1}{BasicConsumerSecret}'''. This acts like a global password and is used to authenticate all communication between WeBWorK and the LMS. So pick something reasonably complicated.
+
In <code>authen_LTI_1_1.conf</code> set '''$LTI{v1p1}{BasicConsumerSecret}'''. This acts like a global password and is used to authenticate all communication between WeBWorK and the LMS. So pick something secure.
  +
  +
Set <code>$LTIVersion = 'v1p1';</code> in <code>authen_LTI.conf</code> (this is the default setting). You may instead set this in the <code>course.conf</code> files of the courses that you want to use LTI 1.1 for, and set <code>$LTIVersion = 'v1p3';</code> in <code>authen_LTI.conf</code> if most of the courses on your server will be using LTI 1.3.
   
 
There are some other options that can be set as well. Some of these are discussed in more detail in other sections of this document.
 
There are some other options that can be set as well. Some of these are discussed in more detail in other sections of this document.
Line 160: Line 160:
 
** If this variable is set to "lis_person_contact_email_primary" then the email address provided by the LMS will be used for the WeBWorK username.
 
** If this variable is set to "lis_person_contact_email_primary" then the email address provided by the LMS will be used for the WeBWorK username.
 
*** By default the entire email address is used. If you don't want to use the entire email address you can also set '''$LTI{v1p1}{strip_domain_from_email} = 1''' and WeBWorK will strip off the server portion of the email address when creating the username.
 
*** By default the entire email address is used. If you don't want to use the entire email address you can also set '''$LTI{v1p1}{strip_domain_from_email} = 1''' and WeBWorK will strip off the server portion of the email address when creating the username.
** You can set '''$debug_lti_parameters = 1''' in <code>conf/authen_LTI.conf</code> to help find which parameter to use for this.
+
** You can set '''$debug_lti_parameters = 1''' in <code>authen_LTI.conf</code> to help find which parameter to use for this.
   
 
* '''$LTI{v1p1}{fallback_source_of_username}''': If the parameter set for $LTI{v1p1}{preferred_source_of_username} can not be found, then the parameter set for this variable will be used instead if it can be found in the parameters. This is not set by default.
 
* '''$LTI{v1p1}{fallback_source_of_username}''': If the parameter set for $LTI{v1p1}{preferred_source_of_username} can not be found, then the parameter set for this variable will be used instead if it can be found in the parameters. This is not set by default.
Line 167: Line 167:
   
 
* '''$LTI{v1p1}{preferred_source_of_student_id}''': The parameter sent from the LMS to use for the WeBWorK student id. This is optional and is not set by default.
 
* '''$LTI{v1p1}{preferred_source_of_student_id}''': The parameter sent from the LMS to use for the WeBWorK student id. This is optional and is not set by default.
** You can set '''$debug_lti_parameters = 1''' in <code>conf/authen_LTI.conf</code> to help find which parameter to use for this.
+
** You can set '''$debug_lti_parameters = 1''' in <code>authen_LTI.conf</code> to help find which parameter to use for this.
   
 
* '''$LTI{v1p1}{NonceLifeTime}''': When the LMS sends a user to WeBWorK it makes a request identified by a "Nonce". This variable controls how long the Nonce is valid, in seconds, from the time it is created by the LMS. It should be short enough to prevent "casual" man-in-the-middle attacks. However, you may need to set it to something longer if your servers/network are slow or if the clocks on your servers are not synced.
 
* '''$LTI{v1p1}{NonceLifeTime}''': When the LMS sends a user to WeBWorK it makes a request identified by a "Nonce". This variable controls how long the Nonce is valid, in seconds, from the time it is created by the LMS. It should be short enough to prevent "casual" man-in-the-middle attacks. However, you may need to set it to something longer if your servers/network are slow or if the clocks on your servers are not synced.
Line 181: Line 181:
 
=== LTI 1.1 LMS Configuration ===
 
=== LTI 1.1 LMS Configuration ===
   
Next you need to set up your LMS. In general you will need to provide the LMS the following things:
+
Next you need to configure your LMS. In general you will need to provide the LMS the following things:
   
* The address of your WeBWorK server. Note: The address here needs to exactly match the address of your webwork server as defined in site.conf, e.g. it should be the combination of '''$server_root_url''' and '''$webwork_url'''
+
* The address of your WeBWorK server. Note: The address here needs to exactly match the address of your webwork server as defined in <code>site.conf</code>, i.e., it should be the combination of '''$server_root_url''' and '''$webwork_url'''
 
* The "Tool Provider Key" or "Consumer Key". This is just some made up word, like "webwork" or "smargleborg".
 
* The "Tool Provider Key" or "Consumer Key". This is just some made up word, like "webwork" or "smargleborg".
* The "Tool Provider Secret" or "Consumer Secret". This is the password used to identify the LMS to your WeBWorK site (and vice versa) and should be the same as '''$LTIBasicConsumerSecret'''.
+
* The "Tool Provider Secret" or "Consumer Secret". This is the password used to identify the LMS to your WeBWorK site (and vice versa) and should be the same as '''$LTI{v1p1}{BasicConsumerSecret}'''.
* What kind of user information is provided to WeBWorK.
+
* What user information is submitted to WeBWorK.
   
The specifics in setting up the LMS vary depending on what LMS you use. Instructions for Blackboard, Moodle and Canvas are below. Note, when the instructions refer to the "LTI" or "Tool", that is WeBWorK. A couple of other things to think about:
+
The specifics in setting up the LMS vary depending on which LMS you use. Instructions for Blackboard, Moodle, Canvas, and BrightSpace's Desire2Learn are below. An instructor can perform these instructions at the course level, and this will apply to only that course, or an LMS administrator can do this at the system level so that it applies to all courses on the system.
* Its usually best to have WeBWorK open in a new window. There are usually settings you can set which will control this. However feel free to experiment with other settings until you find a mode you like.
+
* If you want to get fancy you can also try to have the LMS provide section or recitation information by setting a custom parameter. In all of the configurations there is a "Custom Fields" section. You would specify "section = #" or "recitation = #" to set the section or recitation.
+
You can also try to have the LMS provide section or recitation information by setting a custom parameter. In all of the configurations there is a "Custom Fields" section. You would specify "section = #" or "recitation = #" to set the section or recitation.
   
 
==== Blackboard ====
 
==== Blackboard ====
The instructions are [https://en-us.help.blackboard.com/Learn/9.1_2014_04/Administrator/070_Server_Management_and_Integrations/System_Integration/LTI here]. Brief instructions and a screenshot follow.
 
   
 
[[File:blackboard-lti-setup.png|500px]]
 
[[File:blackboard-lti-setup.png|500px]]
Line 199: Line 198:
 
# In the Administrator Panel (under Building Blocks) click LTI Tool Providers and then Register Provider Domain
 
# In the Administrator Panel (under Building Blocks) click LTI Tool Providers and then Register Provider Domain
 
# Input the address of the WeBWorK server in Provider Domain
 
# Input the address of the WeBWorK server in Provider Domain
# Use Set Globally for Default configuration and input the Tool Provider Key (any word, e.g. webwork) and the Tool Provider Secret (e.g.$LTIBasicConsumerSecret)
+
# Use Set Globally for Default configuration and input the Tool Provider Key (any word, e.g. webwork) and the Tool Provider Secret ($LTI{v1p1}{BasicConsumerSecret})
# Enable Send User Data. (Restricting to ssl is safer if you have https enabled.) Then enable all three user fields.
+
# Enable Send User Data. (Restricting to ssl is safer if you have https enabled.) Then enable all three user fields.
   
 
==== Moodle ====
 
==== Moodle ====
 
The instructions are [https://docs.moodle.org/30/en/External_tool_settings here]. Basic instructions and a screenshot follow
 
   
 
[[File:moodle-lti-setup.png|500px]]
 
[[File:moodle-lti-setup.png|500px]]
Line 210: Line 207:
 
# Go to Site administration > Plugins > Activity modules > LTI > Manage external tool types and click "Add External Tool Configuration"
 
# Go to Site administration > Plugins > Activity modules > LTI > Manage external tool types and click "Add External Tool Configuration"
 
# Input the Tool Name and the WeBWorK server address as the Tool Base URL
 
# Input the Tool Name and the WeBWorK server address as the Tool Base URL
# Input the Consumer Key (any word e.g. webwork) and the Shared Secret (e.g. $LTIBasicConsumerSecret).
+
# Input the Consumer Key (any word e.g. webwork) and the Shared Secret ($LTIBasicConsumerSecret).
# In Privacy set both "Share" configurations to "Always". If you have https available its safer to also enable "Force SSL".
+
# In Privacy set both "Share" configurations to "Always". If you have https available its safer to also enable "Force SSL".
   
 
==== Canvas ====
 
==== Canvas ====
 
The instructions are [https://guides.instructure.com/m/4152/l/57103-how-do-i-manually-configure-an-external-app-for-a-course here]. The basic instructions and a screenshot follow.
 
   
 
[[File:canvas-lti-setup.png|500px]]
 
[[File:canvas-lti-setup.png|500px]]
Line 222: Line 217:
 
# Choose "Manual Entry" for configuration type.
 
# Choose "Manual Entry" for configuration type.
 
# The "Launch URL" is the url of the course and can be left blank. The "Domain" is just the server address
 
# The "Launch URL" is the url of the course and can be left blank. The "Domain" is just the server address
# Input the Consumer Key (any word e.g. webwork) and the Shared Secret (e.g. $LTIBasicConsumerSecret).
+
# Input the Consumer Key (any word, e.g., webwork) and the Shared Secret ($LTI{v1p1}{BasicConsumerSecret}).
 
# You should set "Privacy" to "Public".
 
# You should set "Privacy" to "Public".
   
'''Warning:''' A recent Canvas security related change prevents copying the LTI key and LTI consumer secret when course content is copied to a new course. Those values need to be set again manually in the new course. See: [http://webwork.maa.org/moodle/mod/forum/discuss.php?d=4619 the forum post by Tim Payer].
+
'''Warning:''' Canvas does not copy the consumer key and consumer secret when course content is copied to a new course. Those values need to be set again manually for the new course.
   
==== Desire2Learn (D2L) BrightSpace ====
+
==== BrightSpace Desire2Learn (D2L) ====
   
See [[LTI-Advanced_Authentication_for_D2L]]
 
  +
This assumes that you will be using the email address stored in D2L (or just the first part of the email address) as the username in WeBWorK. Currently this is the only supported format when linking with D2L, as D2L does not send the user ID using the same convention as other Learning Management Systems. So you will need to set <code>$LTI{v1p1}{preferred_source_of_username} = "lis_person_contact_email_primary";</code> in <code>authen_LTI_1_1.conf</code> in order for these instructions to work. If you prefer to use only the first part of the email address as the username in WeBWorK, then you should also set <code>$strip_address_from_email = 1;</code>.
   
=== Adding Links To WeBWorK ===
 
  +
# Navigate to the Manage External Tools page (as an instructor, this can be found as follows. Go to the Content Browser. Within a content area, click on the "Add Existing Activities" drop-down, and choose "External Learning Tools", then click on "Manage External Tools" at the bottom.
  +
# Click on "Manage Tool Providers" at the top.
  +
# Click on "New Tool Provider", and fill in the following values:
  +
{| class="wikitable"
  +
|-
  +
|Launch Point
  +
|The full url of your webwork server. Typically something like <nowiki>https://webwork.yourschool.edu/webwork2</nowiki>
  +
|-
  +
|Secret
  +
|A random string that must match the variable $LTI{v1p1}{BasicConsumerSecret} set in <code>authen_LTI.conf</code>
  +
|-
  +
|Tool consumer information
  +
|Check the box "Use custom tool consumer information instead of default"
  +
|-
  +
|Key
  +
|Can be any string, but do not leave blank.
  +
|-
  +
|Name
  +
|Optional
  +
|-
  +
|Description
  +
|Optional
  +
|-
  +
|Contact Email
  +
|Optional
  +
|-
  +
|Visibility
  +
|Click "Allow users to use this tool provider"
  +
|-
  +
|Security settings
  +
|Check the following:
  +
"Send user ID to tool provider"
  +
"Send user email to tool provider"
  +
"Send system role to tool provider"
  +
|-
  +
|Make tool provider available to
  +
|You can choose which courses or organizational units can use this tool. Note that courses not selected here would still be able to create WeBWorK links, but they would have to be set up manually
  +
|}
   
Once you have set up your WeBWorK configuration files and added WeBWorK as an LTI Tool to your LMS you will need to make a link/assignment in the LMS that students can use to get to WeBWorK. This needs to be done in every LMS course which uses WeBWorK. Again, the process for this varies depending on what LMS you are using. I'll describe the basic process for Moodle, Blackboard and Canvas. Be aware that each LMS has its own quirks and possibilities. In some LMS you can make a link in the side bar as a "course tool", or as a "module", or add it to the navigation bar. In some LMS the links go in the "Content Area". In some LMS the links go in the "Assignment List". Consult your LMS documentation for a full description on where and how LTI links can be included. A couple of other things to think about:
 
  +
== Adding Links To WeBWorK ==
* Its usually best to have WeBWorK open in a new window. There are usually settings you can set which will control this. However feel free to experiment with other settings until you find a mode you like.
 
* If you want to get fancy you can also try to have the LMS provide section or recitation information by setting a custom parameter. In all of the configurations there is a "Custom Fields" section. You would specify "section = #" or "recitation = #" to set the section or recitation.
 
   
==== Blackboard ====
 
  +
Once you have set up your WeBWorK configuration files and added WeBWorK as an LTI Tool to your LMS you will need to make a link/assignment in the LMS that students can use to get to WeBWorK. This needs to be done in every LMS course which uses WeBWorK. The process for this varies depending on what LMS you are using. Instructions for Moodle, Blackboard, Canvas, and BrightSpace's Desire2Learn are below.
  +
  +
It is usually best to have WeBWorK open in a new window. There are usually settings you can set when creating a link/assignment in the LMS which will control this.
   
The documentation is [https://credoreference.zendesk.com/hc/en-us/articles/207503743-Blackboard-LTI-Integration-Adding-a-Web-Link here]. A screenshot and basic instructions follow.
 
  +
=== Blackboard ===
   
 
[[File:blackboard-lti-link.png|500px]]
 
[[File:blackboard-lti-link.png|500px]]
   
# Go to Conent > Build Content > (Create) Web Link
+
# Go to Content > Build Content > (Create) Web Link
# Add a Name for your link and the URL of the course you are linking to. You can get the url using "copy link location" on the link to the course in the main WeBWorK page. Alternatively the url structure is: '''<nowiki>http://webwork.server.edu/webwork2/CourseName</nowiki>'''
+
# Add a Name for your link and the URL of the WeBWorK course or assignment that you are linking to. The URL structure is either <nowiki>https://webwork.yourschool.edu/webwork2/coursename</nowiki> or <nowiki>https://webwork.yourschool.edu/webwork2/coursename/assignmentname</nowiki>.
 
# Check "This link is a Tool Provider"*
 
# Check "This link is a Tool Provider"*
   
 
* You may need to enable "LTI" in Customization => Tool Availability if the checkbox for "This link is a Tool Provider" is not shown
 
* You may need to enable "LTI" in Customization => Tool Availability if the checkbox for "This link is a Tool Provider" is not shown
   
==== Moodle ====
+
=== Moodle ===
   
 
The documentation is [https://docs.moodle.org/30/en/External_tool_settings here]. A screenshot and basic instructions follow.
 
The documentation is [https://docs.moodle.org/30/en/External_tool_settings here]. A screenshot and basic instructions follow.
Line 257: Line 289:
 
# Go to a Course, Turn "Editing" on, and click "Add an activity or resource".
 
# Go to a Course, Turn "Editing" on, and click "Add an activity or resource".
 
# Choose "External Tool" and click "Add".
 
# Choose "External Tool" and click "Add".
# Pick an activity name and add the URL of the course you are linking to. You can get the url using "copy link location" on the link to the course in the main WeBWorK page. Alternatively the url structure is: '''<nowiki>http://webwork.server.edu/webwork2/CourseName</nowiki>'''
+
# Pick an activity name and add the URL for a WeBWorK course or assignment. The URL structure is either <nowiki>https://webwork.yourschool.edu/webwork2/coursename</nowiki> or <nowiki>https://webwork.yourschool.edu/webwork2/coursename/assignmentname</nowiki>.
   
==== Canvas ====
+
=== Canvas ===
   
 
The documentation is [https://guides.instructure.com/m/4152/l/501360-how-do-i-add-an-external-app-as-an-assignment-submission-type here]. A screenshot and basic instructions follow.
 
The documentation is [https://guides.instructure.com/m/4152/l/501360-how-do-i-add-an-external-app-as-an-assignment-submission-type here]. A screenshot and basic instructions follow.
Line 267: Line 299:
 
# Go to your Course, then Assignments, then add an assignment.
 
# Go to your Course, then Assignments, then add an assignment.
 
# Select "External Tool" for Submission type.
 
# Select "External Tool" for Submission type.
# Input the URL of the course you are linking to. You can get the url using "copy link location" on the link to the course in the main WeBWorK page. Alternatively the url structure is: '''<nowiki>http://webwork.server.edu/webwork2/CourseName</nowiki>'''
+
# Input the URL of the WeBWorK course or assignment that you are linking to. The URL structure is either <nowiki>https://webwork.yourschool.edu/webwork2/coursename</nowiki> or <nowiki>https://webwork.yourschool.edu/webwork2/coursename/assignmentname</nowiki>.
  +
  +
=== BrightSpace Desire2Learn (D2L) ===
   
'''Warning:''' A recent Canvas security related change prevents copying the LTI key and LTI consumer secret when course content is copied to a new course. Those values need to be set again manually in the new course. See: [http://webwork.maa.org/moodle/mod/forum/discuss.php?d=4619 the forum post by Tim Payer].
 
  +
# Navigate to the content area in your D2L course where you would like the link to reside.
  +
# From the "Add Existing Activities" menu, select "External Learning Tools".
  +
# Click "Manage External Tools"
  +
# Click the New Link button
  +
# Under "Title", fill in whatever text you would like to see for the link in D2L
  +
# For URL, enter the URL to the course or the assignment, typically either <nowiki>https://webwork.yourschool.edu/webwork2/coursename</nowiki> or <nowiki>https://webwork.yourschool.edu/webwork2/coursename/assignmentname</nowiki>
  +
# Check "Allow users to view this link"
  +
# For Key/Secret, check "Sign messages with key/secret with", and select "Tool consumer key secret"
  +
# For Security Settings, select "Use tool provider security settings"
   
 
== Automatic Student Account Management ==
 
== Automatic Student Account Management ==
Line 288: Line 328:
 
** '''$LTIAccountCreationCutoff''': Users with permission levels at or above this value are not automatically created. It is set to 'ta' by default. You will need to manually add users at or above this value to a course before they can log in via the LMS. If you want to allow professors to be created automatically set this variable to 'professor'. If you want to turn off the account creation feature set this variable to 'guest' or 'student'.
 
** '''$LTIAccountCreationCutoff''': Users with permission levels at or above this value are not automatically created. It is set to 'ta' by default. You will need to manually add users at or above this value to a course before they can log in via the LMS. If you want to allow professors to be created automatically set this variable to 'professor'. If you want to turn off the account creation feature set this variable to 'guest' or 'student'.
 
** '''$LTI{v1p?}{LMSrolesToWeBWorKroles}''': If your LMS uses roles not listed in this hash you will need to add those roles so that users get the right WeBWorK permission level.
 
** '''$LTI{v1p?}{LMSrolesToWeBWorKroles}''': If your LMS uses roles not listed in this hash you will need to add those roles so that users get the right WeBWorK permission level.
** '''$LTI{v1p?}{LTI_modify_user}''': This is a subroutine which you can use to modify a newly created user before they are actually added to WeBWorK. You would use this if you wanted to, for example, analyze the LTI context parameter for a section number and set the student's section, or create a random string which you set as the student ID and the students password. There are example subroutines in the <code>conf/authen_LTI_1_1.conf</code> and <code>conf/authenLTI_1_3.conf</code> files.
+
** '''$LTI{v1p?}{LTI_modify_user}''': This is a subroutine which you can use to modify a newly created user before they are actually added to WeBWorK. You would use this if you wanted to, for example, analyze the LTI context parameter for a section number and set the student's section, or create a random string which you set as the student ID and the students password. There are example subroutines in the <code>authen_LTI_1_1.conf</code> and <code>authenLTI_1_3.conf</code> files.
** '''$LTI{v1p?}{LTI_modify_set}''': This is a subroutine which you can use to modify newly created sets before they are assigned to users. You would use this if you wanted to, for example, modify the due date of the set before it is assigned, adding extra days based on the number of sets assigned. There are example subroutines in the <code>conf/authen_LTI_1_1.conf</code> and <code>conf/authenLTI_1_3.conf</code> files.
+
** '''$LTI{v1p?}{LTI_modify_set}''': This is a subroutine which you can use to modify newly created sets before they are assigned to users. You would use this if you wanted to, for example, modify the due date of the set before it is assigned, adding extra days based on the number of sets assigned. There are example subroutines in the <code>authen_LTI_1_1.conf</code> and <code>authenLTI_1_3.conf</code> files.
   
 
== Additional Authentication Setups ==
 
== Additional Authentication Setups ==
   
If your LMS uses an LDAP system for authentication you can set WeBWorK to also use LDAP authentication (see [[LDAP Authentication]]). This will allow students to log into WeBWorK using their LDAP/LMS credentials (once their account is created in WeBWorK). To do this you should first comment out the following lines in <code>conf/authen_ldap.conf</code>
+
If your LMS uses an LDAP system for authentication you can set WeBWorK to also use LDAP authentication (see [[LDAP Authentication]]). This will allow students to log into WeBWorK using their LDAP/LMS credentials (once their account is created in WeBWorK). To do this you should first comment out the following lines in <code>authen_ldap.conf</code>
   
 
#$authen{user_module} = {
 
#$authen{user_module} = {
Line 299: Line 339:
 
#};
 
#};
   
In <code>conf/authen_LTI.conf</code> you should change the definition of '''$authen{user_module}''' to
+
In <code>authen_LTI.conf</code> you should change the definition of '''$authen{user_module}''' to
   
 
$authen{user_module} = [
 
$authen{user_module} = [
Line 309: Line 349:
 
You should also make sure that '''$external_auth''' is set to 0.
 
You should also make sure that '''$external_auth''' is set to 0.
   
== Make LTI connections for a single course ==
+
== Use Different LTI Configurations for Courses ==
* LTI -- The LTI connection between Canvas, Blackboard, Moodle and WeBWorK was introduced in release 2.12 but best practices for configuring the connection are still emerging.
 
   
* In webwork2/conf make a copy authen_LTI.conf from authen_LTI.conf.dist if you haven't done so already.
 
  +
Configure WeBWorK to use LTI as directed above. Then add any of the configuration variables defined in <code>authen_LTI.conf</code>, <code>authen_LTI_1_1.conf</code>, or <code>authen_LTI_1_3.conf</code> to the end of a course's <code>course.conf</code> file to use different values for this course than the site wide settings.
* In localOverrides.conf make sure that authen_LTI.conf is enabled and set global settings for the grading mode and debugging:
 
include("conf/authen_LTI.conf");
 
$debug_lti_parameters = 0;
 
$LTIGrademode=“”;
 
* At the end of course.conf for the course using LTI place these statements:
 
# Settings to connect this course to Canvas via LTI.
 
$LTIGradeOnSubmit = 1; # or 0 if grade pass-back is not used
 
$debug_lti_parameters = 0; # you can set this to 1 for initial setup in order to get additional debugging information
 
$LTIBasicConsumerSecret = "XXXsecretXXX";
 
$LTIGradeMode = "homework";
 
$external_auth = 0; # this allows both LTI and direct authorization to work simultaneously (use carefully, LTI registered students who try to
 
# login directly will be told they have an incorrect password since LTI creates a random practice that is never used.
 
# instructors will be able to login directly
 
*** For more details read Goeff Goehle's blog posts ([http://webworkgoehle.blogspot.com/2016/03/webwork-lti-authentication.html]) and the comments in authen_LTI.conf.dist, and LTIAdvanced.pm
 
   
 
== Grade Pass-back ==
 
== Grade Pass-back ==
   
 
There is an optional subsystem for allowing WeBWorK to pass grades back to the LMS. You can read more about that at [[LTI-Advanced Grading]]
 
There is an optional subsystem for allowing WeBWorK to pass grades back to the LMS. You can read more about that at [[LTI-Advanced Grading]]
 
== Gotchas ==
 
 
* ''I set '''$debug_lti_parameters''' to one but I don't see any debugging info.'' This means that the LTI authentication module is not getting called, or is getting called without parameters.
 
** The LTI parameters are only set in the 'initial' login. Make sure you log out of WeBWorK before trying to log back in via the LMS.
 
** If you have multiple authentication plugins activated make sure that '''$authen{user_module}''' is not getting overwritten by a different authentication module.
 
** If you have https and are forwarding http calls to https, make sure that the link in the LMS is https.
 
* ''I get an "OAuth verification failed" error.'' This means that WeBWorK cannot verify the authentication request sent by the LMS. This usually means that you have trouble with either the consumer secret or your WeBWorK address.
 
** Double check that your consumer secrets are the same.
 
** Double check that your urls match. In particular the URL you put in the LMS has to match the server url defined in '''site.conf''', '''localOverrides.conf''', and '''authen_LTI.conf'''. For example, if you have an "https" in the URL in the LMS then you should have an "https" in the value of '''$server_root_url'''.
 
* ''I get an "LTIAdvanced was unable to create a username from the user_id or from the mail address." error.'' WeBWorK uses either the parameter "lis_person_sourcedid" or the parameter "lis_person_contact_email_primary" to build the user id. If neither of these are present the system will fail. Make sure the "privacy" mode is set to "public" (or the most permissive setting) in the LMS to guarantee that it is sending enough info for WeBWorK to create a user.
 
* ''I get an "Your authentication failed. Please try again. Please speak with your instructor if you need help." in Canvas, after copying a course to a new semester.
 
[[Category:Administrators]]
 
[[Category:Authentication]]
 

Revision as of 23:13, 21 April 2024

Learning Management Systems (LMS) like Blackboard, Moodle, Canvas, and BrightSpace's Desire2Learn all support a protocol called Learning Tools Interoperability (LTI) which can be used to connect learning tools like WeBWorK to the LMS in a standardized fashion.

This page documents how to setup LTI authentication for WeBWorK 2.18 and beyond. For prior versions of WeBWorK see https://webwork.maa.org/wiki/LTI-Advanced_Authentication.

LTI Authentication

Before you can use WeBWorK's LTI features you need to do some initial setup. This will need to be done by a system administrator and in particular often requires administrator access to both WeBWorK and your Learning Management System.

First Time WeBWorK Setup

Start by making a copy of the distribution configuration file needed with the following command.

cp /opt/webwork/webwork2/conf/authen_LTI.conf.dist /opt/webwork/webwork2/conf/authen_LTI.conf

In localOverrides.conf uncomment the line that reads #include("conf/authen_LTI.conf"); by removing the # from the beginning of the line.

Now determine which version of LTI you will be using, either LTI 1.1 or LTI 1.3. Note that both versions can be used by one WeBWorK server for different courses if needed.

If you will be using LTI 1.1, then uncomment the line in authen_LTI.conf that reads #include('conf/authen_LTI_1_1.conf'); by removing the # from the beginning of the line and copy the LTI 1.1 distribution configuration file with

cp /opt/webwork/webwork2/conf/authen_LTI_1_1.conf.dist /opt/webwork/webwork2/conf/authen_LTI_1_1.conf

If you will be using LTI 1.3, then uncomment the line in authen_LTI.conf that reads #include('conf/authen_LTI_1_3.conf'); by removing the # from the beginning of the line and copy the LTI 1.3 distribution configuration file with

cp /opt/webwork/webwork2/conf/authen_LTI_1_3.conf.dist /opt/webwork/webwork2/conf/authen_LTI_1_3.conf

Note that all WeBWorK LTI configuration variables that do not have a $LTI{v1p?} prefix are in the authen_LTI.conf file, and are used by both versions of LTI. All variables that have the $LTI{v1p1} prefix are in the authen_LTI_1_1.conf file, and are only used by LTI 1.1. All variables that have the $LTI{v1p3} prefix are in the authen_LTI_1_3.conf file, and are only used by LTI 1.3.

The followed are the variables defined in authen_LTI.conf. Some of these are described in more detail later in this document.

  • $debug_lti_parameters: Set this to 1 to enable debugging. Getting LTI authentication set up can be tricky, and this can with troubleshooting the issues. Note that for LTI 1.1 most of these messages are displayed in the browser, but for LTI 1.3 you will need to inspect the logs/webwork2.log file to see the error messages. Make sure to set this back to 0 for production use.
  • $debug_lti_grade_passback: Set this to 1 to get debugging information when using grade pass back. As with the previous option, the messages for LTI 1.1 are displayed in the browser, but most LTI 1.3 messages will be in the logs/webwork2.log file. Make sure that this is also set to 0 for production use.
  • $authen{user_module}: This is a list of authentication modules in the order that they will be considered when a request is received by WeBWorK. Usually you will not need to modify this from the default values.
  • $authen{admin_module}: This is a list of authentication modules tha are allowed for signing in to the admin course. By default only "WeBWorK::Authen::Basic_TheLastOption" is allowed, which means that only username and password sign in is allowed. If you want to allow signing in to the admin course via LTI, then you can uncomment "WeBWorK::Authen::LTIAdvantage" (for LTI 1.3) or "WeBWorK::Authen::LTIAdvanced" (for LTI 1.1). This is not recommended.
  • $LTIVersion: Set this to the LTI version that the courses on your server will be using. This is either "v1p1" for LTI version 1.1, or "v1p3" for LTI version 1.3. This can also be set in a course's course.conf file to make a course use a different LTI version than the site wide default.
  • $LTIAccountCreationCutoff: WeBWorK will automatically create users when logging in via the LMS for the first time for users with a permission level below what this is set to. This is set to "ta" by default.
  • $LMSManageUserData: If set to 1 (the default setting), then WeBWorK's user demographic data will be kept up to date with the data from the LMS.
  • $external_auth: If set to 1, then the username and password fields will not be displayed on the WeBWorK login page. Instead a message will be shown informing users to sign in via the LMS. This is set to 0 by default.
  • $LTIGradeMode, $LTIGradeOnSubmit, $LTICheckPrior, and $LTIMassUpdateInterval: These are for grade passback. Details on these will be given later in this document.
  • @LTIConfigVariables: If any of the listed variables are uncommented, then an "LTI" tab will be available on the "Course Configuration" page in courses. The settings for the uncommented variables can be changed for an individual course by the instructor in that tab.

Next follow the instructions for the LTI versions that will be used by your server below.

LTI 1.3 Setup

LTI 1.3 LMS Configuration

First the LMS needs to be configured to use LTI 1.3 authentication. Follow the instructions for your LMS below.

Moodle

Set the external tool configuration settings as shown in the screen shots below. Make sure to change https://webwork.yourschool.edu to the URL for your webwork2 server. You can use a different "Tool name" and add a "Tool description" that is appropriate for you. Note that the "Content Selection URL" is needed for version 4.02 or newer of Moodle in order for instructors to add WeBWorK assignment links to their courses. Make sure to follow the instructions for this later in this document. Older versions of Moodle allow manual link creation.

MoodleToolSettings.png

MoodleServices.png

MoodlePrivacy.png

View the configuration details for the external tool that is created after saving the changes by clicking on the list icon in the top right corner of the created tool. It will look something like the following screenshot. Save these details for the WeBWorK configuration later.

MoodleConfigurationDetails.png

The shown values in the order shown will be the values for the variables $LTI{v1p3}{PlatformID}, $LTI{v1p3}{ClientID}, $LTI{v1p3}{DeploymentID}, $LTI{v1p3}{PublicKeysetURL}, $LTI{v1p3}{AccessTokenURL}, and $LTI{v1p3}{AuthReqURL}, respectively, in the authen_LTI_1_3.conf file. The "Access token URL" will also be the value for the $LTI{v1p3}{AccessTokenAUD} variable.

Canvas

First, a user that has admin privileges in Canvas must create a developer key. On the developer keys page click "+ Develop Key" and select "LTI Key". Set the key settings as shown in the following screen shots. Make sure to change https://webwork.yourschool.edu to the URL of your server. You can use a "Key Name", "Title", and "Description" that are appropriate for you.

CanvasKeySettings.png

Note that some of the following services may not be needed, but I am not sure which ones are so just check them all!

CanvasServices.png

Under "Additional Settings" add the "Domain" of your WeBWorK server and make sure the "Privacy Level" is set to "PUBLIC".

CanvasAdditionalSettings.png

Add the "Assignment Selection" placement as shown below if you want to be able to utilize content selection. You can remove any other placements. WeBWorK does not support any of the others at this time.

CanvasPlacements.png

After saving the developer key you will see the following. Make note of the long number above the "Show Key" button in the details column. That is the client id which will be needed in the next step and will be the value for the $LTI{v1p3}{ClientID} in the WeBWorK authen_LTI_1_3.conf file.

CanvasDeveloperKeyDetails.png

Now go to "Settings" and select the "Apps" tab. Click on "+ App" and select "By Client ID" for the "Configuration Type". Enter the client id from above as shown below. Then click "Submit".

CanvasAddApp.png

After submitting Canvas will return to the "Apps" tab in "Settings". Find the app you just created and click on the gear icon drop down menu to the right. Select "Deployment ID" and save the deployment ID that is shown. This will be the value for the $LTI{v1p3}{DeploymentID} in the WeBWorK authen_LTI_1_3.conf file.

The other variables that will need to be set in the authen_LTI_1_3.conf file are as follows:

  • $LTI{v1p3}{PlatformID}: Either 'https://canvas.instructure.com' or 'https://yourschool.instructure.com' (It is not known at the time of this writing which this will need to be in production.)
  • $LTI{v1p3}{PublicKeysetURL}: 'https://yourschool.instructure.com/api/lti/security/jwks'
  • $LTI{v1p3}{AccessTokenURL}: 'https://yourschool.instructure.com/login/oauth2/token'
  • $LTI{v1p3}{AccessTokenAUD}: 'https://yourschool.instructure.com/login/oauth2/token'
  • $LTI{v1p3}{AuthReqURL}: 'https://yourschool.instructure.com/api/lti/authorize_redirect'

Brightspace (D2L)

A post about LTI 1.3 for Brightspace (D2L) appears at https://sukhjitsehra.github.io/webwork-2.18/.

LTI 1.3 WeBWorK Configuration

Now configure WeBWorK for LTI 1.3 authentication.

In the authen_LTI_1_3.conf file set the LTI 1.3 basic authentication parameters $LTI{v1p3}{PlatformID}, $LTI{v1p3}{ClientID}, $LTI{v1p3}{DeploymentID}, $LTI{v1p3}{PublicKeysetURL}, $LTI{v1p3}{AccessTokenURL}, $LTI{v1p3}{AccessTokenAUD}, $LTI{v1p3}{AuthReqURL} to the values found in the LMS configuration above.

Set $LTIVersion = 'v1p3'; in authen_LTI.conf. You may instead set this in the course.conf files of the courses that you want to use LTI 1.3 for, leave $LTIVersion = 'v1p1'; in authen_LTI.conf if most of the courses on your server will be using LTI 1.1.

There are some other options that can be set as well. Some of these are discussed in more detail in other sections of this document.

  • $LTI{v1p3}{LMS_name}: This is a string that is used to name the LMS for end users. It is used in messages displayed for users by WeBWorK.
  • $LTI{v1p3}{LMS_url}: This is a URL that should take users to a place they can log in to their LMS. It is also used in messages displayed for users by WeBWorK together with the LMS_name above.
  • $LTI{v1p3}{preferred_source_of_username}: When a user logs into WeBWorK from the LMS WeBWorK needs to determine the username of the person logging in. This determines which parameter sent from the LMS to use for the WeBWorK username. This is "email" by default, but can be set to any parameter included in the JWT sent from the LMS that uniquely identifies users.
    • You can set $debug_lti_parameters = 1 in authen_LTI.conf to help find which parameter to use for this.
    • If this variable is set to "email", then by default the entire email address is used. If you don't want to use the entire email address you can also set $LTI{v1p3}{strip_domain_from_email} = 1 and WeBWorK will remove the domain name from the email address when creating the username.
  • $LTI{v1p3}{fallback_source_of_username}: If the parameter set for $LTI{v1p3}{preferred_source_of_username} is not present in the JWT sent from the LMS, then the parameter set for this variable will be used instead if it is present in the JWT. This is not set by default.
  • $LTI{v1p3}{lowercase_username}: If set to 1, then all usernames (as determined by the options above) will be converted to lowercase.
  • $LTI{v1p3}{preferred_source_of_student_id}: The parameter sent from the LMS to use for the WeBWorK student id. This is optional and is not set by default.
    • You can set $debug_lti_parameters = 1 in authen_LTI.conf to help find which parameter to use for this.
  • $LTI{v1p3}{StateKeyLifetime}: When the WeBWorK responds to an initial LMS request it includes state and nonce values in that request. These values are saved in the database until the response from the LMS to that request is received. This variable controls how long in seconds this data will be saved in the database before it is considered stale and deleted. It should be short enough to accomodate normal server and networking delays. Note that if authentication is successful this will be deleted before this lifetime expires in any case. This is only to ensure that keys from failed authentication attempts don't pile up in the database.
  • $LTI{v1p3}{LMSrolesToWeBWorKRoles}: This is a mapping of roles used by the LMS to WeBWorK roles. Add roles to this if your LMS uses a role that is not present in the mapping already.
  • $LTI{v1p3}{modify_user}: This can be set to a routine that can modify the student id and other user data when a user signs in from the LMS.
  • $LTI{v1p3}{modify_user_set}: When users are added to the system they are also assigned all visible sets. This can be set to a routine that can modify the sets before they are assigned.

LTI 1.1 Setup

LTI 1.1 WeBWorK Configuration

In authen_LTI_1_1.conf set $LTI{v1p1}{BasicConsumerSecret}. This acts like a global password and is used to authenticate all communication between WeBWorK and the LMS. So pick something secure.

Set $LTIVersion = 'v1p1'; in authen_LTI.conf (this is the default setting). You may instead set this in the course.conf files of the courses that you want to use LTI 1.1 for, and set $LTIVersion = 'v1p3'; in authen_LTI.conf if most of the courses on your server will be using LTI 1.3.

There are some other options that can be set as well. Some of these are discussed in more detail in other sections of this document.

  • $LTI{v1p1}{LMS_name}: This is a string that is used to name the LMS for end users. It is used in messages displayed for users by WeBWorK.
  • $LTI{v1p1}{LMS_url}: This is a URL that should take users to a place they can log in to their LMS. It is also used in messages displayed for users by WeBWorK together with the LMS_name above.
  • $LTI{v1p1}{preferred_source_of_username}: When a user logs into WeBWorK from the LMS WeBWorK needs to determine the username of the person logging in. This determines which parameter sent from the LMS to use for the WeBWorK username. This can be lis_person_sourcedid, lis_person_contact_email_primary (the default), or another parameter sent from the LMS that uniquely identifies users. This setting is required.
    • If this variable is set to "lis_person_sourcedid" then the sourced_id will be used as the WeBWorK username. Note: The LMS may not provide this parameter, and if it is provided it is usually an obscure identifier that is likely not a good choice for a username.
    • If this variable is set to "lis_person_contact_email_primary" then the email address provided by the LMS will be used for the WeBWorK username.
      • By default the entire email address is used. If you don't want to use the entire email address you can also set $LTI{v1p1}{strip_domain_from_email} = 1 and WeBWorK will strip off the server portion of the email address when creating the username.
    • You can set $debug_lti_parameters = 1 in authen_LTI.conf to help find which parameter to use for this.
  • $LTI{v1p1}{fallback_source_of_username}: If the parameter set for $LTI{v1p1}{preferred_source_of_username} can not be found, then the parameter set for this variable will be used instead if it can be found in the parameters. This is not set by default.
  • $LTI{v1p1}{lowercase_username}: If set to 1, then all usernames (as determined by the options above) will be converted to lowercase.
  • $LTI{v1p1}{preferred_source_of_student_id}: The parameter sent from the LMS to use for the WeBWorK student id. This is optional and is not set by default.
    • You can set $debug_lti_parameters = 1 in authen_LTI.conf to help find which parameter to use for this.
  • $LTI{v1p1}{NonceLifeTime}: When the LMS sends a user to WeBWorK it makes a request identified by a "Nonce". This variable controls how long the Nonce is valid, in seconds, from the time it is created by the LMS. It should be short enough to prevent "casual" man-in-the-middle attacks. However, you may need to set it to something longer if your servers/network are slow or if the clocks on your servers are not synced.
  • $LTI{v1p1}{OverrideSiteURL}: When the authentication request is being validated WeBWorK will check to see if the address that the user clicked in in the LMS is the same as the address of the WeBWorK server. If you have a load balancing system where the WeBWorK server address may not be the same as the address the student clicked on in the LMS then you may need to set this variable to the address in the LMS.
  • $LTI{v1p1}{OverrideSiteProtocolDomain}: This is similar to the $LTI{v1p1}{OverrideSiteURL} except that only the protocol (http or https) and host name portion of the URL given here are substituted for the protocol and host name of the request, leaving the URL path in the request the same.
  • $LTI{v1p1}{modify_user}: This can be set to a routine that can modify the student id and other user data when a user signs in from the LMS.
  • $LTI{v1p1}{modify_user_set}: When users are added to the system they are also assigned all visible sets. This can be set to a routine that can modify the sets before they are assigned.

LTI 1.1 LMS Configuration

Next you need to configure your LMS. In general you will need to provide the LMS the following things:

  • The address of your WeBWorK server. Note: The address here needs to exactly match the address of your webwork server as defined in site.conf, i.e., it should be the combination of $server_root_url and $webwork_url
  • The "Tool Provider Key" or "Consumer Key". This is just some made up word, like "webwork" or "smargleborg".
  • The "Tool Provider Secret" or "Consumer Secret". This is the password used to identify the LMS to your WeBWorK site (and vice versa) and should be the same as $LTI{v1p1}{BasicConsumerSecret}.
  • What user information is submitted to WeBWorK.

The specifics in setting up the LMS vary depending on which LMS you use. Instructions for Blackboard, Moodle, Canvas, and BrightSpace's Desire2Learn are below. An instructor can perform these instructions at the course level, and this will apply to only that course, or an LMS administrator can do this at the system level so that it applies to all courses on the system.

You can also try to have the LMS provide section or recitation information by setting a custom parameter. In all of the configurations there is a "Custom Fields" section. You would specify "section = #" or "recitation = #" to set the section or recitation.

Blackboard

Blackboard-lti-setup.png

  1. In the Administrator Panel (under Building Blocks) click LTI Tool Providers and then Register Provider Domain
  2. Input the address of the WeBWorK server in Provider Domain
  3. Use Set Globally for Default configuration and input the Tool Provider Key (any word, e.g. webwork) and the Tool Provider Secret ($LTI{v1p1}{BasicConsumerSecret})
  4. Enable Send User Data. (Restricting to ssl is safer if you have https enabled.) Then enable all three user fields.

Moodle

Moodle-lti-setup.png

  1. Go to Site administration > Plugins > Activity modules > LTI > Manage external tool types and click "Add External Tool Configuration"
  2. Input the Tool Name and the WeBWorK server address as the Tool Base URL
  3. Input the Consumer Key (any word e.g. webwork) and the Shared Secret ($LTIBasicConsumerSecret).
  4. In Privacy set both "Share" configurations to "Always". If you have https available its safer to also enable "Force SSL".

Canvas

Canvas-lti-setup.png

  1. Go to Settings > Apps > View App Configurations > Add App
  2. Choose "Manual Entry" for configuration type.
  3. The "Launch URL" is the url of the course and can be left blank. The "Domain" is just the server address
  4. Input the Consumer Key (any word, e.g., webwork) and the Shared Secret ($LTI{v1p1}{BasicConsumerSecret}).
  5. You should set "Privacy" to "Public".

Warning: Canvas does not copy the consumer key and consumer secret when course content is copied to a new course. Those values need to be set again manually for the new course.

BrightSpace Desire2Learn (D2L)

This assumes that you will be using the email address stored in D2L (or just the first part of the email address) as the username in WeBWorK. Currently this is the only supported format when linking with D2L, as D2L does not send the user ID using the same convention as other Learning Management Systems. So you will need to set $LTI{v1p1}{preferred_source_of_username} = "lis_person_contact_email_primary"; in authen_LTI_1_1.conf in order for these instructions to work. If you prefer to use only the first part of the email address as the username in WeBWorK, then you should also set $strip_address_from_email = 1;.

  1. Navigate to the Manage External Tools page (as an instructor, this can be found as follows. Go to the Content Browser. Within a content area, click on the "Add Existing Activities" drop-down, and choose "External Learning Tools", then click on "Manage External Tools" at the bottom.
  2. Click on "Manage Tool Providers" at the top.
  3. Click on "New Tool Provider", and fill in the following values:
Launch Point The full url of your webwork server. Typically something like https://webwork.yourschool.edu/webwork2
Secret A random string that must match the variable $LTI{v1p1}{BasicConsumerSecret} set in authen_LTI.conf
Tool consumer information Check the box "Use custom tool consumer information instead of default"
Key Can be any string, but do not leave blank.
Name Optional
Description Optional
Contact Email Optional
Visibility Click "Allow users to use this tool provider"
Security settings Check the following:

"Send user ID to tool provider" "Send user email to tool provider" "Send system role to tool provider"

Make tool provider available to You can choose which courses or organizational units can use this tool. Note that courses not selected here would still be able to create WeBWorK links, but they would have to be set up manually

Adding Links To WeBWorK

Once you have set up your WeBWorK configuration files and added WeBWorK as an LTI Tool to your LMS you will need to make a link/assignment in the LMS that students can use to get to WeBWorK. This needs to be done in every LMS course which uses WeBWorK. The process for this varies depending on what LMS you are using. Instructions for Moodle, Blackboard, Canvas, and BrightSpace's Desire2Learn are below.

It is usually best to have WeBWorK open in a new window. There are usually settings you can set when creating a link/assignment in the LMS which will control this.

Blackboard

Blackboard-lti-link.png

  1. Go to Content > Build Content > (Create) Web Link
  2. Add a Name for your link and the URL of the WeBWorK course or assignment that you are linking to. The URL structure is either https://webwork.yourschool.edu/webwork2/coursename or https://webwork.yourschool.edu/webwork2/coursename/assignmentname.
  3. Check "This link is a Tool Provider"*
  • You may need to enable "LTI" in Customization => Tool Availability if the checkbox for "This link is a Tool Provider" is not shown

Moodle

The documentation is here. A screenshot and basic instructions follow.

Moodle-lti-link.png

  1. Go to a Course, Turn "Editing" on, and click "Add an activity or resource".
  2. Choose "External Tool" and click "Add".
  3. Pick an activity name and add the URL for a WeBWorK course or assignment. The URL structure is either https://webwork.yourschool.edu/webwork2/coursename or https://webwork.yourschool.edu/webwork2/coursename/assignmentname.

Canvas

The documentation is here. A screenshot and basic instructions follow.

Canvas-lti-link.png

  1. Go to your Course, then Assignments, then add an assignment.
  2. Select "External Tool" for Submission type.
  3. Input the URL of the WeBWorK course or assignment that you are linking to. The URL structure is either https://webwork.yourschool.edu/webwork2/coursename or https://webwork.yourschool.edu/webwork2/coursename/assignmentname.

BrightSpace Desire2Learn (D2L)

  1. Navigate to the content area in your D2L course where you would like the link to reside.
  2. From the "Add Existing Activities" menu, select "External Learning Tools".
  3. Click "Manage External Tools"
  4. Click the New Link button
  5. Under "Title", fill in whatever text you would like to see for the link in D2L
  6. For URL, enter the URL to the course or the assignment, typically either https://webwork.yourschool.edu/webwork2/coursename or https://webwork.yourschool.edu/webwork2/coursename/assignmentname
  7. Check "Allow users to view this link"
  8. For Key/Secret, check "Sign messages with key/secret with", and select "Tool consumer key secret"
  9. For Security Settings, select "Use tool provider security settings"

Automatic Student Account Management

WeBWorK can be configured to automatically manage and create student accounts in WeBWorK. In particular if a student does not have an account in WeBWorK, then the first time they log in a WeBWorK account will be created for them. The username will be determined by $LTI{v1p?}{preferred_source_of_username} (see above for the details) and they will automatically be assigned all "visible" homework sets.

Now you should be all set up. You can test it out by creating a test student in your LMS and using the link to log into WeBWorK from the LMS. Logging into WeBWorK in this way should not require a password, the WeBWorK user for the student should be automatically created, and the user should also automatically be assigned all "visible" homework sets. In particular you should keep the following in mind about automatic account creation.

  • Students created when signing in via LTI authenticaiton will not have a password. In particular they will not be able to sign into WeBWorK directly. The variable $external_auth is set to 0 by default, and the username and password fields are displayed on the WeBWorK login page. This can be confusing to students, since they still will not be able to sign in. So you may want to change $external_auth to 1. In that case the username and password fields will not be displayed on the WeBWorK login page, and instead a message will be shown that directs users to login through the LMS (the $LTI{v1p?}{LMS_name} and $LTI{v1p?}{LMS_url} variables are used for this).
  • On the other hand setting $external_auth = 1; prevents ALL users from signing into WeBWorK directly including instructors and TAs. For this reason you may want to set $external_auth = 0; to allow direct sign in to WeBWorK. Students still will not be able to sign in to webwork directly unless a password is created for them. So it will be necessary to inform them that they can only log in to WeBWorK through the LMS, and that the username and password fields on the login page will not work for them.
  • Note that if $external_auth is set to 1, then you may also want to set $permissionLevels{change_password} = 'ta' to prevent students from changing passwords (since they usually can't be used anyway).
  • Accounts with a permission level of TA or higher are not automatically created by default for security reasons. So you will have to add your TA's and other professors manually. The parameters that control account creation are:
    • $LMSManageUserData: WeBWorK will try to keep your student's data up to date with the LMS if this flag is on. Student data doesn't change much so you could turn it off with relatively few side effects.
      • If you enable this feature then you should not let students change their email address, since their changes will constantly be overwritten. To do that set $permissionLevels{change_email} = "ta";.
      • If you use a $LTI{v1p?}{LTI_modify_user} subroutine then you should turn this feature off.
    • $LTIAccountCreationCutoff: Users with permission levels at or above this value are not automatically created. It is set to 'ta' by default. You will need to manually add users at or above this value to a course before they can log in via the LMS. If you want to allow professors to be created automatically set this variable to 'professor'. If you want to turn off the account creation feature set this variable to 'guest' or 'student'.
    • $LTI{v1p?}{LMSrolesToWeBWorKroles}: If your LMS uses roles not listed in this hash you will need to add those roles so that users get the right WeBWorK permission level.
    • $LTI{v1p?}{LTI_modify_user}: This is a subroutine which you can use to modify a newly created user before they are actually added to WeBWorK. You would use this if you wanted to, for example, analyze the LTI context parameter for a section number and set the student's section, or create a random string which you set as the student ID and the students password. There are example subroutines in the authen_LTI_1_1.conf and authenLTI_1_3.conf files.
    • $LTI{v1p?}{LTI_modify_set}: This is a subroutine which you can use to modify newly created sets before they are assigned to users. You would use this if you wanted to, for example, modify the due date of the set before it is assigned, adding extra days based on the number of sets assigned. There are example subroutines in the authen_LTI_1_1.conf and authenLTI_1_3.conf files.

Additional Authentication Setups

If your LMS uses an LDAP system for authentication you can set WeBWorK to also use LDAP authentication (see LDAP Authentication). This will allow students to log into WeBWorK using their LDAP/LMS credentials (once their account is created in WeBWorK). To do this you should first comment out the following lines in authen_ldap.conf

#$authen{user_module} = {
#    "*" => "WeBWorK::Authen::LDAP",
#};

In authen_LTI.conf you should change the definition of $authen{user_module} to

$authen{user_module} = [
    { '*' => 'WeBWorK::Authen::LTIAdvantage' },          # first try LTI 1.3
    { '*' => 'WeBWorK::Authen::LTIAdvanced' },           # next try LTI 1.1
    { '*' => 'WeBWorK::Authen::LDAP' }                   # fallback authorization method
];

You should also make sure that $external_auth is set to 0.

Use Different LTI Configurations for Courses

Configure WeBWorK to use LTI as directed above. Then add any of the configuration variables defined in authen_LTI.conf, authen_LTI_1_1.conf, or authen_LTI_1_3.conf to the end of a course's course.conf file to use different values for this course than the site wide settings.

Grade Pass-back

There is an optional subsystem for allowing WeBWorK to pass grades back to the LMS. You can read more about that at LTI-Advanced Grading