LTI Authentication (for WeBWorK 2.17 or older)

From WeBWorK_wiki
Revision as of 13:52, 31 March 2016 by Geoff Goehle (talk | contribs)
Jump to navigation Jump to search

Note: This documentation is for a feature scheduled for release in WeBWorK version 2.12

Learning Management Systems (LMS) like Blackboard, Moodle and Canvas all support a protocol called Learning Tools Interoperability (LTI) which can be used to connect learning tools like WeBWorK to the LMS in a standardized fashion. The most common version is 1.2 and is supported by Blackboard, Moodle, Canvas, and others. WeBWorK has previously supported LTI based authentication through the LTIBasic module. That module has been rewritten to include a fuller range of features, including the ability to pass back grades. This guide includes instructions for the initial configuration and authentication parameters supported by LTIAdvanced. You can read about the grade passback features at LTI-Advanced Grading.

First Time Setup

WeBWorK Setup

Before you can use WeBWorK's LTI features you need to do some initial setup. This will need to be done by a system administrator and in particular often requires administrator access to both WeBWorK and your Learning Management System. All of the configuration for WeBWorK is done in the authen_LTI.conf file located in the webwork2/conf directory. First you should copy authen_LTI.conf.dist to authen_LTI.conf. Then you need to uncomment the line

   #include("conf/authen_LTI.conf");

in localOverrides.conf. Now there are some things you will need to do in authen_LTI.conf. The only thing you must set is the LTI Consumer Secret. This acts like a global password and is used to authenticate all communication between WeBWorK and the LMS. So pick something reasonably complicated.

   $LTIBasicConsumerSecret = ""; #This must be set 

There are some other options that can be set as well. I'll go through them in order of most things you will most likely need to think about to less likely.

  • $debug_lti_parameters - Getting things set up for the first time can be tricky and the error messages are kept vague by default (for security). Set this flag to 1 to have WeBWorK split out a lot more information about the LTI authentication process. This can be a big help with troubleshooting.
  • $NonceLifeTime - When the LMS sends a user to WeBWorK it makes a request identified by a "Nonce". This variable controls how long the Nonce is valid, in seconds, from the time it is created by the LMS. It should be short enough to prevent "casual" man-in-the-middle attacks. However, you may need to set it to something longer if your servers/network are slow or if the clocks on your servers are not synced.
  • $preferred_source_of_username - When a user logs into WeBWorK from the LMS WeBWorK needs to determine the username of the person logging in. The default is to use the email address of the student logging in as their user name. This is because many/most LMS do not actually provide a traditional username (also called a "sourcedid"). This variable controls if the email or the sourcedid is used as the username for the student in WeBWorK.
    • If this variable is set to "lis_person_sourcedid" then the sourcedid is used as the WeBWorK username. Note: Many LMS do not provide this parameter.
    • If this variable is set to "lis_person_contact_email_primary" then webwork will use the entire email address as the username. If you don't want to use the entire email address you can also set $strip_address_from_email=1 and WeBWorK will strip off the server portion of the email address when creating the username.
  • $LTIBasicToThisSiteURL - When the authentication request is being validated WeBWorK will check to see if the address that the user clicked in in the LMS is the same as the address of the WeBWorK server. If you have a load balancing system where the WeBWorK server address may not be the same as the address the student clicked on in the LMS then you will need to set this variable to the address in the LMS.

LMS Setup

Next you need to set up your LMS. In general you will need to provide the LMS the following things:

  • The address of your WeBWorK server.
  • The "Tool Provider Key" or "Consumer Key"; this is just some made up word, like "webwork" or "smargleborg".
  • The "Tool Provider Secret" or "Consumer Secret"; this is the password used to identify the LMS to your WeBWorK site (and vice versa) and should be the same as $LTIBasicConsumerSecret
  • What kind of user information is provided to WeBWorK.

The specifics in setting up the LMS vary depending on what LMS you use. I've posted links to setup instructions for Blackboard, Moodle and Canvas below. Note, when the instructions refer to the "LTI" or "Tool", that is WeBWorK.

Blackboard

The basic instructions are here.

Blackboard-lti-setup.png

1. In the Administrator Panel (under Building Blocks) click LTI Tool Providers and then Register Provider Domain 2. Input the address of the WeBWorK server in Provider Domain 3. Use Set Globally for Default configuration and input the Tool Provider Key (any word, e.g. webwork) and the Tool Provider Secret (e.g.$LTIBasicConsumerSecret) 4. Enable Send User Data. (Restricting to ssl is safer if you have https enabled.) Then enable all three user fields.


   Moodle:  The basic instructions are here. 
       Go to Site administration > Plugins > Activity modules > LTI > Manage external tool types and click "Add External Tool Configuration"
       Input the Tool Name and the WeBWorK server address as the Tool Base URL
       Input the Consumer Key (any word e.g. webwork) and the Shared Secret (e.g. $LTIBasicConsumerSecret). 
       In Privacy set both "Share" configurations to "Always".  If you have https available its safer to also enable "Force SSL".  
   Canvas:  The basic instructions are here. 
       Go to Settings > Apps > View App Configurations > Add App
       Choose "Manual Entry" for configuration type. 
       The "Launch URL" is the url of the course and can be left blank.  The "Domain" is just the server address
       Input the Consumer Key (any word e.g. webwork) and the Shared Secret (e.g. $LTIBasicConsumerSecret). 
       You should set "Privacy" to "Public". 

A couple of other things to think about:

   Its usually best to have WeBWorK open in a new window.  There are usually settings you can set which will control this.  However feel free to experiment with other settings until you find a mode you like. 
   If you want to get fancy you can also try to have the LMS provide section or recitation information by setting a custom parameter.  In all of the configurations there is a "Custom Fields" section.  You would specify "section = #" or "recitation = #" to set the section or recitation.

Adding Links To WeBWorK Once you have set up your WeBWorK configuration files and added WeBWorK as an LTI Tool to your LMS you will need to make a link/assignment in the LMS that students can use to get to WeBWorK. Again, the process for this varies depending on what LMS you are using. I'll describe the process for Moodle, Blackboard and Canvas.

   Blackboard:  Some basic instructions are here. 
       Go to Conent > Build Content > (Create) Web Link
       Add a Name for your link and the URL of the course you are linking to.  You can get the url using "copy link location" on the link to the course in the main WeBWorK page.  Alternatively the url structure is:
       http://webwork.server.edu/webwork2/CourseName
       Check "This link is a Tool Provider"
   Moodle: Some basic instructions are here. 
       Go to a Course, Turn "Editing" on, and click "Add an activity or resource".
       Choose "External Tool" and click "Add".
       Pick an activity name and add the URL of the course you are linking to.  You can get the url using "copy link location" on the link to the course in the main WeBWorK page.  Alternatively the url structure is:
       http://webwork.server.edu/webwork2/CourseName
   Canvas:  Some basic instructions are here. 
       Go to your Course, then Assignments, then add an assignment. 
       Select "External Tool" for Submission type. 
       Input the URL of the course you are linking to.  You can get the url using "copy link location" on the link to the course in the main WeBWorK page.  Alternatively the url structure is:
       http://webwork.server.edu/webwork2/CourseName

There are other places where you can add the link to WeBWorK. Depending on your LMS you can add also add the link to the available "modules" or in the "navigation bar". Consult the documentation for your LMS for more details. Logging In and Creating Students Now you should be all set up. You can test it out by creating a test student in your LMS and using the link to log into the LMS from WeBWorK. The log into WeBWorK should not require a password, the WeBWorK user for the student should be automatically created, and the user should also automatically be assigned all "visible" homework sets. (The warnings in the above image are the output created by the $debug_lti_parameters flag.) When a user logs into WeBWorK for the first time a WeBWorK user is automatically created for them. This can save a lot of work in setting up your WeBWorK class. There are a few features/quirks of this process that should be mentioned.

   Students created via the LMS will not have neither a student id nor an initial password.  In particular they will not be able to log into WeBWorK directly.  The $external_authentication flag is set to one by default and actually prevents them from seeing the WeBWorK login page.  They will need to log in via the LMS unless you get fancy. 
   Accounts with a permission level of TA or higher are not automatically created by default for security reasons.  So you will have to add your TA's and other professors manually. 
   Students created via the LMS are assigned all visible sets.  However, the due dates of these sets are not adjusted to take late registrations into account unless you get fancy. 
   You can define the local routines which can be used to modify newly created users and newly assigned sets.  For example, you can give newly created users a random student_id/password or you can alter the due dates of a student depending on how late they register.

Automatic Student Account Management

$LMSManageUserData - WeBWorK will try to keep your student's data up to date with the LMS if this flag is on. Student data doesn't change much so you could turn it off with relatively few side effects. You can also set custom "local functions" in authen_LTI.conf which customize users before they are created (and sets before they are assigned to users). If you do that then you should definitely turn this variable off.

$LTIAccountCreationCutoff - For security reasons users with permission levels of ta or higher are not automatically created. In other words you will need to manually add professor users to a course before they can log in via the LMS. If you want to allow professors to be created automatically set this variable to 'professor'.

%LMSrolesToWeBWorKroles - If your LMS uses roles not listed in this hash you will need to add those roles so that users get the right WeBWorK permission level.


Additional Authentication Setups

Grade Passback