WeBWorK Main Forum

Canvas LTI and faculty/student experiences

Canvas LTI and faculty/student experiences

by Nick Harvey -
Number of replies: 18
Hello,
Here at James Madison University we currently use WeBWork and Canvas and are preparing to implement the LTI for single sign-on and grade passback. I am running into some challenges, however, with how some business processes will change as a result. Two in particular are of concern at the moment:

1. Currently, students and faculty can log into WeBWork directly, but with the new LTI, we want to disable the LDAP option. We feel that having all enrollment and course access managed through Canvas and the LTI, and having the LTI auto-create and auto-assign users, is a big benefit. However, we are concerned about faculty perceiving it as a major hurdle to constantly have to log in to Canvas, find the course and assignment, and click through that way to manage their WeBWork courses. From what I understand, LDAP login is all or nothing; if we turn it off for students, it's also off for faculty. How are others managing this? Is it just a relatively painless learning curve for faculty?

2. When students request help from a faculty member, the URL that is emailed contains a direct deep link to the WeBWork assignment. How are other schools handling this with the LTI, if external auth is required? Are you rewriting the URL or redirecting somehow?

Thanks,
Nick Harvey
James Madison University
In reply to Nick Harvey

Re: Canvas LTI and faculty/student experiences

by Andras Balogh -
Hi Nick,

I have no answer to your questions, but may I ask why you want to disable LDAP?

Andras
In reply to Andras Balogh

Re: Canvas LTI and faculty/student experiences

by Nick Harvey -
We want to disable LDAP because one of the issues we're running into is that sometimes students are removed from the course in Canvas but are still able to log into the WeBWork course. Only being able to log in via LTI would remove that possibility. Also if a student has not clicked the course assignment link in Canvas yet, they will not be added as a student in the course, and their LDAP login won't work.

We feel that having LDAP *and* LTI enabled creates a potentially confusing mixed environment.
In reply to Nick Harvey

Re: Canvas LTI and faculty/student experiences

by Balagopal Pillai -
The default cut off setting for auto account creation via LTI is for ta or below I think. Are you planning to raise it to professor levels?

Regards
Balagopal
In reply to Balagopal Pillai

Re: Canvas LTI and faculty/student experiences

by Nick Harvey -
Yes I have already done so in our test environment. Basically our goal is to remove account management tasks altogether in WeBWork, and let Canvas be the source of the authorization via LTI.
In reply to Nick Harvey

Re: Canvas LTI and faculty/student experiences

by Balagopal Pillai -
Just out of curiosity, how would you then prevent a hypothetical scenario of a rouge professor level account
on canvas (by error or intentional) using LTI to create a
similar professor level account on a particular webwork
course and wiping out everything in that course?
In reply to Balagopal Pillai

Re: Canvas LTI and faculty/student experiences

by Andras Balogh -
>>rouge professor
Good point. I am still in testing process of LTI, and I am surprised to learn that I can create link to any webwork course.
In reply to Andras Balogh

Re: Canvas LTI and faculty/student experiences

by Balagopal Pillai -
See, there is a good reason for that cut off for LTI based account creation at the ta level. LTI config itself doesn't seem to prohibit anybody with LMS access to point to an existing webwork course url. With the default cut off to ta, the worst case is that an unauthorised student webwork account gets created for the course. Professor can discover this and track that user through central IT who manages the LMS. But increasing that LTI account creation cut off well beyond ta may mean that disaster could strike well before the professor discovers the problem!
In reply to Nick Harvey

Re: Canvas LTI and faculty/student experiences

by Michael Gage -
I'd suggest creating faculty accounts manually in WeBWorK -- there would probably not be many. Indeed if the systems administrator is creating a WeBWorK course (to server a course in Canvas) they can specify a given professor for that course and that professor can then configure homework for the course, add other professors and ta's and so forth.

The professors and ta's could log in to WeBWorK directly but the students could not. LDAP is not involved -- the login/passwords are specific to each WeBWorK course.

I'm using that model myself but I'm working with Moodle/WeBWorK not Canvas/WeBWorK. I don't think there would be a significant difference.
I also create a "student" version of my self in Moodle (or Canvas) and login
to WeBWorK that way as well. This gives me a genuine student view of the course which I use for testing that everything works as expected.


In reply to Michael Gage

Re: Canvas LTI and faculty/student experiences

by Omar Hijab -
I'm new to WW so this may be answered elsewhere...

I understand not wanting to allow cut-off above ta level. But what about non-existent courses? Wouldn't it be useful for an instructor account to be auto-created if they add as an external Canvas tool WWserverURL/newcourse? In which case , the WWserver would auto-create the course, and assign the auto-created account as a professor in that course? Of course, the admins would get an email warning this was done.
In reply to Omar Hijab

Re: Canvas LTI and faculty/student experiences

by Alex Jordan -

I am working on something like this. See

https://github.com/openwebwork/webwork2/discussions/1601

I'm slow this summer so if anyone wants to work on it, I say go for it. 


In reply to Alex Jordan

Re: Canvas LTI and faculty/student experiences

by Omar Hijab -
Fantastic, that's great news! I'm handling a new roll-out of WW at my institution, so this will be very welcome...
In reply to Nick Harvey

Re: Canvas LTI and faculty/student experiences

by Alex Jordan -
One more reason to want to turn off LDAP is when a student enters WeBWorK via their LMS, but then times out. With LDAP on, they are taken to WeBWorK's login screen. If their account was created by the LTI from the LMS, they do not have a password, and declare the system broken because non of their user ID/password combinations work. (Well, unless you manually give them a password, which kind of defeats the purpose of the automatic registration.) So when you turn off LDAP, the student gets a clear message they should go back to their LMS.

My answers:

1. At my school, I gave faculty information for how they can turn on/off LDAP within their own course and make their own choice. (This requires giving professor level accounts the ability to edit their course.conf, which is no longer a default ability. Somewhere in localOverrides you can set the permission level for this.)

For the info I gave faculty here, scroll to "Integration with Brightspace": https://spaces.pcc.edu/pages/viewpage.action?pageId=48104599

If you turn off LDAP, there is one issue you will need to work around, which I ran into. I and the other admins could no longer easily get into that instructor's course at all to examine issues they reported. I could not enter it using LDAP, and I had no access to that instructor's course in the LMS.

2. I believe that instructors in this position know they need to enter the course via the LMS. Then they can return to the email and follow the link and (I believe) it takes them inside since they are already authenticated and have not yet timed out.
In reply to Alex Jordan

Re: Canvas LTI and faculty/student experiences

by Michael Gage -
"If you turn off LDAP, there is one issue you will need to work around, which I ran into. I and the other admins could no longer easily get into that instructor's course at all to examine issues they reported. I could not enter it using LDAP, and I had no access to that instructor's course in the LMS."

We work around that here by having our system admin and myself as defacto members with admin privileges in every course . That way we can help out
in emergencies. Since the two of us also have command line access to the server we can insert ourselves as a user with admin privileges whenever necessary, but having us already in the course saves some time.

In reply to Alex Jordan

Re: Canvas LTI and faculty/student experiences

by Andras Balogh -
>> If their account was created by the LTI from the LMS, they do not have a password

I don't understand. If LDAP is working then wouldn't their university password were also working?
In reply to Andras Balogh

Re: Canvas LTI and faculty/student experiences

by Alex Jordan -
In my post, I may have been using some acronyms incorrectly.

But if a student enters our LMS (Desire2Learn) then clicks a link to a WeBWorK section for the first time, their account in the WeBWorK course is created. And at this point, their password field in the WeBWorK database is some meaningless random thing that was generated just for a place holder. At this point, the instructor can assign something for their WeBWorK password from within WeBWorK. And the student can either use it to log in directly to WeBWorK, or go through the LMS (which does not use the user password for authentication.)

But if the instructor does not take that step, the student has no way to know what the random thing is that could be used to log in directly.

An instructor will typically never experience this, because instructor accounts in the WeBWorK course are typically created directly, not by the LTI.


In reply to Alex Jordan

Re: Canvas LTI and faculty/student experiences

by Andras Balogh -
I think what you mean is that you do not have LDAP availability.
In reply to Andras Balogh

Re: Canvas LTI and faculty/student experiences

by Alex Jordan -
What I mean is there is a situation a student can find themselves in, where they have a WeBWorK account, and have already been answering questions etc. in WeBWorK because they access it through their LMS. But they were never assigned a WeBWorK password, so they have no way to log in to WeBWorK aside from via the LMS. They cannot even change their password in WeBWorK, because doing so requires you know your current password. And from their perspective, it is frustrating to have a login/password screen where nothing they try will let them enter.

My understanding is the password one uses to log in to the LMS (or the general college sign-on) is not the same as the password assigned to that user's account in the WeBWorK course. The LMS may not even be using the same password hash that WeBWorK is using. And when a student is authenticated through the LMS, the user's WeBWorK password is irrelevant. When a student's WeBWorK account is created because of the LTI with the LMS, a random string of some sort is used as the password, but nothing will ever actually use that password. And you can never determine what it was anyway because only its hashed value is stored. Am I misunderstanding something in all that?
In reply to Alex Jordan

Re: Canvas LTI and faculty/student experiences

by Michael Fraboni -
You are correct, this is how it works on my setup. I just tell students that they need to access WeBWorK through the LMS. I haven't had much in the way of complaints.