UsingWW: Allowing Both Direct CAS Authorization and Canvas LTI Authorization

My university has recently adopted Canvas. We've been using webwork (current version 2.15) for years and use CAS authentication for students and faculty to log in directly via the webwork site. I am attempting to link a Canvas course to webwork using LTI authorization. Everything worked well except for one small issue. All I had to do was add the following code to the course.conf file:

    include("conf/authen_LTI.conf");

    $LTIBasicConsumerSecret = <complicated secret>;

    $external_auth = 0;

    $permissionLevels{change_password} = "ta";

    $LTI_modify_user = sub {

      <modify user data>;

Then I setup the LTI tool in Canvas and it worked. When a student clicked the link in canvas, they were automatically enrolled and logged into the webwork course. When an instructor clicks the link, they are auto logged in. The one hiccup is that I would like instructors (especially me since I setup all webwork courses for the college) to also be able to log in directly the old fashioned way. (If students are forced to log in through canvas, that is totally fine.) My impression was that the code

    $external_auth = 0;

would allow this, but it appears to just allow the direct log in screen to appear on the webwork site. The CAS username and password no longer work. It seems like the LTI authentication overrides the CAS authorization. Is there a way for me to allow both CAS and LTI authorization simultaneously? Or perhaps there is some other issue I'm not aware of.

One solution I thought of was to simply as me as an instructor to each Canvas course that uses webwork, but it's not the most efficient solution. Another note is that I'm neither the Canvas nor IT admin for my school, so my access is limited.

I did notice the following code in the authen_LTI.conf file:

    $authen{user_module} = [ 
        {  "*" => "WeBWorK::Authen::LTIAdvanced", }, #preferred authorization method
        {  "*" => "WeBWorK::Authen::Basic_TheLastOption",}  #fallback authorization method
    ];

I thought this could be related to my issue, but now the knowledge required is starting to go above my pay grade. The webwork system was setup long before I arrived.

Any help/suggestions would be appreciated. Thanks.

Re: Allowing Both Direct CAS Authorization and Canvas LTI Authorization

by Glenn Rice - Thursday, 22 August 2024, 3:57 PM

To use multiple authentication modules you add them in the appropriate order to the $authen{user_module} list. So if you wanted to use CAS and LTI authentication, then you would use

$authen{user_module} = [
	{ '*' => 'WeBWorK::Authen::LTIAdvanced' },           # First try LTI 1.1
	{ '*' => 'WeBWorK::Authen::CAS' },                   # Next try CAS
	{ '*' => 'WeBWorK::Authen::Basic_TheLastOption' }    # Fallback authorization method
];

Note that you will need to have LTI first in that list. If an LTI authentication request is made from the LMS, then it will do its work to sign the user in. If it is not an LTI authentication request, then it will go to the login page. That is assuming that $external_auth = 0 is set. Usually, you set all of the LTI settings in authen_LTI.conf (including $external_auth and $LTIBasicConsumerSecret). The $authen{user_module} will need to be set in localOverrides.conf somewhere after both authen_LTI.conf and authen_CAS.conf are included in that file. I have not tested any of this, but theoretically it will work. Note that these instructions are for versions of webwork before 2.18, and are not the same for 2.18 or newer.

Re: Allowing Both Direct CAS Authorization and Canvas LTI Authorization

by Jason Terry - Friday, 23 August 2024, 1:42 PM

This seemed to work, thank you! I plan to test this out on a single course for the upcoming fall term. If all goes well, we might implement this globally. At that point, we will need to adjust the global config files. So I may be back for more advice!

Thanks again for the help.

Re: Allowing Both Direct CAS Authorization and Canvas LTI Authorization

by Danny Glin - Thursday, 22 August 2024, 3:58 PM

The $authen{user_module} variable controls which authentication methods should be tried, and the order in which they should be tried, so you probably want

    $authen{user_module} = [ 
        {  "*" => "WeBWorK::Authen::LTIAdvanced", }, #preferred authorization method
        {  "*" => "WeBWorK::Authen::CAS",}  #fallback authorization method
    ];

The one thing to be careful about is where to put this, since the last time the variable is set will determine which authentication modules are used. Since you are using CAS this is probably being set in authen_CAS.conf. It also gets set in authen_LTI.conf, so If you include authen_LTI.conf after you have included authen_CAS.conf, then the version you quoted will be the one that takes effect.

If those are the only two places where it is defined you can make the change in authen_LTI.conf and it will affect any course that uses LTI. Note that course.conf is loaded after any of the site-wide configuration files, so anything set there will overside the settings for the site.

To be completely safe I recommend adding the code block above after all of the includes. If you want to do this for one course then put the block in course.conf after include("conf/authen_LTI.conf");.

If you want LTI and CAS for all courses, then your localOverrides.conf should look something like

    include("conf/authen_CAS.conf");
    include("conf/authen_LTI.conf");
    $authen{user_module} = [ 
        {  "*" => "WeBWorK::Authen::LTIAdvanced", }, #preferred authorization method
        {  "*" => "WeBWorK::Authen::CAS",}  #fallback authorization method
    ];

(possibly with some other settings in between).

Re: Allowing Both Direct CAS Authorization and Canvas LTI Authorization

by Jason Terry - Friday, 23 August 2024, 1:49 PM

Your advice was spot-on. I made the change at the end of the local course.conf file. (Turns out the authentication method was not CAS, but I quickly corrected that.) This affects no other webwork courses, so now I can test these changes on a single course for the upcoming term. If we implement this globally, I will definitely be back here to understand the changes we'll need to make to the other config files. Thanks.

Re: Allowing Both Direct CAS Authorization and Canvas LTI Authorization

by Alex Jordan - Thursday, 22 August 2024, 7:28 PM

I'm not sure if this was part of your question, but if you make it possible for instructors to log in to the course with a username/password, you have to also make the login screen availabe to students. That may or may not be frustrating to a student who does not know their WeBWorK username or has no password (because their account was created with LTI). They can enter from Canvas, then time out, and when they refresh the page they are at the login screen with no indication that they should actually go back to Canvas.

Something else to consider. You could ask your Canvas admin team for a special Canvas course that is just for you to administer WeBWorK from. You could then use this course to put LTI links that lead into the various WeBWorK courses that you need to enter. This should work, assuming you already have a user account in each of those WeBWorK courses.

Re: Allowing Both Direct CAS Authorization and Canvas LTI Authorization

by Jason Terry - Friday, 23 August 2024, 2:11 PM

Yes, my current plan is to set the time-out for inactivity to a longer interval and to put a reminder in the "Site Information" field on the webwork website that students must log in through canvas. And also to give students plenty of verbal reminders that they can only log in through canvas. I hope this will minimize the frustration, but I expect there will still be some. After some time, I'm hoping the culture will change and students will start to adapt to the new log in requirement. This is definitely a very small price to pay for the benefit of using the LTI auth system.

The idea of a special canvas course is intriguing. If I'm understanding, students would need to be enrolled in both their regular canvas course and the special canvas course. And I would need to limit students' access to the particular links for their webwork courses based on their section. Now that the simultaneous authentication issue seems to be solved, I think it will be the faster solution.

Re: Allowing Both Direct CAS Authorization and Canvas LTI Authorization

by Alex Jordan - Friday, 23 August 2024, 2:48 PM

No, the special Canvas course would only be for you (and maybe other faculty you consider to be WeBWorK administrators). It would simply be a gateway for you to enter other faculty's WeBWorK courses. You would place multiple links, one for each WW course you intend to enter. As long as the Canvas course only has you in it, you would not be risking unauthorized people entering the other faculty's WW courses.

Meanwhile in a regular instructional Canvas course, the students and the course instructor use the links there to enter their WW course.

This is the approach I will be setting up soon on my institution's server. Except our LMS is D2L, not Canvas.

Using WeBWorK

WeBWorK Main Forum

Allowing Both Direct CAS Authorization and Canvas LTI Authorization

Allowing Both Direct CAS Authorization and Canvas LTI Authorization

Re: Allowing Both Direct CAS Authorization and Canvas LTI Authorization

Re: Allowing Both Direct CAS Authorization and Canvas LTI Authorization

Re: Allowing Both Direct CAS Authorization and Canvas LTI Authorization

Re: Allowing Both Direct CAS Authorization and Canvas LTI Authorization

Re: Allowing Both Direct CAS Authorization and Canvas LTI Authorization

Re: Allowing Both Direct CAS Authorization and Canvas LTI Authorization

Re: Allowing Both Direct CAS Authorization and Canvas LTI Authorization