Installation

WW v2.19 and Canvas using LTI 1.3

WW v2.19 and Canvas using LTI 1.3

by Peter Lert -
Number of replies: 2

I am working to configure our new WW version 2.19 with our new Canvas LMS using LTI 1.3 integration, using Canvas' "Course Assignments Menu" feature (replacing WW v2.16 & Blackboard with LTI 1.1). We worked out all the settings for the $LTI{v1p3}{...} parameters (with some help from Glenn Rice - thanks again!) to get the systems talking to each other. In order to configure courses it makes sense for instructors to input the lms_context_id, since WW admins do not have access to the instructor's Canvas course. The approach I have developed so far is to leave all the related parameters at default values, except to add the following in localOverrides.conf after include("conf/authen_LTI.conf") :

@LTIConfigVariables = (
	'LTIGradeMode',
        'external_auth',
        'lms_context_id',
        'debug_lti_parameters'
);
$permissionLevels{'change_config_lms_context_id'} = 'professor';

Following the guidance in "LTI Authentication (for WeBWorK 2.18 or newer)" the instructor obtains the lms_context_id for WW in Canvas and then saves it in the WW Course Configuration > LTI page. In Canvas the instructor again opens the "Assignment Settings" menu and has a choice of either "Assignments (Course Home)" or the list of visible HW sets which can be individually selected or all at once. Selecting -

    • "Assignments (Course Home)" creates a Canvas Module with a link to the course.
    • some or all HW sets results in Canvas links being created to each selected HW set (nice!).

So far this behavior is what I expected, but subsequent findings are suprising.

  • As it is, selecting either the Module link or a HW set link presents the instructor with the WW course login again in order to access the WW content. But if the Canvas item (Module or Assignment) is edited by the instructor to "Load in a new window" and then selected, the (edited) link presents the WW content (the Assignments page or the selected HW set) directly without requiring further authentication. Is this the expected behavior? A minor (but annoying) note is that it appears that the instructor must then "Edit Assignment Settings" for each added link in Canvas in order to checkbox "Load This Tool In A New Tab" for each one. I can find no option that will set that option automatically in Canvas when using the  "Course Assignments Menu" feature.
  • Using Canvas for authentication of students is a priority. In order to require LMS authentication, in the WW Course Configuration > LTI page I set "Require users to log in through the LMS" to True. This adds $external_auth=1 in the course simple.conf, with unexpocted results. While the previously created Canvas links (that load in a separate window) could still access the WW course with professor credentials (would links work the same for students?), the admin user can no longer login to the WW course. When $external_auth=1 it seems that admin access to any WW course (except the admin course itself) requires that the admin user be able to first access the instructor's Canvas course. This is not feasible. The only way I could find to override that setting in order to login to the course as an admin is to remove $external_auth=1 from its simple.conf. I fear that will make supporting our instructors more than awkward. Am I missing something?
  • For our purposes it may not be necessary to use $external_auth=1. I am hoping that with $external_auth=0 the LTI 1.3 behavior will be similar to that of LTI 1.1: when a student first uses a link in Canvas the user is created in the WW course with a password that the student can not obtain or change. Thereafter, a student's attempt to access the course directly would fail due to an invalid password. Is that correct? Unfortunately I cannot create or access a student account in a Canvas course in order to test this behavior.
  • Assignment links are created in Canvas along with corresponding columns in the Grades page. I can find no way to create a link that corresponds to $LTIGradeMode='course' using either "Course Assignments Menu" or "Assignment Selection" in Canvas. It appears the $LTIGradeMode value is ignored when a link is created (e.g. a Canvas Grades column is created even when $LTIGradeMode=''). However, if instructors use $LTIGradeMode='homework' this may not be a problem.
As it stands I expect to enable only 'lms_context_id' and 'debug_lti_parameters' in the Course Configuration > LTI page. I will greatly appreciate any responses or suggestions about the above issues; in particular, that student access when $external_auth=0 works the way I expect.

Thanks.


In reply to Peter Lert

Re: WW v2.19 and Canvas using LTI 1.3

by Glenn Rice -

In short, yes, everything that you are seeing is expected behavior.  LTI 1.1 and 1.3 are both implemented to do the same thing in almost all cases.  The differences you are seeing are largely due to a the fact that browsers block cookies in an iframe (more details below) and differences in how Canvas and Blackboard work.

When you have the link set to open in Canvas instead of a new window, Canvas attempts to open the link in an iframe.  If you have $CookieSameSite set to "Lax" in localOverrides.conf, then the cookies that WeBWorK tries to set are blocked in this case.  All browsers block secure cookies with SameSite Lax in an iframe.  So what really happens is that LTI 1.3 authentication succeeds (the login and launch requests are validated), but when WeBWorK tries to redirect the user to the page requested in the launch request (the selected link), then the cookie is not set because it was blocked by the browser, and so the login page is shown instead.  The same thing will happen with LTI 1.1.  The difference is that since LTI 1.1 performs authentication in the initial request the first page does load.  Then if the user tries to submit an answer or change pages in WeBWorK, they end up at the login page, for the same reason.  This is why we have always recommended that you open pages in a new window.

My institution also uses Canvas, and it is annoying that Canvas does not let you set a default to create links to open in a new window.  All other LMS's do have a setting for that.  One thing that you can do is change $CookieSameSite to "None".  Although, that is only a partial fix.  Most users will still end up at the login screen.  This depends on the browser the user is using, and the settings of that browser.  Google Chrome and Safari by default block SameSite None cookies as well in an iframe.  Firefox doesn't.  In Safari you can allow "cross site tracking" and in Chrome you can allow "third party cookies", and then the cookies won't be blocked.

Another thing you can do is change $session_management_via to "key" in localOverrides.conf.  This doesn't use cookies at all, and so authentication will work when embedded in an iframe.  However, by doing so you are sacrificing a large amount of security since all of the authentication parameters are embedded directly in the page, and hackers can utilize that to perform attacks.

The setting $external_auth = 1 says never show the username and password fields on the login screen.  Instead show a message telling the user to login from the LMS.  That is the only way it can work, and that is the same for both LTI 1.1 and 1.3.

Regardless of the $external_auth setting, if you have $LMSManageUserData set to 1, then student accounts are created in WeBWorK when students first log in from the LMS for both versions of LTI.  Those students will not be able to sign in with a username and password (since they won't have a password in the system).  You should set the "Allowed to change their password" permission (i.e., $permissionLevels{change_password}) to "login_proctor" or higher to ensure that students can not set or change their password.

The LMS is not aware of the $LTIGradeMode setting.  If $LTIGradeMode is set to "course", then you should only create one assignment link in the LMS (the "Course Assignments Menu" link).  It will create a corresponding grade book entry.  If you don't want a grade book entry, then in Canvas create a module item instead.  Module items can still use LTI authentication and don't have corresponding grade book entries.

In reply to Glenn Rice

Re: WW v2.19 and Canvas using LTI 1.3

by Peter Lert -
Thanks so much, Glenn. Great explanation - wow on the detail! My guess is that this would be helpful to add to the LTI 1.3 documentation for others as well.
In any case thanks for all you're doing - at 6:50 AM on Labor Day no less!