LTI-Advanced Authentication

From WeBWorK_wiki
Jump to navigation Jump to search

LTI 1.3 Setup

WeBWork 2.18 supports LTI 1.3. Documentation needs to be written.

With Brightspace (D2L)

A post about LTI 1.3 for Brightspace (D2L) appears at https://sukhjitsehra.github.io/webwork-2.18/.

With Moodle

In Moodle set:

Do not mark "Supports Deep Linking"

Services - "Use this service" for all three. See the image in the ZIP file https://github.com/openwebwork/webwork2/files/11425838/setup.zip

Moodle should provide a popup with "Tools configuration details". It will provide:

  • Platform ID
  • Client ID
  • Deployment ID
  • Public keyset URL
  • Access token URL
  • Authentication request URL

which are needed to make the settings on the WeBWorK side.

Moodle - LTI tool setup in the course:

Key settings in authen_LTI_1_3.conf:

  • $LTI{v1p3}{LMS_name} = 'Moodle at yourschool';
  • $LTI{v1p3}{LMS_url} = 'http://moodle.yourschool.edu';
  • $LTI{v1p3}{PlatformID} = 'http://moodle.yourschool.edu';
  • $LTI{v1p3}{ClientID} = 'FindItInWhatMoodleGaveYou';
  • $LTI{v1p3}{DeploymentID} = '2';
  • $LTI{v1p3}{PublicKeysetURL} = "$LTI{v1p3}{PlatformID}/mod/lti/certs.php";
  • $LTI{v1p3}{AccessTokenURL} = "$LTI{v1p3}{PlatformID}/mod/lti/token.php";
  • $LTI{v1p3}{AuthReqURL} = "$LTI{v1p3}{PlatformID}/mod/lti/auth.php";

See the images in the zip file linked to above that was provided in https://github.com/openwebwork/webwork2/pull/1909.

There are also images about Canvas setup in the ZIP file.

LTI 1.1 Setup

Learning Management Systems (LMS) like Blackboard, Moodle and Canvas all support a protocol called Learning Tools Interoperability (LTI) which can be used to connect learning tools like WeBWorK to the LMS in a standardized fashion. The most common version is 1.2 and is supported by Blackboard, Moodle, Canvas, and others.

WeBWorK has previously supported LTI based authentication through the LTIBasic module. That module has been rewritten to include a fuller range of features, including the ability to pass back grades. This guide includes instructions for the initial configuration and authentication parameters supported by LTIAdvanced. You can read about the grade pass-back features at LTI-Advanced Grading.

First Time Setup

WeBWorK Setup

Before you can use WeBWorK's LTI features you need to do some initial setup. This will need to be done by a system administrator and in particular often requires administrator access to both WeBWorK and your Learning Management System. All of the configuration for WeBWorK is done in the authen_LTI.conf file located in the webwork2/conf directory. First you should copy authen_LTI.conf.dist to authen_LTI.conf. Then you need to uncomment the line

   #include("conf/authen_LTI.conf");

in localOverrides.conf. Now there are some things you will need to do in authen_LTI.conf. The only thing you must set is the LTI Consumer Secret. This acts like a global password and is used to authenticate all communication between WeBWorK and the LMS. So pick something reasonably complicated.

   $LTIBasicConsumerSecret = ""; #This must be set 

There are some other options that can be set as well. I'll go through them in order of most things you will most likely need to think about to less likely.

  • $debug_lti_parameters - Getting things set up for the first time can be tricky and the error messages are kept vague by default (for security). Set this flag to 1 to have WeBWorK split out a lot more information about the LTI authentication process. This can be a big help with troubleshooting.
  • $NonceLifeTime - When the LMS sends a user to WeBWorK it makes a request identified by a "Nonce". This variable controls how long the Nonce is valid, in seconds, from the time it is created by the LMS. It should be short enough to prevent "casual" man-in-the-middle attacks. However, you may need to set it to something longer if your servers/network are slow or if the clocks on your servers are not synced.
  • $preferred_source_of_username
    • The manner in which this variable is used was changed in WebWorK 2.16. See below.
    • When a user logs into WeBWorK from the LMS WeBWorK needs to determine the username of the person logging in.
    • The name of this variable (until version 2.15) is somewhat misleading. It does not really set a "preferred" source, but selects between 2 options, as described below.
      • This variable actually controls whether the email address or the "lis_person_sourcedid" has precedence to be used to determine the username for the student in WeBWorK.
      • The default in the code is to use the "lis_person_sourcedid" assuming it is provided, unless this variable is set to "lis_person_contact_email_primary".
      • The sample system wide LTI config file https://github.com/openwebwork/webwork2/blob/master/conf/authen_LTI.conf.dist will set this variable to "lis_person_contact_email_primary", thereby flipping the default, and provides an explanation of when to change the value.
      • Thus, in typical use with a standard "authen_LTI.conf" the default will be to use the email address of the student logging in as their user name.
        • This is because many/most LMS do not actually provide a traditional username (the LTI field "lis_person_sourcedid").
      • Summary:
        • If this variable is set to "lis_person_sourcedid" then the system will attempt to use the sourcedid is used as the WeBWorK username.
          • Note: Many LMS do not provide this parameter (due to privacy/security concerns).
          • Should the attempt fail, the system will immediately fall back to attempting to use the LMS provided email address as the WeBWorK username.
          • Note: Some LMS do not provide the email either (also due to privacy/security concerns). In such cases, the special options added in WeBWorK 2.16 may be of use. See below.
        • If this variable is set to "lis_person_contact_email_primary" then WeBWorK will use the email address provided by LTI to set the WeBWorK user name.
          • Typically the entire email address is used.
          • If you don't want to use the entire email address you can also set $strip_address_from_email=1 and WeBWorK will strip off the server portion of the email address when creating the username.
        • This setting will not override using the "lis_person_sourcedid" unless it has the value lis_person_contact_email_primary. If you want to use some other LMS provided data to determine the WeBWorK username, you need to make use of an alternative approach.
        • Use a custom $LTI_modify_user routine to replace the value set for the user name.
    • As of WeBWorK 2.16 the configuration is as follows:
      • $preferred_source_of_username (a required setting) sets the first choice of the source for the user_id and $fallback_source_of_username sets an alternate source to use, if the primary one fails.
      • Sample settings and a defaults for $preferred_source_of_username are provided via conf/authen_LTI.conf.dist.
      • No "automatic" fallback behavior is provided in the code, unlike the situation Unless these settings up until WeBWorK 2.15.
      • Use of suitable setting may be helpful if LMS security settings are blocking the LMS from sending both the email and "lis_person_sourcedid" to WeBWorK due to privacy concerns.
      • They also may be useful if your institution wants to minimize the amount of personal identification information in the WeBWorK database.
      • Use of the LMS "user_id" field is likely to make the use of WeBWorK less convenient for the course staff, as the LMS "user_id" field is not something from which it is convenient to determine a humanly understandable student identifier. Thus, they should be used only when there is a real operation need for them. If the LMS provides the option to send the user's email to WeBWorK - it is highly recommended to make that setting and not to use either of these settings.
  • $preferred_source_of_student_id (optional) - determines how the WeBWorK "student_id" value is set.
    • The manner in which this variable is used was changed in WebWorK 2.16.
    • Until WeBWorK 2.15 the standard behavior, is to use the value the LMS provides as "custom_student_id" (or "student_id").
      • If that settings is not provided by the LMS in the LTI connection and and this optional variable was set, then WeBWorK will select the relevant LMS provided value to be used to set the WeBWorK "student_id" value.
      • The setting will never override a value the LMS provided via the "custom_student_id" field.
      • If in use, and the LMS fails to provide that value, an error may occur.
      • The name of this variable is somewhat misleading, but cannot be changed to maintain backwards compatibility. It does not really set a "preferred" source, but only allows a fall-back setting.
    • As of WeBWorK 2.16 - there is no default behavior - you must set a valid value for $preferred_source_of_student_id to have LTI set the student_id value.
    • Use of $debug_lti_parameters=1 can help find what value to use.
    • A system wide setting can be made in "authen_LTI.conf".
    • A custom $LTI_modify_user routine can be used to override the standard behavior when necessary.
  • $LTIBasicToThisSiteURL - When the authentication request is being validated WeBWorK will check to see if the address that the user clicked in in the LMS is the same as the address of the WeBWorK server. If you have a load balancing system where the WeBWorK server address may not be the same as the address the student clicked on in the LMS then you will need to set this variable to the address in the LMS.

LMS Setup

Next you need to set up your LMS. In general you will need to provide the LMS the following things:

  • The address of your WeBWorK server. Note: The address here needs to exactly match the address of your webwork server as defined in site.conf, e.g. it should be the combination of $server_root_url and $webwork_url
  • The "Tool Provider Key" or "Consumer Key"; this is just some made up word, like "webwork" or "smargleborg".
  • The "Tool Provider Secret" or "Consumer Secret"; this is the password used to identify the LMS to your WeBWorK site (and vice versa) and should be the same as $LTIBasicConsumerSecret
  • What kind of user information is provided to WeBWorK.

The specifics in setting up the LMS vary depending on what LMS you use. I've posted links to setup instructions for Blackboard, Moodle and Canvas below. Note, when the instructions refer to the "LTI" or "Tool", that is WeBWorK. A couple of other things to think about:

  • Its usually best to have WeBWorK open in a new window. There are usually settings you can set which will control this. However feel free to experiment with other settings until you find a mode you like.
  • If you want to get fancy you can also try to have the LMS provide section or recitation information by setting a custom parameter. In all of the configurations there is a "Custom Fields" section. You would specify "section = #" or "recitation = #" to set the section or recitation.

Blackboard

The instructions are here. Brief instructions and a screenshot follow.

Blackboard-lti-setup.png

  1. In the Administrator Panel (under Building Blocks) click LTI Tool Providers and then Register Provider Domain
  2. Input the address of the WeBWorK server in Provider Domain
  3. Use Set Globally for Default configuration and input the Tool Provider Key (any word, e.g. webwork) and the Tool Provider Secret (e.g.$LTIBasicConsumerSecret)
  4. Enable Send User Data. (Restricting to ssl is safer if you have https enabled.) Then enable all three user fields.

Moodle

The instructions are here. Basic instructions and a screenshot follow

Moodle-lti-setup.png

  1. Go to Site administration > Plugins > Activity modules > LTI > Manage external tool types and click "Add External Tool Configuration"
  2. Input the Tool Name and the WeBWorK server address as the Tool Base URL
  3. Input the Consumer Key (any word e.g. webwork) and the Shared Secret (e.g. $LTIBasicConsumerSecret).
  4. In Privacy set both "Share" configurations to "Always". If you have https available its safer to also enable "Force SSL".

Canvas

The instructions are here. The basic instructions and a screenshot follow.

Canvas-lti-setup.png

  1. Go to Settings > Apps > View App Configurations > Add App
  2. Choose "Manual Entry" for configuration type.
  3. The "Launch URL" is the url of the course and can be left blank. The "Domain" is just the server address
  4. Input the Consumer Key (any word e.g. webwork) and the Shared Secret (e.g. $LTIBasicConsumerSecret).
  5. You should set "Privacy" to "Public".

Warning: A recent Canvas security related change prevents copying the LTI key and LTI consumer secret when course content is copied to a new course. Those values need to be set again manually in the new course. See: the forum post by Tim Payer.

Desire2Learn (D2L) BrightSpace

See LTI-Advanced_Authentication_for_D2L

Adding Links To WeBWorK

Once you have set up your WeBWorK configuration files and added WeBWorK as an LTI Tool to your LMS you will need to make a link/assignment in the LMS that students can use to get to WeBWorK. This needs to be done in every LMS course which uses WeBWorK. Again, the process for this varies depending on what LMS you are using. I'll describe the basic process for Moodle, Blackboard and Canvas. Be aware that each LMS has its own quirks and possibilities. In some LMS you can make a link in the side bar as a "course tool", or as a "module", or add it to the navigation bar. In some LMS the links go in the "Content Area". In some LMS the links go in the "Assignment List". Consult your LMS documentation for a full description on where and how LTI links can be included. A couple of other things to think about:

  • Its usually best to have WeBWorK open in a new window. There are usually settings you can set which will control this. However feel free to experiment with other settings until you find a mode you like.
  • If you want to get fancy you can also try to have the LMS provide section or recitation information by setting a custom parameter. In all of the configurations there is a "Custom Fields" section. You would specify "section = #" or "recitation = #" to set the section or recitation.

Blackboard

The documentation is here. A screenshot and basic instructions follow.

Blackboard-lti-link.png

  1. Go to Conent > Build Content > (Create) Web Link
  2. Add a Name for your link and the URL of the course you are linking to. You can get the url using "copy link location" on the link to the course in the main WeBWorK page. Alternatively the url structure is: http://webwork.server.edu/webwork2/CourseName
  3. Check "This link is a Tool Provider"*
  • You may need to enable "LTI" in Customization => Tool Availability if the checkbox for "This link is a Tool Provider" is not shown

Moodle

The documentation is here. A screenshot and basic instructions follow.

Moodle-lti-link.png

  1. Go to a Course, Turn "Editing" on, and click "Add an activity or resource".
  2. Choose "External Tool" and click "Add".
  3. Pick an activity name and add the URL of the course you are linking to. You can get the url using "copy link location" on the link to the course in the main WeBWorK page. Alternatively the url structure is: http://webwork.server.edu/webwork2/CourseName

Canvas

The documentation is here. A screenshot and basic instructions follow.

Canvas-lti-link.png

  1. Go to your Course, then Assignments, then add an assignment.
  2. Select "External Tool" for Submission type.
  3. Input the URL of the course you are linking to. You can get the url using "copy link location" on the link to the course in the main WeBWorK page. Alternatively the url structure is: http://webwork.server.edu/webwork2/CourseName


Warning: A recent Canvas security related change prevents copying the LTI key and LTI consumer secret when course content is copied to a new course. Those values need to be set again manually in the new course. See: the forum post by Tim Payer.

Automatic Student Account Management

The LTIAdvanced module can be set up to automatically manage and create student accounts in WeBWorK. In particular if a student does not have an account in WeBWorK then the first time they log in a WeBWorK account will be created for them. The username will be determined by $preferred_source_of_username (see above for the details) and they will automatically be assigned all "visible" homework sets. Now you should be all set up. You can test it out by creating a test student in your LMS and using the link to log into WeBWorK from the LMS. Logging into WeBWorK in this way should not require a password, the WeBWorK user for the student should be automatically created, and the user should also automatically be assigned all "visible" homework sets. In particular you should keep the following in mind about automatic account creation.

  • Students created via the LMS will not have neither a student id nor an initial password. In particular they will not be able to log into WeBWorK directly. The $external_auth is set to one by default and actually prevents them from seeing the WeBWorK login page. They will need to log in via the LMS unless you get fancy.
  • IMPORTANT: $external_auth=1; prevents students from seeing the WeBWorK login page- they see a message that directs them to login through the LMS. However it also prevents professors and TAs from logging in to WeBWorK directly and using the internal WeBWorK authentication. For this reason many sites set $external_auth=0; which allows the internal WeBWorK authentication mechanism to take over if an LTI login fails. Students still cannot login to webwork directly because neither they nor anyone else knows their LTI created password. However it will be necessary to inform them (possibly repeatedly) that they can only log in to WeBWorK through the LMS. (See [1] and [2] for an expanded discussion on this matter.
  • Accounts with a permission level of TA or higher are not automatically created by default for security reasons. So you will have to add your TA's and other professors manually.
  • Students created via the LMS are assigned all visible sets. However, the due dates of these sets are not adjusted to take late registrations into account unless you get fancy.
  • ADVANCED: You can define the local routines which can be used to modify newly created users and newly assigned sets. For example, you can give newly created users a random student_id/password or you can alter the due dates of a student depending on how late they register.

The account creation feature is controlled entirely inside authen_LTI.conf. The important parameters are:

  • $LMSManageUserData - WeBWorK will try to keep your student's data up to date with the LMS if this flag is on. Student data doesn't change much so you could turn it off with relatively few side effects.
    • If you enable this feature then you should not let students change their email address, since their changes will constantly be overwritten. To do that set $permissionLevels{change_email} = "ta";.
    • If you use the $LTI_modify_user local subroutine then you should turn this feature off.
  • $LTIAccountCreationCutoff - For security reasons users with permission levels of ta or higher are not automatically created. In other words you will need to manually add professor users to a course before they can log in via the LMS. If you want to allow professors to be created automatically set this variable to 'professor'. If you want to turn off the account creation feature set this variable to 'guest' or 'student'.
  • %LMSrolesToWeBWorKroles - If your LMS uses roles not listed in this hash you will need to add those roles so that users get the right WeBWorK permission level.
  • $LTI_modify_user - This is a local subroutine which you can use to modify a newly created user before they are actually added to WeBWorK. You would use this if you wanted to, for example, analyze the LTI context parameter for a section number and set the student's section, or create a random string which you set as the student ID and the students password. The basic subroutine looks like:
$LTI_modify_user = sub { 
# The self object from LTIAdvanced.pm 
my $self = shift; 
# The user object to be modified 
my $user = shift; 

# Parse context_id for additional information.  E.G.   
my @course_id=split /-/, $self -> {"context_id"}; 
$user->{"section"} = $course_id[4]; 
}; 
  • $LTI_modify_set - This is a local subroutine which you can use to modify newly created sets before they are assigned to users. You would use this if you wanted to, for example, modify the due date of the set before it is assigned, adding extra days based on the number of sets assigned. The basic subroutine looks like:
$LTI_modify_user_set = sub { 
# The self object from LTIAdvanced.pm 
my $self = shift; 
my $globalSet = shift; 
# The userSet object to be modified 
my $userSet = shift; 
my $numberOfSetsAssigned = $self->{numberOfSetsAssigned}; 
my $daysPerSetMakeup = 2; 
my $reasonableNumberOfDays = $numberOfSetsAssigned*$daysPerSetMakeup +1; 
if ($reasonableNumberOfDays < 2) {$reasonableNumberOfDays = 2;} 
my $niceDueTime = $globalSet->due_date + $reasonableNumberOfDays*86400; 
my $niceAnswerTime = $niceDueTime + 600; 
$userSet->due_date($niceDueTime); 
$userSet->answer_date($niceAnswerTime); 
};

Additional Authentication Setups

Students created via the LMS will not have neither a student id nor an initial password. In particular they will not be able to log into WeBWorK directly. The $external_auth is set to one by default and actually prevents them from seeing the WeBWorK login page. They will need to log in via the LMS unless you get fancy. In particular since they are not allowed to log in to WeBWorK directly you should consider setting $permissionLevels{change_password} = "ta";. This will prevent students from messing with their WeBWorK password. If you do want to allow students to log into WeBWorK directly you have a couple of options.

  • Native WeBWorK Logins - Set $external_auth to zero and give students permission to change their password. Students will not have a password by default and will not be able to log in via WeBWorK. However if they use the User Settings page to give themselves a password then they can log in via WeBWorK.
  • LDAP Logins - If your LMS uses an LDAP system for authentication you can also set up WeBWorK to use LDAP authentication (see LDAP Authentication). When set up properly this will allow students to log into WeBWorK using their LDAP/LMS credentials (once their account is created in WeBWorK, of course). To do this you should first comment out the following lines in authen_ldap.conf
   #$authen{user_module} = {
   #	"*" => "WeBWorK::Authen::LDAP",
   #};

In authen_LTI.conf you should change the definition of $authen{user_module} to

   $authen{user_module} = [ 
       {  "*" => "WeBWorK::Authen::LTIAdvanced", }, #preferred authorization method
       {  "*" => "WeBWorK::Authen::LDAP",}  #fallback authorization method
   ];

You should also make sure that $external_auth is set to zero.


Make LTI connections for a single course

  • LTI -- The LTI connection between Canvas, Blackboard, Moodle and WeBWorK was introduced in release 2.12 but best practices for configuring the connection are still emerging.
  • In webwork2/conf make a copy authen_LTI.conf from authen_LTI.conf.dist if you haven't done so already.
  • In localOverrides.conf make sure that authen_LTI.conf is enabled and set global settings for the grading mode and debugging:
   include("conf/authen_LTI.conf");
  $debug_lti_parameters = 0; 
  $LTIGrademode=“”;
  • At the end of course.conf for the course using LTI place these statements:
   # Settings to connect this course to 	Canvas via  LTI.
   $LTIGradeOnSubmit = 1;      # or 0 if grade pass-back is not used
   $debug_lti_parameters = 0; # you can set this to 1 for initial setup in order to get additional debugging information
   $LTIBasicConsumerSecret = "XXXsecretXXX";
   $LTIGradeMode = "homework";
   $external_auth = 0;  # this allows both LTI and direct authorization to work simultaneously (use carefully, LTI registered students who try to
                                    # login directly will be told they have an incorrect password since LTI creates a random practice that is never used. 
                                    # instructors will be able to login directly
      • For more details read Goeff Goehle's blog posts ([3]) and the comments in authen_LTI.conf.dist, and LTIAdvanced.pm

Grade Pass-back

There is an optional subsystem for allowing WeBWorK to pass grades back to the LMS. You can read more about that at LTI-Advanced Grading

Gotchas

  • I set $debug_lti_parameters to one but I don't see any debugging info. This means that the LTI authentication module is not getting called, or is getting called without parameters.
    • The LTI parameters are only set in the 'initial' login. Make sure you log out of WeBWorK before trying to log back in via the LMS.
    • If you have multiple authentication plugins activated make sure that $authen{user_module} is not getting overwritten by a different authentication module.
    • If you have https and are forwarding http calls to https, make sure that the link in the LMS is https.
  • I get an "OAuth verification failed" error. This means that WeBWorK cannot verify the authentication request sent by the LMS. This usually means that you have trouble with either the consumer secret or your WeBWorK address.
    • Double check that your consumer secrets are the same.
    • Double check that your urls match. In particular the URL you put in the LMS has to match the server url defined in site.conf, localOverrides.conf, and authen_LTI.conf. For example, if you have an "https" in the URL in the LMS then you should have an "https" in the value of $server_root_url.
  • I get an "LTIAdvanced was unable to create a username from the user_id or from the mail address." error. WeBWorK uses either the parameter "lis_person_sourcedid" or the parameter "lis_person_contact_email_primary" to build the user id. If neither of these are present the system will fail. Make sure the "privacy" mode is set to "public" (or the most permissive setting) in the LMS to guarantee that it is sending enough info for WeBWorK to create a user.
  • I get an "Your authentication failed. Please try again. Please speak with your instructor if you need help." in Canvas, after copying a course to a new semester.
    • Warning: A recent Canvas security related change prevents copying the LTI key and LTI consumer secret when course content is copied to a new course. Those values need to be set again manually in the new course. See: the forum post by Tim Payer.