Jesse Poulos

What does the recent IMS LTI Deprecation and Security Update mean for Canvas users and integrations?

Blog Post created by Jesse Poulos (Employee) on Jul 30, 2019

Recently, IMS Global announced the deprecation schedule of the LTI 1.0, 1.1, 1.2, and 2.0 specifications. Going forward, LTI Core version 1.3 (LTI 1.3) will be the recommended specification for new integrations and any integrations wishing to upgrade their LTI security framework. The LTI 1.3 specification has an enhanced Security Framework and also allows tools to layer on new services (LTI Advantage) for a deeper integration experience.

With the IMS announcement also comes a security update, LTI versions 1.0.2 and 1.1.2, for tools that do not wish to update to LTI 1.3. After reviewing the CSRF threat described in the IMS announcement with our security team, we agree with the IMS recommendation to upgrade to LTI Core version 1.3. Instructure has no current plans to support versions 1.0.2 and 1.1.2 in Canvas LMS. This decision was made in part because the work to support them for LTI integrations is nearly as resource-intensive (for tool providers and platforms) as supporting LTI 1.3, for which Canvas is already certified. If this is a concern, please reach out to your Instructure CSM or Partner Manager so we can discuss your concerns.

Some useful resources for adopting LTI 1.3 and LTI Advantage services are listed here:

From IMS:

  • LTI 1.3 and LTI Advantage Overview: Within this link you will find public documents outlining the core LTI 1.3 specification, Advantage service specifications, an implementation guide, and more.


From Instructure:
