I work for a courseware vendor (that is, a "tool" or "tool provider" in LTI terms), and have a question about how our tool can support migrations from our LTI 1.1 to 1.3 integration. I know that Canvas has recently made a big improvement to this process (which is great news), but I can't find an answer to this question in any documentation.

In LTI 1.3, the tool receives the user ID as the "sub" claim in the id_token (in the final leg of the OIDC login flow). This ID is not the same as the LTI 1.1 user_id parameter.

Our question is, how can we seamlessly handle a user who's been using the LTI 1.1 version of our tool, and then one day starts using the 1.3 version instead? Our records contain their 1.1 user_id, of course, but not the new 1.3 "sub" ID. We don't want to force a new login on our side. Instead we want to identify which LTI 1.1 user they were and associate that existing user record with the new LTI 1.3 user ID.

What I'm observing through testing is the LTI 1.3 launches include the "lti11_legacy_user_id" claim, which carries the old ID value. (This wasn't in place a year ago; there was some discussion of it in this forum.)

This suggests that (as the tool provider) we should implement our product such that:

• If an LTI 1.3 user has an "unknown" user ID (by the "sub" claim in their launch), then we look for the "lti11_legacy_user_id" in the launch and check for a user with that ID.
• If we find that user, then we sign them in and update our own user record with the new 1.3 "sub" ID.

Can anyone help me confirm whether this is correct? Is this Canvas's expectation for how an LTI 1.3 tool will handle users during migration from 1.1?