What does the recent IMS LTI Deprecation and Security Update mean for Canvas users and integrations?

Instructure
Instructure
5 11 1,992

Recently, IMS Global announced the deprecation schedule of the LTI 1.0, 1.1, 1.2, and 2.0 specifications. Going forward, LTI Core version 1.3 (LTI 1.3) will be the recommended specification for new integrations and any integrations wishing to upgrade their LTI security framework. The LTI 1.3 specification has an enhanced Security Framework and also allows tools to layer on new services (LTI Advantage) for a deeper integration experience.

With the IMS announcement also comes a security update, LTI versions 1.0.2 and 1.1.2, for tools that do not wish to update to LTI 1.3. After reviewing the CSRF threat described in the IMS announcement with our security team, we agree with the IMS recommendation to upgrade to LTI Core version 1.3. Instructure has no current plans for supporting versions 1.0.2 and 1.1.2 in Canvas LMS. This decision was made in part because the work to support them for LTI integrations is nearly as resource intensive (for tool providers and platforms) as supporting LTI 1.3, which Canvas is already certified for.  If this is a concern, please reach out to your Instructure CSM or Partner Manager so we can discuss your concerns.

 

Some useful resources for adopting LTI 1.3 and LTI Advantage services are listed here:

From IMS:

  • LTI 1.3 and LTI Advantage Overview: Within this link you will find public documents outlining the core LTI 1.3 specification, Advantage service specifications, an implementation guide, and more.


From Instructure:

11 Comments
Community Member

It would be helpful to know of a tangible date or schedule for LTI1.3 to become the accepted format on Canvas and for LT11.2 to be out of support. Without a tangible schedule, instructors can't really know when to develop quizzes in the new format. 

Thanks in advance.

Instructure
Instructure

ahui@nvcc.edu‌ great points. Canvas currently accepts LTI 1.3 integrations and we are actively encouraging all new integrations to use LTI 1.3 when they ask for consultation. We will likely deprecate support for LTI 1.2 no less than 18 months after IMS deprecates that standard officially. We've got plenty of tools that Instructure owns that still need to migrate to LTI 1.3, so there is still some time before older versions will no longer be supported.

Community Member

Hi All,

When Canvas and LTI vendors transition over to LTI 1.3, what implications does it have on institutions? Specifically, do we need to make changes (ie reconfigure LTI launches) or is this change behind the scenes between Canvas and LTI vendors?

Henry Ng

Instructure
Instructure

henry.ng@ubc.ca‌ Good questions. The an LTI 1.3 integration will be completely separate from an integration using earlier version due to the huge difference in the security framwork. Older versions use OAuth 1.0a as an authentication mechanism, whereas an LTI 1.3 integration requires an OAuth2 Open ID Connect. For LTI 1.3, since a developer Key to be configure it (https://community.canvaslms.com/docs/DOC-16729-42141110178), there is not seamless upgrade path. It will require a fresh install to upgrade.

For a tool provider, this difference in security framework requires a major rewrite to how they handle LTI launches from an LMS, so the upgrade path is to create a new LTI app and keep the lights on the older versions until customers have time to install the new version in Canvas.

Community Member

Hi Jesse,

Thank you for the response. So to sum this up, when a tool provider implments LTI 1.3, then we (as the institution) will need to re-setup the LTI configuration tool within our Canvas environment and management the transition. By managing the transition, a key component would be to enable the LTI 1.3 tool in each course, and disable/remove the LTI 1.1 tool as well. Did I get the gist of this?

Henry Ng  

Instructure
Instructure

Yes. I should note: the tool can be deployed at the account, sub-account, or course level once the developer key is set up.

Community Member

Hi Jesse,

Thank you for the clarification. I missed that step. I would imagine that a number of LTI tool providers would be deployed at the account level. What I meant was that once deployed at the account level, we'll still need a way to determine which course is using the tool and have that tool enabled in those courses. We don't want to have a tool enabled in a course where an instructor was not expecting their students to use. This is institution dependent and we'll figure out the best option to move forward. 

Henry Ng 

Community Member

Will this impact homegrown LTIs that are also stand-alone applications and are added to courses with the External Tools API? Users authenticate to our custom applications with the same SSO used by our Canvas instance. The applications access Canvas data with the Canvas API.

Instructure
Instructure

Amelia, I fully expect homegrown LTI tools will not be impacted for quite a long time. We haven't determined a deprecation schedule yet for our LTI v1.0 and v1.1 support in Canvas, but estimate it will be "many years" due to the number of tools using those standards in our ecosystem. However, having said this we strongly recommend tool vendors to evaluate the new standard and make plans to transition. As soon as we make a decision on a deprecation schedule, we'll provide communication out to our customers and partner community using blogs, emails, release notes, documentation, etc. to make sure the message gets out.

Community Member

Can you clarify how LTI 1.1 user_id launch values are translated in LTI 1.3? We've been struggling with an incompatibility with LTI 1.3's Names and Roles roster membership user ids not being compatible with a large database of user_ids collected from a legacy LTI 1.1 user database. Not being able to match unique user ids between the two LTI versions (after Canvas switched to using a "global" user uuid rather than an instance specific user id) makes matching users against an LTI 1.1 database impossible.

Can you perhaps please implement the recommended legacy lti11_legacy_user_id field as recommended in the official LTI 1.3 migration guide here?

 

Surveyor

Hi,

 

I hope you are doing well.

 

Have you implemented an LTI advantage on canvas?

 

If yes then canvas support multiple deep links?

 

How to add custom parameters during resource creation? Is there any specific document for Deep link in LTI 1.3 in detail?

what are the limitations of LTI advantage in the canvas that you are facing?

 

Please guide me about this.