
What does the recent IMS LTI Deprecation and Security Update mean for Canvas users and integrations?

jpoulos
Instructure

Recently, IMS Global announced the deprecation schedule of the LTI 1.0, 1.1, 1.2, and 2.0 specifications. Going forward, LTI Core version 1.3 (LTI 1.3) will be the recommended specification for new integrations and any integrations wishing to upgrade their LTI security framework. The LTI 1.3 specification has an enhanced Security Framework and also allows tools to layer on new services (LTI Advantage) for a deeper integration experience.

With the IMS announcement also comes a security update, LTI versions 1.0.2 and 1.1.2, for tools that do not wish to update to LTI 1.3. After reviewing the CSRF threat described in the IMS announcement with our security team, we agree with the IMS recommendation to upgrade to LTI Core version 1.3. Instructure has no current plans for supporting versions 1.0.2 and 1.1.2 in Canvas LMS. This decision was made in part because the work to support them for LTI integrations is nearly as resource intensive (for tool providers and platforms) as supporting LTI 1.3, which Canvas is already certified for.  If this is a concern, please reach out to your Instructure CSM or Partner Manager so we can discuss your concerns.


Some useful resources for adopting LTI 1.3 and LTI Advantage services are listed here:

From IMS:

  • LTI 1.3 and LTI Advantage Overview: Within this link you will find public documents outlining the core LTI 1.3 specification, Advantage service specifications, an implementation guide, and more.


From Instructure:

26 Comments
ahui
New Member

It would be helpful to know of a tangible date or schedule for LTI 1.3 to become the accepted format on Canvas and for LTI 1.2 to be out of support. Without a tangible schedule, instructors can't really know when to develop quizzes in the new format.

Thanks in advance.

jpoulos
Instructure

@ahui great points. Canvas currently accepts LTI 1.3 integrations and we are actively encouraging all new integrations to use LTI 1.3 when they ask for consultation. We will likely deprecate support for LTI 1.2 no less than 18 months after IMS deprecates that standard officially. We've got plenty of tools that Instructure owns that still need to migrate to LTI 1.3, so there is still some time before older versions will no longer be supported.

henry_ng
New Member

Hi All,

When Canvas and LTI vendors transition over to LTI 1.3, what implications does it have on institutions? Specifically, do we need to make changes (i.e., reconfigure LTI launches) or is this change behind the scenes between Canvas and LTI vendors?

Henry Ng

jpoulos
Instructure

@henry_ng Good questions. An LTI 1.3 integration will be completely separate from an integration using an earlier version due to the huge difference in the security framework. Older versions use OAuth 1.0a as an authentication mechanism, whereas an LTI 1.3 integration requires OAuth2 OpenID Connect. For LTI 1.3, since a developer key is needed to configure it (https://community.canvaslms.com/docs/DOC-16729-42141110178), there is no seamless upgrade path. It will require a fresh install to upgrade.

For a tool provider, this difference in security framework requires a major rewrite to how they handle LTI launches from an LMS, so the upgrade path is to create a new LTI app and keep the lights on the older versions until customers have time to install the new version in Canvas.
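
As an added illustration (not part of the original comment, and not Canvas or vendor code), the Python below contrasts what a tool checks on an LTI 1.1 launch, an OAuth 1.0a HMAC-SHA1 signature keyed by a shared secret, with the claim checks on an LTI 1.3 OpenID Connect `id_token` payload. Function names, hosts, keys and identifiers are constructed, the launch URL is assumed to have no query string, and the `id_token` signature is assumed to have been verified against the platform's public keys before `lti13_claim_errors` runs.

```python
import base64, hashlib, hmac
from urllib.parse import quote

LTI = "https://purl.imsglobal.org/spec/lti/claim/"  # LTI 1.3 claim prefix

def _enc(value):
    # RFC 5849 percent-encoding: only unreserved characters stay literal.
    return quote(str(value), safe="-._~")

def oauth1_signature(method, url, params, secret):
    # LTI 1.1: HMAC-SHA1 over the OAuth 1.0a base string, keyed with the
    # shared consumer secret (launches carry no token secret).
    pairs = sorted((_enc(k), _enc(v)) for k, v in params.items()
                   if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    base = "&".join([method.upper(), _enc(url), _enc(normalized)])
    mac = hmac.new((_enc(secret) + "&").encode(), base.encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()

def verify_lti11_launch(method, url, params, secret):
    # Constant-time comparison of the recomputed and the received signature.
    expected = oauth1_signature(method, url, params, secret).encode()
    return hmac.compare_digest(expected, str(params.get("oauth_signature", "")).encode())

def lti13_claim_errors(claims, issuer, client_id, deployment_id, nonce, now):
    # LTI 1.3: checks on an id_token payload AFTER its signature has been
    # verified against the platform's public keys (assumed, not shown here).
    aud = claims.get("aud")
    checks = {
        "iss": claims.get("iss") == issuer,
        "aud": client_id in (aud if isinstance(aud, list) else [aud]),
        "exp": claims.get("exp", 0) > now,
        "nonce": claims.get("nonce") == nonce,
        "deployment_id": claims.get(LTI + "deployment_id") == deployment_id,
        "version": claims.get(LTI + "version") == "1.3.0",
    }
    return [name for name, ok in checks.items() if not ok]

# Constructed sample data (not real keys, hosts or identifiers).
URL, SECRET = "https://tool.example/launch", "constructed-shared-secret"
LAUNCH_11 = {"lti_message_type": "basic-lti-launch-request", "lti_version": "LTI-1p0",
             "oauth_consumer_key": "constructed-key", "oauth_nonce": "n-1",
             "oauth_timestamp": "1700000000", "oauth_signature_method": "HMAC-SHA1",
             "oauth_version": "1.0", "resource_link_id": "rl-1", "user_id": "u-1"}
LAUNCH_11["oauth_signature"] = oauth1_signature("POST", URL, LAUNCH_11, SECRET)
CLAIMS_13 = {"iss": "https://platform.example", "aud": "client-1", "exp": 1700003600,
             "nonce": "n-2", LTI + "deployment_id": "dep-1", LTI + "version": "1.3.0"}
```

The two verifiers share no inputs: the first needs a per-tool shared secret, the second needs the platform issuer, client ID, deployment ID and a nonce the tool issued itself, which is why the two integrations are installed and configured separately.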

henry_ng
New Member

Hi Jesse,

Thank you for the response. So to sum this up, when a tool provider implements LTI 1.3, then we (as the institution) will need to re-setup the LTI configuration tool within our Canvas environment and manage the transition. By managing the transition, a key component would be to enable the LTI 1.3 tool in each course, and disable/remove the LTI 1.1 tool as well. Did I get the gist of this?

Henry Ng  

jpoulos
Instructure

Yes. I should note: the tool can be deployed at the account, sub-account, or course level once the developer key is set up.

henry_ng
New Member

Hi Jesse,

Thank you for the clarification. I missed that step. I would imagine that a number of LTI tool providers would be deployed at the account level. What I meant was that once deployed at the account level, we'll still need a way to determine which course is using the tool and have that tool enabled in those courses. We don't want to have a tool enabled in a course where an instructor was not expecting their students to use. This is institution dependent and we'll figure out the best option to move forward. 

Henry Ng 

agarrett2
New Member

Will this impact homegrown LTIs that are also stand-alone applications and are added to courses with the External Tools API? Users authenticate to our custom applications with the same SSO used by our Canvas instance. The applications access Canvas data with the Canvas API.

karl
Instructure

Amelia, I fully expect homegrown LTI tools will not be impacted for quite a long time. We haven't determined a deprecation schedule yet for our LTI v1.0 and v1.1 support in Canvas, but estimate it will be "many years" due to the number of tools using those standards in our ecosystem. However, having said this we strongly recommend tool vendors to evaluate the new standard and make plans to transition. As soon as we make a decision on a deprecation schedule, we'll provide communication out to our customers and partner community using blogs, emails, release notes, documentation, etc. to make sure the message gets out.

william_diehl
New Member

Can you clarify how LTI 1.1 user_id launch values are translated in LTI 1.3? We've been struggling with an incompatibility with LTI 1.3's Names and Roles roster membership user ids not being compatible with a large database of user_ids collected from a legacy LTI 1.1 user database. Not being able to match unique user ids between the two LTI versions (after Canvas switched to using a "global" user uuid rather than an instance specific user id) makes matching users against an LTI 1.1 database impossible.

Can you perhaps please implement the recommended legacy lti11_legacy_user_id field as recommended in the official LTI 1.3 migration guide here?


rohits_paktolus
New Member

Hi,

I hope you are doing well.

Have you implemented LTI Advantage on Canvas?

If yes, does Canvas support multiple deep links?

How do we add custom parameters during resource creation? Is there any specific document for Deep link in LTI 1.3 in detail?

What are the limitations of LTI Advantage in Canvas that you are facing?

Please guide me about this.

JamesSekcienski
Community Participant

Hello,

Are there any new updates on this?

Thanks,

James Sekcienski

adam_c_voyton
Community Member

@jpoulos you mentioned that "We've got plenty of tools that Instructure owns that still need to migrate to LTI 1.3, so there is still some time before older versions will no longer be supported."

Do you happen to have a list of affected tools that are native to Canvas? Is New Quizzes one of them? 

karl
Instructure

@adam_c_voyton Yes quizzes is one of these tools. Here's a list for reference:

  • Box
  • Chat
  • Commons
  • Google Hangouts Meet
  • Google Apps (not to be confused with Google Assignments LTI)
  • MasteryConnect
  • MS Teams Meetings
  • New Quizzes
  • Office 365 (Cloud Assignments)
  • Portfolium
  • Redirect Tool
  • Roll Call
  • Scorm
  • Studio
  • Twitter
  • Vimeo
  • Youtube

JeremyShapiro
New Member

“As soon as we make a decision on a deprecation schedule, we'll provide communication out to our customers and partner community using blogs, emails, release notes, documentation, etc. to make sure the message gets out.”

@karl @jpoulos Since that communication hasn't materialized, I'm inferring the schedule's not decided yet. Can we get a new "at least" date? For example, are we safe until at least January 2023? January 2024?

jsowalsk
Advocate

@jpoulos have there been any updates on this? Is the date still next year on 6/30/22?

karl
Instructure

@jsowalsk the date of 6/30/2022 was recommended by IMS. However, the Canvas ecosystem supports thousands of LTI 1.0 and 1.1 apps and that timeline isn't realistic for our partners, customers, various app developers and our own teams supporting LTI apps.

I'm still working on developing a realistic timeline where we can appropriately accommodate migration plans for our own LTI tools. I hope to officially communicate out this timeline as soon as possible. As a preview, what I'm proposing is to continue active support for LTI 1.0 and 1.1 for 12 months after our official announcement with another 12 months minimum where the related code will continue to live before actively removing it from Canvas. Based on this, we will actively support LTI 1.0 and 1.1 through at least the 2022 calendar year and this timeline will continue to extend out until we can officially commit to a timeline.

I hope this is helpful. 🙂


jsowalsk
Advocate

Thank you, that is extremely helpful @karl. How will this information/updates be communicated?

karl
Instructure

I'll add an entry on The Product Blog page here in the community and we'll add this to our various release notes at minimum.

jsowalsk
Advocate

@karl Great, thank you.

JeremyShapiro
New Member

@karl Extremely helpful, thank you! Making sure I'm following, that's to say that at a minimum everything will keep working until December 2023 (assuming your proposal is followed):

  1. Canvas announces the plan this month (December)
  2. Active support for LTI 1.0 and 1.1 continues until 12/2022
  3. LTI 1.0 and 1.1 tools continue to function until Canvas takes steps to remove them starting not before 12/2023

Decent chance it's even later than that, but it certainly wouldn't be earlier. Is that accurate?

karl
Instructure

@JeremyShapiro Yes, this is correct, especially the emphasis on "minimum". I have one clarification for #3 in your example. After active support ends, if something breaks in Canvas around LTI 1.0/1.1, the remediation recommended will most likely be for tools to move to 1.3. This code base is pretty stable, but it is possible for minor issues to surface in the following 12 months after end of active support.

jsowalsk
Advocate

@karl Once you know when Instructure is ready to migrate to LTI 1.3 will this be in the Canvas release notes or how will we find out this information? To confirm, it won't be before 12/2023 right?

karl
Instructure

@jsowalsk we do not plan to remove code for LTI v1.0 and v1.1 before 12/2023 from Canvas and once these timelines are officially established we will communicate these in the release notes with an associated product blog article.

In the meantime, we've had many of our LTI tool partners either develop or transition to LTI 1.3 and we will continue supporting our partner community in this effort.

jsowalsk
Advocate

Thank you, @karl!

jsowalsk
Advocate

@karl Any updates regarding LTI 1.3 and decommission of 1.1? http://www.imsglobal.org/lti-security-announcement-and-deprecation-schedule#