Overview
As of v2.5.2 and v2.6.0, SSP ships with an implementation of an IMS LTI v1.0 Tool Provider (TP). This allows for point-to-point, inbound SSO into SSP in much the same way as the legacy "Signed URL SSO" mechanism, but in a standards-compliant fashion. The LTI standard is so widely adopted that the SSP team expects LTI to quickly become SSP's most commonly used inbound SSO protocol for tool-to-tool integrations since it typically requires no custom code development.
This document describes the configuration process for enabling the TP and adding Tool Consumer (TC) profiles to it.
See here for a description of the technical implementation and more detail on the supported tool launch API.
Enabling the Tool Provider
The SSP LTI TP leverages SSP-Platform infrastructure originally built for the legacy "Signed URL SSO" mechanism. Platform protects that infrastructure by requiring non-embedded clients (such as SSP) to present a shared secret whenever invoking the newly shared API. This secret is set to the empty string by default, which effectively disables both the Signed URL SSO and LTI TP.
To set the secret on the Platform side, edit $SSP_CONFIGDIR/ssp-platform-config.properties:
environment.build.sso.local.sharedSecret=<some-value>
Set that same value on the SSP side by editing $SSP_CONFIGDIR/ssp-config.properties:
ssp_platform_sso_ticket_service_shared_secret=<some-value>
<some-value> needn't be terribly complex. Something similar to an ATM PIN should be sufficient.
Configuring a Tool Consumer
Tool Consumer Configuration Step 1 - Navigate to "LTI Consumers" Admin Tool
To see data in this tool, the current user must have the API_KEY_READ permission. To change/add data, they need API_KEY_WRITE. Be conservative in granting these permissions, especially the latter, because it allows users to create "back doors" to the application via OAuth2 Client configuration.
Click the "Add" button to add a new LTI Consumer:
Tool Consumer Configuration Step 2 - Complete the LTI Consumer Creation Form
The Consumer Key field will actually be stored in the person.username column in the SSP database. As such:
- Expect the value you enter to be forced to lower case, and
- Be sure to pick a value which will not conflict with a "real" end user's username
The TC must know what its Consumer Key is for the SSP TP. Because TPs are ultimately responsible for ensuring that each real-world TC integrated with them has a unique Consumer Key, it is often up to the TP to specify to the TC what the Consumer Key should be. But this can be a collaborative process.
The Consumer Secret is also shared with, and possibly arrived at via negotiation with, the TC. The SSP TP implementation enforces no strength restrictions on this field other than that it must be non-empty. But it should be at least as strong as whatever requirements are placed on end-user passwords and likely stronger than that, since it is used for establishing an application-to-application trust relationship that allows the TC to assume the identity of any user. Because of the nature of LTI security, this value must be stored in plain text in both the TP and TC.
Set the Lti User Id Field to the name of the LTI launch parameter in which the TC will send the end user's identifier SSP should use to look up the Platform user record to be authenticated. The correct value to place here may not be known until you start to experiment with the TC. (Most TC implementations offer some sort of mechanism for snooping on TP launch requests so you can see which launch parameters are being passed.)
Use the SSP User Attribute combo box to specify the type of end user identifier SSP should expect to receive from the TC, either username or schoolId.
Use the Lti Section Code Field to specify the LTI launch parameter in which the TC will uniquely identify the course in which the end user was present when she initiated the launch. If the launch URL in the TC is configured to target the Early Alert portlet, the values sent in this launch parameter must match values loaded into the section_code field in the external_faculty_course and external_faculty_course_roster SSP database tables.
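The following is an added example, not SSP's own code, of the OAuth 1.0 HMAC-SHA1 check that LTI v1.0 launches rely on: the TP recomputes the signature from its stored Consumer Secret, which is why the secret must be readable on both sides and why it is what protects the user identifier in the launch. The launch URL, Consumer Key, Consumer Secret and parameter values are constructed placeholders, and user_id is assumed to be the parameter named in the Lti User Id Field.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote


def _enc(value):
    # OAuth 1.0 percent-encoding: only RFC 3986 unreserved characters stay literal.
    return quote(value, safe="")


def launch_signature(method, url, params, consumer_secret):
    """HMAC-SHA1 signature over an LTI launch POST, per OAuth 1.0."""
    pairs = sorted((_enc(k), _enc(v)) for k, v in params.items()
                   if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    base_string = "&".join([method.upper(), _enc(url), _enc(normalized)])
    # LTI launches carry no token, so the token-secret half of the key is empty.
    key = _enc(consumer_secret) + "&"
    digest = hmac.new(key.encode(), base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def verify_launch(method, url, params, secrets_by_key):
    """True only if the launch was signed with the stored Consumer Secret."""
    # Replay protection (oauth_timestamp / oauth_nonce tracking) is a separate
    # check and is not shown here.
    secret = secrets_by_key.get(params.get("oauth_consumer_key", ""))
    if not secret or params.get("oauth_signature_method") != "HMAC-SHA1":
        return False
    expected = launch_signature(method, url, params, secret)
    presented = params.get("oauth_signature", "")
    return hmac.compare_digest(expected.encode(), presented.encode())


# Constructed sample data: every value below is a placeholder.
LAUNCH_URL = "https://ssp.example.edu/lti-launch-placeholder"
CONSUMERS = {"example-lms": "constructed-consumer-secret"}
LAUNCH = {
    "lti_message_type": "basic-lti-launch-request",
    "lti_version": "LTI-1p0",
    "resource_link_id": "constructed-link-1",
    "user_id": "jdoe",  # assumed Lti User Id Field
    "oauth_consumer_key": "example-lms",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "1700000000",
    "oauth_nonce": "constructed-nonce",
    "oauth_version": "1.0",
}
LAUNCH["oauth_signature"] = launch_signature(
    "POST", LAUNCH_URL, LAUNCH, CONSUMERS["example-lms"])
```

Changing any signed parameter, including the user identifier, invalidates the signature unless the sender also holds the Consumer Secret.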
Many of the fields in the form offer additional help when you hover over field labels.
Click 'Save' to create the LTI TC: