LTI, SAML, and Federated ID - Oh My!
Charles Severance, Ph.D.
Stephen P Vickers
IMS Global Learning Consortium
http://www.imsglobal.org/
Problem Statement
We need a way to align IMS Learning Tools Interoperability and SAML (or other web-based SSO authentication systems).
Use Case
When an LMS is protected using an SSO and launches an external tool using LTI, we wish to communicate the SSO identity to the external tool; this enables:
- the external tool to connect the user_id value from LTI with an SSO identity;
- the user to connect directly to the external tool and log in using the SSO for their LMS.
Example Scenario
We have three LMSs at three schools: one protected using SAML, one protected using CAS, and one that has no SSO. They all connect to an external tool that supports LTI, CAS and SAML, and has relationships with the appropriate SAML IDP and CAS Server.
Scenario Diagram
[Diagram: lms.saml.edu, lms.cas.edu (mod_cas) and lms.nada.edu all launch tool.hyperlti.com at /launch; the tool runs mod_cas and has relationships with the idp.saml.edu Server and the idp.cas.edu Server.]
Essential Design Concept
The LTI launch is completely normal, providing the standard within-LMS data like user_id, role, context_id, etc. If the LMS is protected using an SSO and the current user is logged in through the SSO, we add the type of SSO (SAML, CAS, etc.) and the Identity Provider for the SSO. The LTI launch does not include the SSO identity, as there is no way to do this reliably.
Design for External Tool: 1
The external tool has an unprotected LTI launch URL to receive LTI requests (/launch).
The external tool has SSO-protected URLs for all the Identity Providers and SSO types it has a relationship with (/cas_edu, /saml_edu).

Design for External Tool: 2
If the LTI launch URL receives parameters including an SSO type and Identity Provider that it is capable of handling, it sets up the LTI data (user, course, role, etc.) in the session and forwards to the appropriate SSO-protected URL on its own server. Since the user is already signed in via the SSO, they simply fall through with REMOTE_USER properly set.

Design for External Tool: 3
Under the SSO-protected URL, the code knows the LTI user's course and role, as well as the Identity Provider and enterprise identity. The tool can link all of these together within its data structures.

Design for External Tool: 4
From that point forward, the tool can identify the user either:
- via an LTI launch through user_id; or
- through a direct login to an SSO-protected URL that provides REMOTE_USER.
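The four design steps above, and the direct-login lookup shown in the later "Log into External Tool via SSO" sequence, as an added worked example; this is illustrative code written for this page, not code from the proposal's authors or from any IMS project. It assumes a tool at tool.hyperlti.com with a shared OAuth consumer secret per LMS (LTI 1.x launches are OAuth 1.0a HMAC-SHA1 signed), a constructed table mapping each (sso_type, sso_idp) pair the tool has a relationship with to its own SSO-protected path, and in-memory dictionaries standing in for the tool's database; the hostnames, secret, nonce and the sample user are constructed. Two defensive points the slides imply but do not spell out are made explicit: the sso_type/sso_idp hints are only honoured after the launch signature verifies, and the redirect target is chosen from the tool's own table rather than taken from the launch, so an LMS cannot turn /launch into an open redirect or point the tool at an IDP it has no relationship with.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

LAUNCH_URL = "https://tool.hyperlti.com/launch"   # hostname from the slide diagrams

# Constructed tool configuration (assumption): the SSO relationships this tool holds,
# keyed by (sso_type, sso_idp) as sent in the launch, mapped to its own protected paths.
SSO_PROTECTED_PATHS = {
    ("saml", "idp.saml.edu"): "/saml_edu",
    ("cas", "idp.cas.edu"): "/cas_edu",
}
CONSUMER_SECRETS = {"lms.saml.edu": "constructed-shared-secret"}  # per-LMS OAuth secret

# In-memory stores standing in for the tool's data structures (Design 3).
IDENTITY_LINKS = {}   # (sso_type, sso_idp, remote_user) -> (consumer_key, lti user_id)
USERS_BY_LTI = {}     # (consumer_key, lti user_id) -> LTI launch record


def _pct(value):
    # RFC 3986 percent-encoding as required by OAuth 1.0a (only unreserved chars kept).
    return quote(str(value), safe="~")


def oauth_base_string(method, url, params):
    # Signature base string: METHOD & url & normalised params, oauth_signature excluded.
    items = sorted((_pct(k), _pct(v)) for k, v in params.items() if k != "oauth_signature")
    normalised = "&".join(f"{k}={v}" for k, v in items)
    return "&".join([method.upper(), _pct(url), _pct(normalised)])


def oauth_sign(method, url, params, secret):
    key = f"{_pct(secret)}&"   # LTI launches carry no token secret, hence the trailing '&'
    digest = hmac.new(key.encode(), oauth_base_string(method, url, params).encode(),
                      hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def verify_launch(method, url, params):
    # Timestamp/nonce replay checks are omitted here; a real tool must add them.
    secret = CONSUMER_SECRETS.get(params.get("oauth_consumer_key"))
    if secret is None:
        return False
    expected = oauth_sign(method, url, params, secret)
    return hmac.compare_digest(expected, params.get("oauth_signature", ""))


def handle_launch(method, url, params, session):
    """Unprotected /launch handler (Design 1 and 2). Returns (status, redirect_path)."""
    if not verify_launch(method, url, params):
        return 403, None                      # untrusted launch: ignore everything in it
    record = {"consumer": params["oauth_consumer_key"], "user_id": params["user_id"],
              "roles": params.get("roles", ""), "context_id": params.get("context_id", "")}
    session["lti"] = record
    USERS_BY_LTI[(record["consumer"], record["user_id"])] = record
    target = SSO_PROTECTED_PATHS.get((params.get("sso_type"), params.get("sso_idp")))
    if target is None:
        return 200, None                      # no usable SSO hint: run on LTI identity alone
    session["pending_sso"] = (params["sso_type"], params["sso_idp"])
    return 302, target                        # path comes from our table, never from the LMS


def handle_sso_protected(sso_type, sso_idp, remote_user, session):
    """Handler behind an SSO-protected URL (Design 3 and 4); remote_user is REMOTE_USER
    as set by mod_cas or the SAML SP. Returns (status, LTI record or None)."""
    if not remote_user:
        return 401, None
    key = (sso_type, sso_idp, remote_user)
    pending = session.pop("pending_sso", None)
    lti = session.get("lti")
    if pending == (sso_type, sso_idp) and lti is not None:
        # Launch path: the redirect we issued landed here, so link the enterprise
        # identity to the LTI user held in this same session.
        IDENTITY_LINKS[key] = (lti["consumer"], lti["user_id"])
        return 200, lti
    link = IDENTITY_LINKS.get(key)            # direct-login path: look up by SSO identity
    return (404, None) if link is None else (200, USERS_BY_LTI.get(link))


def make_launch(**overrides):
    # Constructed launch from lms.saml.edu, signed the way the LMS would sign it.
    params = {"lti_message_type": "basic-lti-launch-request", "lti_version": "LTI-1p0",
              "oauth_consumer_key": "lms.saml.edu", "oauth_signature_method": "HMAC-SHA1",
              "oauth_timestamp": "1300000000", "oauth_nonce": "constructednonce",
              "oauth_version": "1.0", "resource_link_id": "rl-1", "user_id": "12",
              "roles": "Learner", "context_id": "course-101",
              "sso_type": "saml", "sso_idp": "idp.saml.edu"}
    params.update(overrides)
    params["oauth_signature"] = oauth_sign("POST", LAUNCH_URL, params, CONSUMER_SECRETS["lms.saml.edu"])
    return params


def run_scenario():
    # Launch from the LMS, fall through the SSO-protected URL, then a later direct login.
    browser_session = {}
    launch = handle_launch("POST", LAUNCH_URL, make_launch(), browser_session)
    linked = handle_sso_protected("saml", "idp.saml.edu", "auser", browser_session)
    direct = handle_sso_protected("saml", "idp.saml.edu", "auser", {})   # fresh session
    return launch, linked[0], direct[1]["user_id"] if direct[1] else None


if __name__ == "__main__":
    print(run_scenario())
```

run_scenario() walks the three slide sequences in order: the launch returns a 302 to /saml_edu, the protected handler links REMOTE_USER to user_id 12 because the session's pending SSO matches the URL that was hit, and a later direct login with an empty session resolves the same user through the stored link. A launch whose body was altered after signing is refused outright, and one naming an IDP the tool has no relationship with is served on LTI identity alone with no redirect.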
Log into LMS via SSO: 1
[Diagram: Browser, lms.saml.edu, idp.saml.edu IDP, tool.hyperlti.com /launch]
(1) User accesses LMS
(2) Redirected to IDP
(3) IDP displays login page

Log into LMS via SSO: 2
[Diagram: Browser (saml_cookie), lms.saml.edu, idp.saml.edu IDP, tool.hyperlti.com /launch]
(1) User submits login to IDP
(2) IDP sets cookie and redirects to LMS
(3) LMS displays page

Launch external tool from LMS: 1
[Diagram: Browser (saml_cookie), lms.saml.edu, idp.saml.edu IDP, tool.hyperlti.com /launch; launch data: user_id=12 sso_type=saml sso_idp=idp.saml.edu]
(1) User selects LTI tool
(2) LMS sends signed LTI data form to browser
(3) Browser auto-submits data to LTI launch URL

Launch external tool from LMS: 2
[Diagram: Browser (saml_cookie), lms.saml.edu, idp.saml.edu IDP, tool.hyperlti.com /launch; tool session: user_id=12 sso_type=saml sso_idp=idp.saml.edu, then remote_user=auser]
(1) Tool stores the LTI launch data in a user session
(2) Tool redirects to the URL
(3) Browser adds SAML cookie
(4) Request passes through to tool, setting SAML identity

Log into External Tool via SSO: 1
[Diagram: Browser, lms.saml.edu, idp.saml.edu IDP, tool.hyperlti.com /launch]
(1) User accesses tool directly at SSO-protected URL
(2) Redirected to IDP
(3) IDP displays login page

Log into External Tool via SSO: 2
[Diagram: Browser (saml_cookie), lms.saml.edu, idp.saml.edu IDP, tool.hyperlti.com /launch; tool data: user_id=12 sso_type=saml sso_idp=idp.saml.edu remote_user=auser]
(1) User submits login to IDP
(2) IDP sets cookie and redirects to tool
(3) Tool looks up user data based on SAML ID
Further Comments
The model extends to multiple types of SSO providers and multiple identity providers per SSO.
It carefully avoids the LMS forwarding the SSO identity, but instead provides a mechanism for the tool to "add" the SSO identity to a session through a redirect.
Tool providers may obtain additional attributes about a user from the IDP (e.g. telephone number).
Questions / Comments
This is a draft proposal; comments welcome.