What does the recent IMS LTI Deprecation and Security Update mean for Canvas users and integrations?

The content in this blog is over six months old, and the comments are closed. For the most recent product updates and discussions, you're encouraged to explore newer posts from Instructure's Product Managers.

jpoulos
Instructure Alumni
Instructure Alumni
40
15441

Recently, IMS Global announced the deprecation schedule of the LTI 1.0, 1.1, 1.2, and 2.0 specifications. Going forward, LTI Core version 1.3 (LTI 1.3) will be the recommended specification for new integrations and any integrations wishing to upgrade their LTI security framework. The LTI 1.3 specification has an enhanced Security Framework and also allows tools to layer on new services (LTI Advantage) for a deeper integration experience.

With the IMS announcement also comes a security update, LTI versions 1.0.2 and 1.1.2, for tools that do not wish to update to LTI 1.3. After reviewing the CSRF threat described in the IMS announcement with our security team, we agree with the IMS recommendation to upgrade to LTI Core version 1.3. Instructure has no current plans for supporting versions 1.0.2 and 1.1.2 in Canvas LMS. This decision was made in part because the work to support them for LTI integrations is nearly as resource intensive (for tool providers and platforms) as supporting LTI 1.3, which Canvas is already certified for.  If this is a concern, please reach out to your Instructure CSM or Partner Manager so we can discuss your concerns.

 

Some useful resources for adopting LTI 1.3 and LTI Advantage services are listed here:

From IMS:

  • LTI 1.3 and LTI Advantage Overview: Within this link you will find public documents outlining the core LTI 1.3 specification, Advantage service specifications, an implementation guide, and more.


From Instructure:

The content in this blog is over six months old, and the comments are closed. For the most recent product updates and discussions, you're encouraged to explore newer posts from Instructure's Product Managers.

40 Comments
ahui
Community Novice

It would be helpful to know of a tangible date or schedule for LTI1.3 to become the accepted format on Canvas and for LT11.2 to be out of support. Without a tangible schedule, instructors can't really know when to develop quizzes in the new format. 

Thanks in advance.

jpoulos
Instructure Alumni
Instructure Alumni
Author

 @ahui ‌ great points. Canvas currently accepts LTI 1.3 integrations and we are actively encouraging all new integrations to use LTI 1.3 when they ask for consultation. We will likely deprecate support for LTI 1.2 no less than 18 months after IMS deprecates that standard officially. We've got plenty of tools that Instructure owns that still need to migrate to LTI 1.3, so there is still some time before older versions will no longer be supported.

henry_ng
Community Novice

Hi All,

When Canvas and LTI vendors transition over to LTI 1.3, what implications does it have on institutions? Specifically, do we need to make changes (ie reconfigure LTI launches) or is this change behind the scenes between Canvas and LTI vendors?

Henry Ng

jpoulos
Instructure Alumni
Instructure Alumni
Author

 @henry_ng ‌ Good questions. The an LTI 1.3 integration will be completely separate from an integration using earlier version due to the huge difference in the security framwork. Older versions use OAuth 1.0a as an authentication mechanism, whereas an LTI 1.3 integration requires an OAuth2 Open ID Connect. For LTI 1.3, since a developer Key to be configure it (https://community.canvaslms.com/docs/DOC-16729-42141110178), there is not seamless upgrade path. It will require a fresh install to upgrade.

For a tool provider, this difference in security framework requires a major rewrite to how they handle LTI launches from an LMS, so the upgrade path is to create a new LTI app and keep the lights on the older versions until customers have time to install the new version in Canvas.

henry_ng
Community Novice

Hi Jesse,

Thank you for the response. So to sum this up, when a tool provider implments LTI 1.3, then we (as the institution) will need to re-setup the LTI configuration tool within our Canvas environment and management the transition. By managing the transition, a key component would be to enable the LTI 1.3 tool in each course, and disable/remove the LTI 1.1 tool as well. Did I get the gist of this?

Henry Ng  

jpoulos
Instructure Alumni
Instructure Alumni
Author

Yes. I should note: the tool can be deployed at the account, sub-account, or course level once the developer key is set up.

henry_ng
Community Novice

Hi Jesse,

Thank you for the clarification. I missed that step. I would imagine that a number of LTI tool providers would be deployed at the account level. What I meant was that once deployed at the account level, we'll still need a way to determine which course is using the tool and have that tool enabled in those courses. We don't want to have a tool enabled in a course where an instructor was not expecting their students to use. This is institution dependent and we'll figure out the best option to move forward. 

Henry Ng 

agarrett2
Community Novice

Will this impact homegrown LTIs that are also stand-alone applications and are added to courses with the External Tools API? Users authenticate to our custom applications with the same SSO used by our Canvas instance. The applications access Canvas data with the Canvas API.

karl
Instructure Alumni
Instructure Alumni

Amelia, I fully expect homegrown LTI tools will not be impacted for quite a long time. We haven't determined a deprecation schedule yet for our LTI v1.0 and v1.1 support in Canvas, but estimate it will be "many years" due to the number of tools using those standards in our ecosystem. However, having said this we strongly recommend tool vendors to evaluate the new standard and make plans to transition. As soon as we make a decision on a deprecation schedule, we'll provide communication out to our customers and partner community using blogs, emails, release notes, documentation, etc. to make sure the message gets out.

william_diehl
Community Novice

Can you clarify how LTI 1.1 user_id launch values are translated in LTI 1.3? We've been struggling with an incompatibility with LTI 1.3's Names and Roles roster membership user ids not being compatible with a large database of user_ids collected from a legacy LTI 1.1 user database. Not being able to match unique user ids between the two LTI versions (after Canvas switched to using a "global" user uuid rather than an instance specific user id) makes matching users against an LTI 1.1 database impossible.

Can you perhaps please implement the recommended legacy lti11_legacy_user_id field as recommended in the official LTI 1.3 migration guide here?

 

rohits_paktolus
Community Member

Hi,

 

I hope you are doing well.

 

Have you implemented an LTI advantage on canvas?

 

If yes then canvas support multiple deep links?

 

How to add custom parameters during resource creation? Is there any specific document for Deep link in LTI 1.3 in detail?

what are the limitations of LTI advantage in the canvas that you are facing?

 

Please guide me about this.

JamesSekcienski
Community Coach
Community Coach

Hello,

Are there any new updates on this?

Thanks,

James Sekcienski

adam_c_voyton
Community Participant

@jpoulos you mentioned that "We've got plenty of tools that Instructure owns that still need to migrate to LTI 1.3, so there is still some time before older versions will no longer be supported."

Do you happen to have a list of affected tools that are native to Canvas? Is New Quizzes one of them? 

karl
Instructure Alumni
Instructure Alumni

@adam_c_voyton Yes quizzes is one of these tools. Here's a list for reference:

  • Box
  • Chat
  • Commons
  • Google Hangouts Meet
  • Google Apps (not to be confused with Google Assignments LTI)
  • MasteryConnect
  • MS Teams Meetings
  • New Quizzes
  • Office 365 (Cloud Assignments)
  • Portfolium
  • Redirect Tool
  • Roll Call
  • Scorm
  • Studio
  • Twitter
  • Vimeo
  • Youtube
JeremyShapiro
Community Member
As soon as we make a decision on a deprecation schedule, we'll provide communication out to our customers and partner community using blogs, emails, release notes, documentation, etc. to make sure the message gets out.”

@karl @jpoulos Since that communication hasn't materialized, I'm inferring the schedule's not decided yet. Can we get a new "at least" date? For example, are we safe until at least January 2023? January 2024?

jsowalsk
Community Coach
Community Coach

@jpoulos have there been any updates on this? Is the date still next year on 6/30/22?

karl
Instructure Alumni
Instructure Alumni

@jsowalsk the date of 6/30/2022 was recommended by IMS. However, the Canvas ecosystem supports thousands of LTI 1.0 and 1.1 apps and that timeline isn't realistic for our partners, customers, various app developers and our own teams supporting LTI apps.

I'm still working on developing a realistic timeline where we can appropriately accommodate migration plans for our own LTI tools. I hope to officially communicate out this timeline as soon as possible. As a preview, what I'm proposing is to continue active support for LTI 1.0 and 1.1 for 12 months after our official announcement with another 12 months minimum where the related code will continue to live before actively removing it from Canvas. Based on this, we will actively support LTI 1.0 and 1.1 through at least the 2022 calendar year and this timeline will continue to extend out until we can officially commit to a timeline.

I hope this is helpful. 🙂

 

jsowalsk
Community Coach
Community Coach

Thank you, that is extremely helpful @karl. How will this information/updates be communicated?

karl
Instructure Alumni
Instructure Alumni

I'll add an entry on The Product Blog page here in the community and we'll add this to our various release notes at minimum.

jsowalsk
Community Coach
Community Coach

@karl Great, thank you.

JeremyShapiro
Community Member

@karl Extremely helpful, thank you! Making sure I'm following, that's to say that at a minimum everything will keep working until December 2023 (assuming your proposal is followed):

  1. Canvas announces the plan this month (December)
  2. Active support for LTI 1.0 and 1.1 continues until 12/2022
  3. LTI 1.0 and 1.1 tools continue to function until Canvas takes steps to remove them starting not before 12/2023

Decent chance it's even later than that, but it certainly wouldn't be earlier. Is that accurate?

karl
Instructure Alumni
Instructure Alumni

@JeremyShapiro Yes this is correct, especially the emphasis on "minimum". I have one clarification for #3 in your example. After active support ends if something breaks in Canvas around LTI 1.0/1.1 the remediation recommended will most likely be for tools to move to 1.3. This code base is pretty stable, but it is possible for minor issues to surface in the follow 12 months after end of active support.

jsowalsk
Community Coach
Community Coach

@karl Once you know when Instructure is ready to migrate to LTI 1.3 will this be in the Canvas release notes or how will we find out this information? To confirm, it won't be before 12/2023 right?

karl
Instructure Alumni
Instructure Alumni

@jsowalsk we do not plan to remove code for LTI v1.0 and v1.1 before 12/2023 from Canvas and once these timelines are officially established we will communicate these in the release notes with an associated product blog article.

In the meantime, we've had many of our LTI tool partners either develop or transition to LTI 1.3 and we will continue supporting our partner community in this effort.

jsowalsk
Community Coach
Community Coach

Thank you, @karl!

jsowalsk
Community Coach
Community Coach

@karl Any updates regarding LTI 1.3 and decommission of 1.1? http://www.imsglobal.org/lti-security-announcement-and-deprecation-schedule# 

jsowalsk
Community Coach
Community Coach

@karl Any updates regarding LTI 1.3 and decommission of 1.1? http://www.imsglobal.org/lti-security-announcement-and-deprecation-schedule# 

YoleneOrs
Community Member

@karl @jpoulos  is there any update on this ? If all tools need to have made the extensive redevelopment needed by end of next year they need to know now in order to plan for it 😕 Can you update us on the timeline ? Are you looking at December 2023 or later ?
Thanks,

jsowalsk
Community Coach
Community Coach

Second @YoleneOrs comment. @karl or @jpoulos any update?

AlexisNast
Instructure
Instructure

Hi @jsowalsk and @YoleneOrs ! I'm the new Product Manager (as of January) working on the LTI endpoints. Sorry there hasn't been more communication on this topic! We do not have a projected end date for 1.1 in Canvas. We are working to improve our 1.3 offerings to the point where tools will choose to switch over to them. Once we make a decision on a deprecation date for 1.1 we will give 12 months notice before we stop supporting 1.1 so that tools and schools have plenty of time to transition over. After that initial 12 months of support we anticipate another 12 months where the endpoints will still be available but not actively supported. I hope this helps to clarify things, and if you have any additional questions please let me know!

jsowalsk
Community Coach
Community Coach

Thank you @AlexisNast. Where will this be communicated?

SarahBlanton
Community Participant

Just wondering, also, how you plan to handle all the apps in the EduAppCenter? 

jsowalsk
Community Coach
Community Coach

Second @SarahBlanton's comment.

AlexisNast
Instructure
Instructure

Good questions! @jsowalsk we'll communicate via blog post as well as through our release notes and deprecation notices. We'll also let our Partnerships team know so that they can work with partner apps directly. I am not sure yet, but I'm hoping we can also put a notice in Canvas on either the apps install page or the dev keys page. If you have other ideas of places you think the notice would be helpful to post, please let me know, we definitely want to make sure everyone has as much notice as possible once the decision is made so that nobody is caught off guard.

As for the EduAppCenter, @SarahBlanton, as apps transition from 1.1 to 1.3 we'll start investigating future plans for it. As of today, however, it will continue to be supported as-is. 

jsowalsk
Community Coach
Community Coach

@AlexisNast What about sending an email to account admins about this as another way of communication? For the eduappcenter, do you mean it will be up to the applications to choose whether or not they move to 1.3 or how will this be handled?

matthew_buckett
Community Contributor

@AlexisNast With EduAppCenter only supporting LTI 1.1, are there any plans to add support for Learning Tools Interoperability (LTI) Dynamic Registration (https://www.imsglobal.org/spec/lti-dr/v1p0/) to Canvas and then to allow LTI 1.3 apps to integrate through EduAppCenter using dynamic registration?

AlexisNast
Instructure
Instructure

@jsowalsk We will coordinate with the CSM team to work with getting the word out to account admins. For now, there is no plan to support 1.3 apps within Edu App Center. Installations will need to be handled separately for now.

@matthew_buckett We're very interested in Dynamic Registration and it's high on my list of priorities. That said, I can't yet provide a definite timeline for delivery. Our work on cookieless launches will take priority over this work however, so look for that as the next major LTI work from Canvas.

jsowalsk
Community Coach
Community Coach

@AlexisNast What do you mean by seperately? Install LTIs outside the eduappcenter?

AlexisNast
Instructure
Instructure

@jsowalsk That's correct. LTI 1.3 tools are installed by adding a Developer Key in admin settings and then using the client ID generated for the Dev Key to install the tool. The steps on how to do this are documented here

jsowalsk
Community Coach
Community Coach

Ok, thank you. So to confirm, all tools within the eduappcenter will be 1.1? Will they ever be upgraded to 1.3?