  1. Moodle
  2. MDL-72745

LTI: Provide account provisioning options for LTI Advantage launches

Details

    • MOODLE_400_STABLE
    • MDL-72745-master
      Setup

      1. Create two Moodle sites running master, called:
        • Platform
        • Tool
      2. In the tool site, login as admin
      3. Edit your profile picture and upload something recognisable
      4. Create a course with a single assignment called "Assignment 1"
      5. Enrol the following users into the course with the respective roles:
        • t1 editingteacher
        • t2 editingteacher
      6. Go to "Site administration > Security > HTTP security" and:
        • Set 'allowframembedding' to true
        • Leave empty the curlsecurityblockedhosts field (to permit localhost-to-localhost calls)
      7. Enable the auth_lti and enrol_lti plugins via authentication and enrolments respectively
      8. Go to Site admin > Plugins > Enrolments > Publish as LTI tool > Tool registration
      9. Generate a new registration URL using the button
      10. Copy the registration URL to clipboard using the relevant icon
      11. Now, in the platform site, login as admin
      12. Create a single course - we'll use this later.
      13. Enrol the following users into the course with the respective roles:
        • t1, editingteacher
        • t2, editingteacher
        • s1, student
        • s2, student
      14. Edit your profile picture and upload something recognisable but different to the profile picture used in the tool site admin account (the one you set just above)
      15. Go to "Site administration > Security > HTTP security" and leave empty the curlsecurityblockedhosts field (this impacts localhost:localhost communications we'll need for testing)
      16. Go to Site admin > Plugins > Activity plugins > External tool > Manage tools
      17. Paste the copied registration URL and click "Add LTI Advantage tool"
      18. When the registration completes and you can see the tool tile, edit the tool configuration
      19. Set the following:
        • Set "Tool configuration usage" to "Show in activity chooser and as a preconfigured tool"
        • Set "Share launcher's name with the tool" to "Delegate to teacher"
        • Set "Share launcher's email with the tool" to "Delegate to teacher"
      20. Save the form
      21. Click the activate button in the tile to activate the tool.

      Test publishing resources using the new provisioning modes

      1. In the tool site, login as an admin/teacher
      2. Go to the course
      3. Go to Course admin > Published as LTI tools
      4. Under the LTI Advantage tab, click 'Add' to publish a resource
      5. Verify that the "Teacher first launch provisioning mode" form field is present and set to "Existing and new accounts (prompt)"
      6. Verify that the "Student first launch provisioning mode" form field is present and set to "New accounts only (automatic)"
      7. Verify there are 3 options in the dropdown for each of the above form fields.
      8. Under 'tool to be published', select the assignment
      9. Set 'Custom instance name' to 'LTI Advantage Assignment'
      10. Expand 'User default values' fieldset and set the following form field values:
        • Set "City/town" to "Perth"
        • Set "Country" to "Australia"
        • Set "Timezone" to "Australia/Perth"
        • Set "Institution" to "My test institution"
      11. Save the form
      12. Now, edit the published resource and verify the provisioning mode form fields are set to the same values as above.
      13. Cancel the edit to return to the listing
      14. Click the "Legacy LTI (1.1/2.0)" tab
      15. Click "Add"
      16. Verify the "LTI version" form field is set to "Legacy LTI (1.1/2.0)"
      17. Verify you do not see the "Teacher first launch provisioning mode" or "Student first launch provisioning mode" form fields
      18. Now log out of the tool site, but leave this tab on the site login page. We'll use this in a moment or two.

      Test deep link launches using the new provisioning mode

      1. In another tab, log in to the platform site as admin
      2. Go to the course you created during setup
      3. Click to add an activity or resource and select "Moodle" (the tool you created during the setup)
      4. When the edit form loads, click the "Select content" button
      5. Verify that the modal presents you with a welcome view listing a single option for account provisioning: "Link an existing account"
      6. Verify that you see a notice stating that you need to be authenticated with the tool site in order to link accounts.
      7. Close the modal
      8. Now, back in the Tool site tab, log in as the admin user.
      9. Now, back in the Platform site, again click "Select content"
      10. Verify you now see the same option presented but that instead of seeing a notice about being authenticated, you see your account details (firstname, surname, email, picture)
      11. Click "Link this account"
      12. Verify you see a confirmation view letting you know your account has been linked successfully.
      13. Click "Continue"
      14. Verify you are now taken to the content selection view, where you can see the single published resource.
      15. Close the modal
      16. Click 'Select content' again
      17. Verify that you don't see the account options view this time and are instead taken directly to the content selection view again - where a single published resource is again visible.
      18. Select the resource, with or without grades (doesn't matter for this test) and click "Add content"
      19. When the modal closes, expand the "Privacy" fieldset
      20. Check both "Share launcher's name with the tool" and "Share launcher's email with the tool"
      21. Now save the activity by clicking "Save and return to course"
      22. Now launch the activity by clicking it
      23. Verify that you're taken straight in to the assignment, without any prompts for account linking.
      24. Go to the tool tab and log out of the tool (just hit SITE/login/index.php and log out)

      Test instructor resource link launch using the new provisioning modes

      1. Now, in the platform, go to the course where you just created the External tool activity (it will be called "Assignment 1")
      2. Click "Assignment 1" to launch the LTI Activity
      3. Verify you can see the assignment launched and that the embedded frame shows the profile picture of the tool site admin account (i.e. the profile picture has not been updated)
      4. Go to the tool tab and log out of the tool (just hit SITE/login/index.php and log out)

      Test instructor resource link first launch: Link existing account

      1. In the platform, log out.
      2. Log in as user t1 and go to the course
      3. Click the "Assignment 1" LTI activity to launch it
      4. Verify you are presented with two options for account binding:
        • Link existing account
        • Create new account
      5. Verify that you see a notice stating that you need to be authenticated with the tool site in order to link accounts.
      6. In the tool tab, log in as the user t1.
      7. Now, back in the platform tab, refresh the page (or relaunch "Assignment 1")
      8. Verify you now see the same option presented but that instead of seeing a notice about being authenticated, you see your account details (firstname, surname, email, picture)
      9. Click "Link this account"
      10. Verify you see a confirmation view letting you know your account has been linked successfully.
      11. Click "Continue"
      12. Verify you are now taken to the assignment
      13. Launch the assignment again, or reload the page
      14. Verify you're taken right to the assignment this time, without being prompted about account binding options.
      15. In the tool tab, log out.
      16. In the tool tab, log in as admin and go to Site admin > Users > Browse list of users
      17. Search for user 't1'
      18. Verify there is only one t1 user present and the last access was recent
      19. Click the user 't1' and go to "Edit profile"
      20. Verify the auth method is "Manual accounts"
      21. Log out of the tool.
      22. In the platform site, log out

      Test instructor resource link first launch: Create new account

      1. Log in as user t2 on the platform site and go to the course
      2. Click "Assignment 1" to launch the LTI activity
      3. Verify you are presented with two options for account binding:
        • Link existing account
        • Create new account
      4. Click "Create an account for me"
      5. Verify you see a notice stating that your account has been created and is ready to use.
      6. Click "Continue"
      7. Verify you are now taken to the assignment
      8. Launch the assignment again, or reload the page
      9. Verify you're taken right to the assignment this time, without being prompted about account binding options.
      10. In the tool tab, log out
      11. Log in as the admin and go to Site admin > Users > Browse list of users
      12. Search for the name of the PLATFORM user 't2' (not the tool user!). You may need to check the name of the user t2 on the platform first.
      13. Verify you see an account and that the last access time is fairly recent
      14. Click the user and go to "Edit profile"
      15. Verify the following:
        • Firstname matches that of the user 't2' on the platform
        • Surname matches that of the user 't2' on the platform
        • Email matches that of the user 't2' on the platform
        • Username is something like "enrol_lti_13_xxxxxxxxxxxx"
        • Auth method is set to "LTI"
      16. Now, search for the TOOL user 't2' (not the platform user).
      17. View this person's profile
      18. Verify the auth method is listed as "Manual accounts"
      19. Log out of the platform site
      20. Log out of the tool site

      Test Student resource link first launch: Auto provision account

      1. In the platform site, log in as the student 's1'
      2. Go to the course
      3. Click "Assignment 1" to launch the LTI activity
      4. Verify you're taken straight in to the activity without any prompting
      5. Now, in the tool tab, log out
      6. Log in to the tool as the admin user and go to Site admin > Browse list of users
      7. Search for the PLATFORM user 's1'. You may need to check the name of the user s1 on the platform first.
      8. Verify you see an account and that the last access time is fairly recent
      9. Click the user and go to "Edit profile"
      10. Verify the following:
        • Firstname matches that of the user 's1' on the platform
        • Surname matches that of the user 's1' on the platform
        • Email matches that of the user 's1' on the platform
        • Username is something like "enrol_lti_13_xxxxxxxxxxxx"
        • Auth method is set to "LTI"
      11. Log out of the tool
      12. Log out of the platform

      Test changing provisioning mode for a role

      1. Log in to the tool site as the admin user
      2. Now, go to the tool course
      3. Go to Course admin > Published as LTI tools
      4. Edit the "Assignment 1" published resource
      5. Change the "Student first launch provisioning mode" field to "Existing and new accounts (prompt)"
      6. Save the form
      7. Log out of the tool site
      8. Log in to the platform site as the student 's2'
      9. Go to the course
      10. Click "Assignment 1" to launch the LTI activity
      11. Verify you are presented with two options for account binding:
        • Link existing account
        • Create new account
      12. Verify that you see a notice stating that you need to be authenticated with the tool site in order to link accounts.
      13. Leave the platform tab
      14. In the tool site tab, log in to the tool site as the admin user
      15. Go to Course admin > Published as LTI tools
      16. Edit the "Assignment 1" published resource
      17. Change the "Student first launch provisioning mode" field to "Existing accounts only (prompt)"
      18. Save the form
      19. Log out of the tool site
      20. In the platform tab, relaunch "Assignment 1" or reload the page
      21. Verify that you are presented with a welcome view listing a single option for account provisioning: "Link an existing account"
      22. Verify that you see a notice stating that you need to be authenticated with the tool site in order to link accounts.
      23. Log out of the platform site
      24. Log out of the tool site

      Test with authpreventaccountcreation enabled

      1. Log in to the tool site as an admin
      2. Now, go to the tool course
      3. Go to Course admin > Published as LTI tools
      4. Edit the "Assignment 1" published resource
      5. Change the "Student first launch provisioning mode" field to "Existing and new accounts (prompt)"
      6. Save the form
      7. Now go to site admin and search for 'authpreventaccountcreation'
      8. Set this to true (check the box) and save.
      9. Log out of the tool site
      10. Log in to the platform site as the student 's2'
      11. Go to the course
      12. Click "Assignment 1" to launch the LTI activity
      13. Verify that you are presented with a welcome view listing a single option for account provisioning: "Link an existing account"
      14. Verify that you see a notice stating that you need to be authenticated with the tool site in order to link accounts.
      15. Log in to the tool site and undo the changes to 'authpreventaccountcreation' by unchecking that option and saving.
    • Navigation push 8, Navigation push 9, Navigation push 10, Navigation push 11, Navigation push 13

    Description

      This one is part bug and part planned improvement to solve said bug. It's a must fix 4.0 issue as instructors will almost certainly run into this problem without a process in place to handle it.

      The bug occurs only for users allowed to perform both types of launches: deep linking (content selection) and resource link launches (launching a shared module in the tool), i.e. admins and instructors are affected.

      Description of the problem:

      When the instructor makes a deep link launch, they must be authenticated with the tool site. This is so that we can find content which they have the capability to see (shared in courses where they both have access and can share content themselves). The instructor will thus log in to their preexisting account on the tool site. Let's call this one the 'real' account. So, the user logs in and can browse a selection of resources to use. All fine so far.

      Once the user selects a resource (or several) and sets up some resource links (these are the mod_lti instances in a Moodle platform), they probably want to launch said resource to see what the view looks like, etc. THIS is where the problem arises. Because of the way the enrol_lti code works now, they will be logged in as a user account which belongs to the auth_lti auth method, and which IS NOT their 'real' account. Let's call this one the 'lti' account. So, we have 'real' and 'lti' accounts in the tool site.

      Now, let's assume the user goes back to add some more content and performs another deep linking launch. This time, since they're already authenticated as the 'lti' user, they'll be allowed to view the content listing, but it will be empty because that 'lti' user doesn't have the necessary caps to see the published content. The instructor will have no idea what's happened and will create a bug report or a forum post.

      What we want is for the same account to be used when launching as an instructor, whether that be a deep linking launch or a resource link launch. Some instructors will have an existing tool account and will want to link that. Other instructors may only be given access to certain published resources, such as if they're emailed the launch URL and uuid of the resource. These users will want to have an account auto-provisioned for them as they will not necessarily have an existing account on the tool.

      Solution

      The solution to this problem is to provide an account binding (or "Linked login" to use existing Moodle terminology) which would essentially link the platform user (identified by their LTI launch credentials) with the respective user in the tool site. The way this would be achieved is via a one-time prompt for instructors when launching for the first time. They will be asked what they'd like to do and can select from two options:

      1. Create a new account - have the Moodle tool site automatically provision an LTI account for me
      2. Use an existing account - the user can log in with their preferred account.

      Regardless of which option the user chooses, it will result in the creation of an LTI Linked Login on the tool site, allowing us to find this user in future during any launch as part of authenticating them.

      This change must not impact student/learner launches. Student accounts in the tool will remain auto-provisioned for the time being.
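
The binding rules described above, combined with the behaviour the test steps check, as a small Python model. This is an added example, not Moodle's auth_lti/enrol_lti code: the class and function names, the issuer URL, the username derivation and the fail-closed handling of automatic mode when account creation is prevented are all assumptions.

```python
import hashlib
from dataclasses import dataclass, field
from enum import Enum

LINK_EXISTING = "Link existing account"
CREATE_NEW = "Create new account"
ISS = "https://platform.example"  # constructed platform issuer (assumption)


class Mode(Enum):
    NEW_AUTO = "New accounts only (automatic)"
    PROMPT_BOTH = "Existing and new accounts (prompt)"
    PROMPT_EXISTING = "Existing accounts only (prompt)"


@dataclass
class Resource:
    # Defaults as listed in the publishing test steps.
    teacher_mode: Mode = Mode.PROMPT_BOTH
    student_mode: Mode = Mode.NEW_AUTO


@dataclass
class Tool:
    users: dict = field(default_factory=dict)   # username -> auth method
    links: dict = field(default_factory=dict)   # (issuer, sub) -> username
    prevent_account_creation: bool = False      # models 'authpreventaccountcreation'

    def options(self, role, launch_type, res):
        """Choices offered on a first launch; [] means automatic provisioning."""
        if launch_type == "deep_link":
            # Content selection needs the capabilities of a pre-existing account.
            return [LINK_EXISTING]
        mode = res.teacher_mode if role == "teacher" else res.student_mode
        if mode is Mode.NEW_AUTO:
            return []
        opts = [LINK_EXISTING]
        if mode is Mode.PROMPT_BOTH and not self.prevent_account_creation:
            opts.append(CREATE_NEW)
        return opts

    def _provision(self, key):
        # Constructed naming: the page only shows "enrol_lti_13_xxxxxxxxxxxx".
        digest = hashlib.sha256("|".join(key).encode()).hexdigest()[:12]
        name = "enrol_lti_13_" + digest
        self.users[name] = "lti"
        self.links[key] = name
        return name

    def launch(self, sub, role, res, launch_type="resource_link",
               session_user=None, choice=None):
        """Return (status, detail) for a launch by platform user `sub`."""
        key = (ISS, sub)
        if key in self.links:                   # already bound: no prompt
            return ("logged_in", self.links[key])
        opts = self.options(role, launch_type, res)
        if not opts:
            if self.prevent_account_creation:   # assumption: fail closed
                return ("denied", None)
            return ("logged_in", self._provision(key))
        if choice is None:
            return ("prompt", opts)
        if choice not in opts:
            raise PermissionError(f"{choice!r} is not offered for this launch")
        if choice == CREATE_NEW:
            return ("logged_in", self._provision(key))
        # Linking is only honoured for an authenticated tool session;
        # otherwise the user stays on the prompt (the "notice" in the steps).
        if session_user not in self.users:
            return ("prompt", opts)
        self.links[key] = session_user
        return ("logged_in", session_user)


if __name__ == "__main__":
    tool = Tool(users={"t1": "manual", "t2": "manual"})
    res = Resource()
    print(tool.launch("sub-t1", "teacher", res))                    # prompt
    print(tool.launch("sub-t1", "teacher", res, session_user="t1",
                      choice=LINK_EXISTING))                        # bound to t1
    print(tool.launch("sub-t1", "teacher", res, "deep_link"))       # same account
    print(tool.launch("sub-s1", "student", res))                    # auto account
```

Because the link is keyed on the platform identity rather than on the launch type, the deep linking launch and the resource link launch resolve to the same tool account once bound, which is the property the bug description says was missing.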

      This change must also take into account migrated tools (those tools being launched with a valid LTI migration claim). We need to carefully document how instructor launches will behave in such cases as:
      a) when migration claim is sent and a preexisting user was found
      b) when migration claim was sent and there was no preexisting user found (i.e. the teacher is a new user to the tool)

            People

              jaked Jake Dallimore
              jaked Jake Dallimore
              Mihail Geshoski Mihail Geshoski
              David Woloszyn, Huong Nguyen, Jake Dallimore, Meirza, Michael Hawkins, Raquel Ortega, Safat Shahin, Stevani Andolo