Thanks to Matthew Buckett for this post. Updated 26th Oct 2012 – the username is now passed via ext_sakai_provider_displayid
IMS Basic LTI
Basic LTI allows external tools to be integrated into an existing application such as a VLE. These applications can be hosted outside of the VLE, and once the Basic LTI integration has been done in the VLE, any application that supports Basic LTI can be integrated with it.
From a technical point of view Basic LTI can be thought of as an automatic account provisioning and login mechanism carried out in a single request. The process of sending this single request is called a Basic LTI launch.
For WebLearn an application integrated with Basic LTI appears as a tool in a site. When the user clicks on this tool they are sent to the external application. To be integrated, an external application needs to support Basic LTI. An implementer's guide is available at http://www.imsglobal.org/lti/blti/bltiv1p0/ltiBLTIimgv1p0.html which details how to implement Basic LTI. There is also a Sakai guide at: https://source.sakaiproject.org/svn/basiclti/trunk/basiclti-docs/resources/docs/sakai_basiclti_api.doc
To cut a long story short, WebLearn builds a page with a <FORM> in it and submits that form to the external tool's launch URL. Data about the current user and context are encoded as hidden fields in the form.
<form action="http://dr-chuck.com/ims/php-simple/tool.php" name="ltiLaunchForm" id="ltiLaunchForm" method="post" encType="application/x-www-form-urlencoded">
  <input type="hidden" name="oauth_version" value="1.0"/>
  <input type="hidden" name="oauth_nonce" value="c8350c0e47782d16d2fa48b2090c1d8f"/>
  <input type="hidden" name="oauth_timestamp" value="1251600739"/>
  <input type="hidden" name="oauth_consumer_key" value="12345"/>
  <input type="hidden" name="resource_link_id" value="120988f929-274612"/>
  <input type="hidden" name="user_id" value="292832126"/>
  <input type="hidden" name="roles" value="Instructor"/>
  <input type="hidden" name="lis_person_name_full" value="Jane Q. Public"/>
  <input type="hidden" name="lis_person_contact_email_primary" value="user@school.edu"/>
  <input type="hidden" name="lis_person_sourced_id" value="school.edu:user"/>
  <input type="hidden" name="context_id" value="456434513"/>
  <input type="hidden" name="context_title" value="Design of Personal Environments"/>
  <input type="hidden" name="context_label" value="SI182"/>
  <input type="hidden" name="lti_version" value="LTI-1p0"/>
  <input type="hidden" name="lti_message_type" value="basic-lti-launch-request"/>
  <input type="hidden" name="tool_consumer_instance_guid" value="lmsng.school.edu"/>
  <input type="hidden" name="tool_consumer_instance_description" value="University of School (LMSng)"/>
  <input type="submit" name="basiclti_submit" value="Launch Endpoint with BasicLTI Data"/>
  <input type="hidden" name="oauth_signature_method" value="HMAC-SHA1"/>
  <input type="hidden" name="oauth_callback" value="about:blank"/>
  <input type="hidden" name="oauth_signature" value="TPFPK4u3NwmtLt0nDMP1G1zG30U="/>
  <input type="hidden" name="ext_sakai_provider_displayid" value="oucs0000"/>
</form>
The receiving tool (in this case, at dr-chuck.com/…) then has to process this request: check the signature, create any local user account, set up the session, log the user in and return the first page of the application.
Note that the username is now available via ext_sakai_provider_displayid.
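The "check the signature" step on the tool side, as an added example (not code from WebLearn, Sakai or the sample tool): it recomputes the OAuth 1.0 HMAC-SHA1 signature over the posted fields and also rejects stale timestamps and reused nonces before any field such as roles or ext_sakai_provider_displayid is trusted. The shared secret, the 300-second window and the function names are assumptions, and the launch URL is taken to be the tool's own configured URL with no query string.

```python
import base64, hashlib, hmac, time
from urllib.parse import quote

def _enc(value):
    # OAuth 1.0 percent-encoding: only RFC 3986 unreserved characters stay literal
    return quote(str(value), safe="~")

def base_string(method, url, params):
    # Every posted field except oauth_signature is signed, sorted by encoded name, then value
    pairs = sorted((_enc(k), _enc(v)) for k, v in params.items() if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), _enc(url), _enc(normalized)])

def sign(method, url, params, consumer_secret):
    # A Basic LTI launch has no token secret, so the HMAC key is "<secret>&"
    key = (_enc(consumer_secret) + "&").encode()
    digest = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()

def verify_launch(method, url, params, secrets, seen_nonces, now=None, max_age=300):
    """Return (True, "ok") or (False, reason); url is the tool's configured launch URL."""
    now = time.time() if now is None else now
    secret = secrets.get(params.get("oauth_consumer_key"))
    if secret is None:
        return False, "unknown consumer key"
    if params.get("oauth_signature_method") != "HMAC-SHA1":
        return False, "unsupported signature method"
    if params.get("lti_message_type") != "basic-lti-launch-request":
        return False, "not a launch request"
    ts = params.get("oauth_timestamp", "")
    if not ts.isdecimal() or abs(now - int(ts)) > max_age:
        return False, "stale or malformed timestamp"
    expected = sign(method, url, params, secret).encode()
    if not hmac.compare_digest(expected, params.get("oauth_signature", "").encode()):
        return False, "bad signature"
    nonce = (params["oauth_consumer_key"], params.get("oauth_nonce"))
    if nonce in seen_nonces:  # a captured launch form must not be replayable
        return False, "replayed nonce"
    seen_nonces.add(nonce)
    return True, "ok"

# Constructed sample: a subset of the form fields above, signed with a made-up secret
LAUNCH_URL = "http://dr-chuck.com/ims/php-simple/tool.php"
SECRETS = {"12345": "constructed-secret"}
def sample_launch():
    p = {"oauth_consumer_key": "12345", "oauth_nonce": "c8350c0e47782d16d2fa48b2090c1d8f",
         "oauth_timestamp": "1251600739", "oauth_signature_method": "HMAC-SHA1", "roles": "Instructor",
         "lti_message_type": "basic-lti-launch-request", "ext_sakai_provider_displayid": "oucs0000"}
    return dict(p, oauth_signature=sign("POST", LAUNCH_URL, p, SECRETS["12345"]))
```

In a real deployment the seen_nonces set would be a shared store whose entries expire after max_age seconds.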
Security
There is one issue to note: a Basic LTI tool allows details of users to be sent to a 3rd party site; this could be a publisher or social networking site. Since personal details (such as name and email) of everyone who uses the tool may be forwarded, it is imperative that the 3rd party is trustworthy and has undertaken not to use these details in an unacceptable way.