LTI Integration Guide

The B12 SIS supports LTI (Learning Tools Interoperability) 1.3 for secure integration with Canvas and other LMS platforms.

Overview

LTI 1.3 enables:

  • Secure launch from LMS to SIS

  • Single sign-on via OIDC

  • Grade passback to LMS

  • Deep linking to specific content

Configuration

Environment Variables

LTI_ISSUER=https://sis.yourschool.edu
LTI_CLIENT_ID=your-client-id
LTI_DEPLOYMENT_ID=your-deployment-id
LTI_PLATFORM_URL=https://canvas.yourschool.edu
LTI_AUTH_URL=https://canvas.yourschool.edu/api/lti/authorize_redirect
LTI_TOKEN_URL=https://canvas.yourschool.edu/login/oauth2/token
LTI_JWKS_URL=https://canvas.yourschool.edu/api/lti/security/jwks

LTI Endpoints

OIDC Configuration

GET /api/lti/.well-known/openid-configuration

Returns OIDC discovery document.

JWKS (JSON Web Key Set)

GET /api/lti/.well-known/jwks.json

Returns public keys for JWT verification.

Authorization

GET/POST /api/lti/authorize

Handles OIDC authorization flow.

Launch

POST /api/lti/launch/:clientid

Processes LTI launch request and redirects to SIS.

Canvas Setup

1. Create Developer Key

In Canvas Admin:

  1. Go to Developer Keys

  2. Create new LTI Key

  3. Configure:

    • Target Link URI: https://sis.yourschool.edu/api/lti/launch

    • OpenID Connect Initiation URL: https://sis.yourschool.edu/api/lti/authorize

    • JWK Method: Public JWK URL

    • Public JWK URL: https://sis.yourschool.edu/api/lti/.well-known/jwks.json

2. Install in Course/Account

  1. Go to Settings > Apps

  2. Add App

  3. Select “By Client ID”

  4. Enter the Developer Key client ID

Launch Flow

Canvas                    SIS
   │                       │
   │ 1. Initiate Login     │
   │───────────────────────▶
   │                       │
   │ 2. Auth Request       │
   │◀───────────────────────
   │                       │
   │ 3. Auth Response      │
   │───────────────────────▶
   │                       │
   │ 4. Validate & Launch  │
   │◀───────────────────────
   │                       │

Security

  • All tokens signed with RS256

  • Nonce validation prevents replay attacks

  • State parameter ties each auth response to the login request that started it

  • HTTPS required for all endpoints
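
The checks above, applied to the launch POST (step 4 of the launch flow), as an added example that is not the SIS's own code. It uses only Node's built-in crypto module and also covers the issuer, client ID, deployment ID and expiry checks; validateLaunch, the cfg fields, the session object and the in-memory nonce set are assumptions, and the key pair and tokens are constructed for the demo.

```javascript
const crypto = require('node:crypto');
const DEPLOYMENT_CLAIM = 'https://purl.imsglobal.org/spec/lti/claim/deployment_id';
const decode = (part) => JSON.parse(Buffer.from(part, 'base64url').toString('utf8'));
const encode = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');

// `form` is the launch POST body; `session` holds the state and nonce the SIS
// stored when it sent the auth request; `usedNonces` stands in for a nonce store.
function validateLaunch(form, session, platformKey, cfg, usedNonces, now = Date.now() / 1000) {
  if (!form.state || form.state !== session.state) return 'state mismatch';
  const [h, p, s, ...rest] = String(form.id_token).split('.');
  let header, claims;
  try { header = decode(h) || {}; claims = decode(p) || {}; } catch { return 'malformed token'; }
  // Pin the algorithm: never let the token header select "none" or an HMAC.
  if (header.alg !== 'RS256') return 'unexpected alg';
  const sigOk = rest.length === 0 && crypto.verify('RSA-SHA256', Buffer.from(`${h}.${p}`),
    platformKey, Buffer.from(s || '', 'base64url'));
  if (!sigOk) return 'invalid signature';
  if (claims.iss !== cfg.issuer) return 'wrong issuer';
  if (![].concat(claims.aud).includes(cfg.clientId)) return 'wrong audience';
  if (claims[DEPLOYMENT_CLAIM] !== cfg.deploymentId) return 'wrong deployment';
  if (typeof claims.exp !== 'number' || claims.exp + cfg.skewSeconds < now) return 'token expired';
  if (!claims.nonce || claims.nonce !== session.nonce || usedNonces.has(claims.nonce)) return 'nonce rejected';
  usedNonces.add(claims.nonce); // single use: replaying the same token now fails
  return 'ok';
}

// Constructed demo data: a throwaway key pair stands in for the platform's JWKS key.
const platform = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const cfg = { issuer: 'https://lms.example.test', clientId: 'demo-client', deploymentId: 'demo-deployment', skewSeconds: 60 };
function makeToken(overrides = {}, alg = 'RS256', key = platform.privateKey) {
  const claims = { iss: cfg.issuer, aud: cfg.clientId, nonce: 'n-456',
    exp: Math.floor(Date.now() / 1000) + 300, [DEPLOYMENT_CLAIM]: cfg.deploymentId, ...overrides };
  const body = `${encode({ alg, typ: 'JWT' })}.${encode(claims)}`;
  const sig = alg === 'RS256' ? crypto.sign('RSA-SHA256', Buffer.from(body), key).toString('base64url') : '';
  return `${body}.${sig}`;
}

function demo() {
  const session = { state: 's-123', nonce: 'n-456' };
  const check = (id_token, used = new Set(), state = 's-123') =>
    validateLaunch({ state, id_token }, session, platform.publicKey, cfg, used);
  const used = new Set(), good = makeToken(), other = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  return { first: check(good, used), replay: check(good, used),
    badState: check(good, new Set(), 'other-state'), algNone: check(makeToken({}, 'none')),
    wrongKey: check(makeToken({}, 'RS256', other.privateKey)), expired: check(makeToken({ exp: 1 })) };
}
console.log(demo());
```

In a real deployment the verification key would come from the platform's JWKS endpoint and the nonce store would be shared across SIS instances.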

Troubleshooting

Issue                Solution
Invalid signature    Check JWKS URL is accessible
State mismatch       Clear cookies and retry
Client not found     Verify client ID in LTI connection
Token expired        Check system clocks are synchronized

See docs/LTI_IMPLEMENTATION.md for detailed technical documentation.