User Provisioning

Many external tools will need to know which users are enrolled in a course and their roles. The approaches vary with the version of LTI in use, and sometimes a single approach is not sufficient for all the use cases a tool might be interested in. Here, we outline several different approaches:

LTI Advantage: Names and Role Provisioning Service

The IMS Names and Role Provisioning Service (NRPS) provides an efficient API for synchronizing course rosters. This capability is only available to LTI 1.3 tools. We will not discuss details of the specification here, but instead focus on configuring and using NRPS within the Canvas platform.

Configuring

Before NRPS can be used, an LTI Developer Key must be created and enabled with the https://purl.imsglobal.org/spec/lti-nrps/scope/contextmembership.readonly scope. Next, the external tool must be installed in, or above, the context of the course that needs to be provisioned.

Authenticating

As with the other LTI Advantage services, tools must complete a specific OAuth2 client credentials grant in order to obtain an access token. This access token works for any course that the tool is available in. A single token can be used for multiple courses and services.

Using NRPS

Once an access token is obtained, tools may begin to synchronize data using NRPS. Using the endpoint requires knowledge of the context_memberships_url, which can either be obtained during the LTI launch in the Names and Role Service claim, or by substituting the desired course_id/group_id in the Names and Role API.
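The following is an added example, not code from the Canvas documentation: it reads context_memberships_url from launch claims whose signature has already been verified, refuses to send the bearer token to any URL outside the registered platform, and goes beyond the text above by following the Link-header pagination that NRPS responses use. The host canvas.example.edu, the helper names, the sample members and the `fetch` callable (a stand-in for an HTTP client that attaches the access token) are assumptions.

```python
import re
from urllib.parse import urlsplit

NRPS_CLAIM = "https://purl.imsglobal.org/spec/lti-nrps/claim/namesroleservice"

def checked(url, platform_host):
    """Only https URLs on the registered platform may receive the bearer token."""
    parts = urlsplit(url or "")
    if parts.scheme != "https" or parts.hostname != platform_host:
        raise ValueError(f"refusing memberships URL: {url!r}")
    return url

def memberships_url(claims, platform_host):
    """Read context_memberships_url from already-verified launch claims."""
    return checked(claims.get(NRPS_CLAIM, {}).get("context_memberships_url"), platform_host)

def next_page(link_header):
    """Return the rel="next" target of a Link header, or None on the last page."""
    for target, params in re.findall(r"<([^>]*)>([^,]*)", link_header or ""):
        if re.search(r'\brel="?next\b', params):
            return target
    return None

def sync_roster(fetch, url, platform_host, max_pages=100):
    """Collect {user_id: record}; fetch(url) -> (json_body, headers)."""
    roster = {}
    for _ in range(max_pages):  # bound the loop against a cyclic "next" link
        body, headers = fetch(checked(url, platform_host))
        for m in body.get("members", []):
            roster[m["user_id"]] = {
                "roles": sorted(r.rsplit("#", 1)[-1] for r in m.get("roles", [])),
                "name": m.get("name"),    # absent unless the platform shares it
                "email": m.get("email"),
            }
        url = next_page(headers.get("Link"))
        if url is None:
            return roster
    raise RuntimeError("pagination did not terminate")

# Constructed sample data: two pages served by a stand-in for the HTTP client.
BASE = "https://canvas.example.edu/api/lti/courses/1/names_and_roles"
ROLE = "http://purl.imsglobal.org/vocab/lis/v2/membership#"
PAGES = {
    BASE: ({"members": [{"user_id": "u-1", "roles": [ROLE + "Instructor"],
                         "name": "Ada Example", "email": "ada@example.edu"}]},
           {"Link": f'<{BASE}?page=2>; rel="next", <{BASE}>; rel="first"'}),
    BASE + "?page=2": ({"members": [{"user_id": "u-2", "roles": [ROLE + "Learner"]}]},
                       {"Link": f'<{BASE}>; rel="first"'}),
}
def fake_fetch(url):
    return PAGES[url]
```

Calling `sync_roster(fake_fetch, memberships_url(claims, "canvas.example.edu"), "canvas.example.edu")` returns both members, with `name` and `email` set to `None` for the member whose record carries only `user_id` and `roles`.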

Advantages

Limitations/Challenges

Workflow

Note: Once a single launch has happened from a course, the tool has enough information to use NRPS at any time and get info about all the users.

Provisioning during launch

Configuring

This approach requires an LTI integration (any version) to be configured and visible somewhere within a Canvas course. Ideally, this LTI connection will already have an LTI SSO mechanism. If username, login ID, email, and/or SIS ID is required, make sure the privacy level is set to Public in the tool configuration. Otherwise, Canvas will only send an opaque LTI user id (as the user_id parameter) and a Canvas ID (as the custom_canvas_user_id).

Advantages

Limitations/Challenges

Instructor/Admin/Student Workflow

Supplemental Provisioning via API

In the event that the LTI standard alone is not enough to satisfy your tool's provisioning needs, Canvas has an open REST API and a data service (Canvas Data). Using the API or Canvas Data can help overcome some of the limitations of LTI-only integrations, but they have their own challenges. Where possible, tools should try to avoid using services that are not part of the LTI standards unless it is absolutely necessary.

Configuring

Accessing Canvas APIs requires an institution to issue a Developer Key. Once issued, tools can begin using OAuth2 to request access tokens from individual users. The access token issued to access LTI Advantage services will not work to access REST APIs.

Accessing Canvas Data also has its own authentication system that is discussed elsewhere.

Advantages

Limitations/Challenges

Other options include connecting directly to that same SIS that the client may be using, or leveraging Canvas Data to pull flat files for courses and enrollments.