LTI 1.3 Verification of LMS

josh_martin · ‎05-16-2024

As part of the LTI launch process, our app needs to make a request back to the issuer at an endpoint that is different for each LMS.

We currently do this based on the issuer, a.k.a the URL of the of the LMS instance. Because all LTI 1.3 launches go to the same endpoint in our app, and the limited information provided in that initial request, we have been largely dependent upon that issuer URL. While it generally includes the name of the platform or some other indicator of which it is, that is not guaranteed, and we’ve seen instances where the URL doesn’t include the LMS name at all - so we need a more reliable method.

We still want to keep new deployments as “hands free” as possible, so that in the future any customer could still add our app integration with minimal or no support involvement.

What is the recommended way that we can verify the identity of the app coming from Schoology? We are interested in using the client id and deployment id. Is the client id consistent once we publish our app to the public? It seems like the deployment id will change with each install, is this true?

Thanks for your help!

SchoolMessenger CMA

SchoolMessenger K-12 Social

SchoolMessenger PermissionClick

More Products

Distance and Remote Learning

Enrollment Express Family

Enrollment Family

Headed2 Family

PowerSchool Mobile Family

Unified Classroom Behavior Support Family

Unified Talent Applicant Support

All Events

PowerSchool Ideas Portal

Customer Education

Technical Solutions Group

What's New in Customer Ed

PowerSchool Mentors

PowerSchool Champions

Welcome and Getting Started

Announcements: What's New

Community Forum

PeopleAdmin Applicant Support

PeopleAdmin News