Introduction

The core of LTI™ is the identity assertion. LTI is a way for one system (the tool consumer, typically an LMS) to send a user to another system (the tool provider, some service that integrates with the LMS) in a trusted way. The most common reason for the trust assertion is to allow the user to be automatically signed in and directed to a specific course or module when the provider renders content.

Tool Consumer
  1. Gather user and context data
  2. Look up shared secret
  3. Send data via POST request signed with shared secret.
Tool Provider
  1. Confirm signature is valid

The consumer and provider have a predefined relationship via a consumer key and shared secret, which are used to sign any messages passed between systems. All messages are signed with an OAuth signature that can be verified by either party. Generally, information only travels one way, from the consumer to the provider.

The identity assertion happens through an HTTP POST request from the consumer to the provider. The POST request must happen in the user's browser, which means it needs to be launched by submitting a form. Generally the form is submitted via JavaScript to an iframe rendered on a page within the consumer, so the user does not have an extra step when trying to launch an app.
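
A provider-side version of the signature check described above, as an added example that is not part of the original page. It assumes OAuth 1.0a HMAC-SHA1 signing (RFC 5849), which the page does not name, and adds timestamp and nonce checks so a captured launch is accepted only once; the key, secret, URL and field values are constructed.

```python
import base64, hashlib, hmac, time
from urllib.parse import quote

def pct(value):
    # RFC 5849 percent-encoding: only unreserved characters stay literal.
    return quote(str(value), safe="-._~")

def sign(method, url, params, secret):
    # METHOD & encoded URL & encoded sorted params; url must carry no query string.
    pairs = sorted((pct(k), pct(v)) for k, v in params.items()
                   if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    base = "&".join([method.upper(), pct(url), pct(normalized)])
    key = pct(secret) + "&"  # no token secret in a launch, so the key ends in "&"
    mac = hmac.new(key.encode(), base.encode(), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()

def verify_launch(method, url, params, secrets, seen_nonces, now=None, max_age=300):
    """Provider-side check. Returns (ok, reason)."""
    now = time.time() if now is None else now
    consumer_key = params.get("oauth_consumer_key")
    secret = secrets.get(consumer_key)
    if secret is None:
        return False, "unknown consumer key"
    if params.get("oauth_signature_method") != "HMAC-SHA1":
        return False, "unexpected signature method"
    expected = sign(method, url, params, secret).encode()
    supplied = str(params.get("oauth_signature", "")).encode()
    if not hmac.compare_digest(expected, supplied):  # constant-time compare
        return False, "bad signature"
    timestamp = str(params.get("oauth_timestamp", ""))
    if not timestamp.isdigit() or abs(now - int(timestamp)) > max_age:
        return False, "stale timestamp"
    nonce = (consumer_key, params.get("oauth_nonce"))
    if nonce in seen_nonces:  # a signed launch is accepted once only
        return False, "replayed nonce"
    seen_nonces.add(nonce)
    return True, "ok"

SECRETS = {"demo-key": "demo-secret"}  # constructed sample key and secret
URL = "https://provider.example/lti/launch"  # constructed launch URL

def sample_launch(now):
    params = {"lti_message_type": "basic-lti-launch-request", "user_id": "u-42",
              "context_id": "course-7", "oauth_consumer_key": "demo-key",
              "oauth_signature_method": "HMAC-SHA1", "oauth_version": "1.0",
              "oauth_timestamp": str(int(now)), "oauth_nonce": "n-0001"}
    params["oauth_signature"] = sign("POST", URL, params, SECRETS["demo-key"])
    return params
```

In a real provider the nonce set would live in shared storage, with entries expiring once they are older than `max_age`.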

Here is a list of parameters that can be sent as part of the POST request. Some are required, some are optional. Most apps should not need more than the first set of parameters and most likely will ignore the rest.