IMS GLC Public Forums and Resources
Topic Title: Can anyone explain to me what SAML2 is and how to integrate with Basic LTI?
Created On: 06/21/2012 06:27 AM
I am a beginner when it comes to Basic LTI and authentication.
I am trying to find out a little bit more about SAML2 and how to integrate it with Basic LTI.
Hi Dorphan,
SAML 2.0 unifies the previous disparate federated identity building blocks of SAML 1.1 with input from both higher education's Shibboleth initiative and Liberty's Identity Federation Framework (Liberty ID-FF). Read more on this link http://www.xml.com/pub/a/2005/01/12/saml2.html Hope it helps.
Security Assertion Markup Language 2.0 or SAML 2.0 is a version of the SAML OASIS standard for exchanging authentication and authorization data between security domains. SAML 2.0 is an XML-based protocol that uses security tokens containing assertions to pass information about a principal (in most cases an end user) between an identity provider and a web service. SAML 2.0 enables web-based authentication and authorization scenarios including single sign-on (SSO).

Both IMS Learning Tools Interoperability and Security Assertion Markup Language (SAML) have been developing seemingly independently in the space of broad sharing of user identity across multiple organizations and applications. Both LTI and SAML can be seen as solving the problem of "federated identity". SAML is the generic technique for signing, transporting, and parsing security assertions that is embodied in products like Shibboleth, Microsoft Active Directory, and others. The problems that IMS LTI and SAML solve are quite different. LTI establishes trust between a single application (i.e. the Learning Management System) and an external tool, while SAML establishes a relationship between an organization (or federation) and an external tool using Single Sign-On (SSO).

LTI transports information in each launch about a user's identity within the LMS, the course from which the launch is coming, the resource/activity id for the launch, the user's particular role in the course, settings specific to the particular launch/activity in the course, and user information such as name and email. SAML provides a tool with a user's enterprise identity, enterprise role, and user information such as name or email. Even though LTI technically passes its data through the user's browser using OAuth 1.0, LTI architecturally is secure server-to-server communication in its domain of trust.

Both LTI and SAML are very concerned about only releasing private information when appropriate. Both protocols insist on tools understanding that they may not always receive a user's name or email information on every launch. At times the tool may only receive the user_id (LTI) or the handle (SAML), and in particular, the tool should never use a person's email address as their internal key.

SAML is typically deployed in a top-down fashion where an organization converts to a SAML-based SSO at some point in time. It is often a long and drawn-out process to convert an organization from an existing SSO to a SAML-based SSO. When an organization is setting up its arrangements with tool providers, there needs to be organization-to-organization interaction exchanging keys and other information to properly establish the organization-to-tool relationship. Federations like InCommon reduce but do not eliminate this complexity. LTI is designed to be deployed in a much more organic, bottom-up / mash-up approach where an organization upgrades their LMS to a version that supports LTI and they immediately have access to all of the LTI-enabled tools anywhere on the web. LTI can be used broadly by the organization and enables Web 2.0 style mashups fully under instructor control. Hope this helps you and your understanding of SAML.
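Added example, not from the thread or from IMS: a minimal tool-side check of the OAuth 1.0 HMAC-SHA1 signature that a Basic LTI launch carries through the browser, plus a local account key derived from user_id rather than email, as the post above advises. The launch URL, shared secret and launch parameters are all constructed sample values.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

# Constructed sample Basic LTI launch as the tool would receive it (assumed values,
# not from any real LMS); the shared secret is the one the LMS and tool agreed on.
LAUNCH_URL = "https://tool.example.org/lti/launch"
CONSUMER_SECRET = "constructed-shared-secret"
SAMPLE_LAUNCH = {
    "lti_message_type": "basic-lti-launch-request",
    "lti_version": "LTI-1p0",
    "resource_link_id": "rl-42",
    "user_id": "u-1234",
    "roles": "Instructor",
    "lis_person_contact_email_primary": "dorphan@example.edu",  # may be withheld on later launches
    "oauth_consumer_key": "lms-key",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_version": "1.0",
    "oauth_timestamp": "1340267220",
    "oauth_nonce": "d1f3a9c0",
}

def _enc(value):
    # OAuth 1.0 requires RFC 3986 percent-encoding; only unreserved characters stay bare
    return quote(str(value), safe="-._~")

def oauth_base_string(method, url, params):
    # Base string: METHOD & enc(URL) & enc(sorted "k=v" pairs, excluding oauth_signature)
    pairs = sorted((_enc(k), _enc(v)) for k, v in params.items() if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), _enc(url), _enc(normalized)])

def sign_launch(method, url, params, consumer_secret):
    # HMAC-SHA1 keyed with enc(secret)&enc(token_secret); a Basic LTI launch has no token secret
    key = (_enc(consumer_secret) + "&").encode()
    digest = hmac.new(key, oauth_base_string(method, url, params).encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()

def verify_launch(method, url, params, consumer_secret):
    # Constant-time compare; replay checks (timestamp window, nonce store) are out of scope here
    expected = sign_launch(method, url, params, consumer_secret)
    return hmac.compare_digest(expected, params.get("oauth_signature", ""))

def tool_user_key(params):
    # Local account key from the consumer key and user_id, never from the optional email field
    return f"{params['oauth_consumer_key']}:{params['user_id']}"
```

The key stays stable when the LMS omits lis_person_contact_email_primary, and any change to a signed parameter (for example roles) makes verification fail.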
Thanks for the excellent response proppie. LTI and SAML are not replacements for one another because they accomplish different things. However there is a way that they can work together. IMS has met with InCommon and we have roughed out an approach where the two specs can work together without demanding a hard dependency between either spec.
Take a look at this SlideShare presentation: http://www.slideshare.net/csev...-and-saml-draft To my knowledge, no one has implemented what is described in the presentation - but it is a good way forward when there is a need to connect the two specs. -Chuck
Another newbie here. I have applied proppie's response there and it works; the one described in the slide presentation is a bit difficult. I have referred it to my expert colleague and he has apprehensions; he would consider it, though. I'd be back here with the updates if it works for him. Thanks.
------------------------- Alex Hower
SAML2, which is an acronym for Security Assertion Markup Language 2.0, is a standard for exchanging authentication and authorization data between security domains. For more information on this matter you can also refer to this link (http://en.wikipedia.org/wiki/SAML_2.0). As far as integration goes I really don't have a clue, but perhaps this link may assist you (http://www.dr-chuck.com/csev-b...perability-and-saml/). I hope this was beneficial in regards to solving your dilemma.
------------------------- http://www.aqualigion.com
FuseTalk Standard Edition v3.2 - © 1999-2013 FuseTalk Inc. All rights reserved.