About
With the Kaltura LMS integration, user ID records are passed from the LMS to Kaltura through the LTI launch. For LTI 1.1 authentication (Hosted module > authMethod=lti), admins can use the ltiUserIdAttribute field in the Hosted module to specify which LTI attribute should serve as the user ID.
For LTI 1.3, the user ID attribute is structured as a JWT claim key/value pair in a JSON object. In some cases, the desired LTI attribute may be located within a nested claim rather than as a top-level string claim.
To address this, Kaltura introduced two fields in the Hosted module that allow admins to set the claim key/value pair for the username in KAF. The fields are exposed when authMethod is set to LTI 1.3 (Hosted module > authMethod=lti1.3).
lti13UserIdClaim - The LTI Claim from which the user ID should be taken.
lti13UserIdClaimProperty - The property from the claim from which the user ID should be taken.
Which KAF fields to use
With LTI 1.1, the user ID value is controlled by the Hosted module's ltiUserIdAttribute field.
With LTI 1.3, the user ID value is controlled either by the Hosted module's ltiUserIdAttribute field or by the lti13UserIdClaim / lti13UserIdClaimProperty fields.
In order to use lti13UserIdClaimProperty, the lti13UserIdClaim field must be populated. Make sure to read the Order of operations section below.
Why correct user ID configuration matters
In Kaltura many data objects include a reference to user ID. These include:
- Entry owner
- Playlist owner
- Entry co-publishers
- Entry co-editors
- Entry co-viewers
- Entry cue points
- Category and channel owners
- Category members (includes channel subscribers)
- Group members
- Analytics
- Comments
During the initial implementation of Kaltura, it is important to determine which LTI attribute to use as the user ID. When upgrading from LTI 1.1 to LTI 1.3, ensure that the chosen attribute remains available or retains the same value in LTI 1.3.
Determining the correct LTI attribute for user ID
The LTI specification typically uses user_id as the default attribute for user ID, though this may not always be user-friendly. Kaltura provides default values for ltiUserIdAttribute, lti13UserIdClaim, and lti13UserIdClaimProperty fields based on the LMS type and configured LTI version.
If these default values don’t align with your preferred format, adjust them to any available attribute in the LTI launch data.
How to determine which attributes are available and which to use
The LTI launch for each Kaltura tool contains the available LTI attributes that can be used as the user ID value in Kaltura.
The following steps are intended for use with Google Chrome. If you're using a different browser, the steps may vary.
New Kaltura LMS integration
- Complete the integration of Kaltura with your LMS.
- Log into your LMS as a user enrolled in a course.
Do not use an account that uses the same user id as a Kaltura KMC (Kaltura Management Console) account.
- Launch the Kaltura My Media tool.
If this is the first time the user has launched a Kaltura tool, a message will display requesting you to accept authorization, and a user record will be automatically created in Kaltura.
- Log into your Configuration Management console by going to https://{your_KAF_URL}/admin.
- Click on the Manage Users tab in the top black bar.
- In the User Management page, locate the user record that was created.
- Evaluate the User ID field to determine if it has the correct format.
- If Yes, then you can use the default KAF settings.
- If No, then proceed to the section below on Inspecting the LTI Launch.
After upgrading from LTI 1.1 to LTI 1.3
- Complete the LTI upgrade process.
- Log into your LMS as a user enrolled in a course.
Do not use an account that uses the same user id as a Kaltura KMC (Kaltura Management Console) account.
- Log in to your KAF Admin Console by going to https://{your_KAF_URL}/admin. If on logging in you receive a message requesting you to accept authorization, that is an indicator that you have an issue with user ID matching.
- Click on the Manage Users tab located in the top black bar.
- Locate the user record for the user account you used in step 2.
- Delete the user record in KAF.
- In the User Management page, locate the user record you want to delete.
- Click on the Actions button.
- In the Actions menu, click on Remove from site.
- In the Delete User popup box, click on Yes.
- Launch the Kaltura My Media tool.
- Click on the Manage Users tab located in the top black bar.
- Locate the new user record that was created.
- Evaluate the User ID field to determine if it has the same format as it had with LTI 1.1.
- If Yes, then you can use the default KAF settings.
- If No, then proceed to the section on Inspecting the LTI Launch.
Deleting the user record in KAF will not have any effect on existing entries or data records in Kaltura. The LTI integration will automatically create a new user record the next time the user launches one of the Kaltura tools.
Order of operations
Kaltura first checks if ltiUserIdAttribute has a configured value. If not set, or if the specified attribute is missing in the LTI launch, Kaltura then looks for configurations in the lti13UserIdClaim and lti13UserIdClaimProperty fields and attempts to use the attribute based on these values.
Rules for configuring the lti13UserIdClaim and lti13UserIdClaimProperty
- To make sure Kaltura uses the lti13UserIdClaim and lti13UserIdClaimProperty, the ltiUserIdAttribute value should be blank.
- When configuring the lti13UserIdClaim, you need to use the full claim URL displayed in the LTI launch, for example, https://purl.imsglobal.org/spec/lti/claim/custom
- lti13UserIdClaim must have a valid value in order for lti13UserIdClaimProperty to be used.
- lti13UserIdClaimProperty should be the exact value as it appears in the JWT, for example, custom_username
Inspecting the LTI 1.1 Launch
The following steps are for use with Google Chrome.
Your browser inspect layout may be different than the images below.
- Log into your LMS as a user enrolled in a course.
- Launch the Kaltura My Media tool.
- Launch the browser developer tools also referred to as the browser inspect.
- In the browser inspect tool click on the Network tab.
- Click on the clear icon to clear the inspect window.
- In the browser inspect tool filter box, enter my-media.
- Refresh the browser window where My Media is displayed. The inspect window should populate with information regarding the My Media launch.
- In the browser inspect tool Name column click on my-media. A frame will open with the launch information.
- Click on the Payload tab to see all the attributes that are passed from the LMS during the launch.
- Scroll down to find the attribute that contains the user ID value you want to use.
Do not use an account that uses the same user id as a Kaltura KMC (Kaltura Management Console) account.
Inspecting the LTI 1.3 launch
The following steps are for use with Google Chrome.
Inspecting the LTI 1.3 launch requires a tool to decode the ID token (a JWT) sent in the oauth2 launch request. There are two options:
Option 1
- Log into your LMS as a user enrolled in a course.
Do not use an account that uses the same user id as a Kaltura KMC (Kaltura Management Console) account.
- Launch the Kaltura My Media tool.
- Launch the browser developer tools also referred to as the browser inspect.
- In the browser inspect tool click on the Network tab.
- Click on the clear icon to clear the inspect window.
- In the browser inspect tool filter box, enter oauth2.
- Refresh the My Media page displayed in the browser.
- In the browser inspect tool name column, click on oauth2. A frame will open with the launch information.
- Click on the Payload tab to display the encoded ID token.
- Place your cursor in the Payload frame and right click your mouse.
- Click the Copy Value button that is displayed.
- In a separate browser tab go to https://jwt.io.
- On the jwt.io Debugger page, clear the Encoder frame, then paste in the ID token payload you copied in steps 9 and 10.
- The decoded payload will be displayed in the right-hand frame.
- Scroll down to find the Claim and Property values you want to use.
Option 2
In order to use this option, you will need to add the LTI Debugger extension to Google Chrome, which is available on the Google Chrome Web Store.
- Log into your LMS as a user enrolled in a course.
Do not use an account that uses the same user id as a Kaltura KMC (Kaltura Management Console) account.
- Launch the Kaltura My Media tool.
- Launch the browser developer tools also referred to as the browser inspect function.
- In the browser inspect tool click on the LTI Debugger tab.
- Click on the clear icon to clear the inspect window.
- Refresh the My Media page displayed in the browser.
- In the browser developer tool click on the green Launch button that is now displayed.
- A frame will open and the LTI Claims and Properties attributes are displayed under the Request section.
- Click on the arrow icon or the … to expand a Claim and view the properties.
- Scroll down to find the Claim and Property values you want to use.
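An offline way to do the decoding step from Option 1 and to preview which value the Order of operations rules would select, so the ID token never leaves your machine. This is an added example, not Kaltura code: the function names are hypothetical, the sample token is constructed, and it assumes that ltiUserIdAttribute is looked up as a top-level claim name and that a blank lti13UserIdClaimProperty means the claim itself is a string.

```python
import base64
import json

CUSTOM = "https://purl.imsglobal.org/spec/lti/claim/custom"  # claim URL from the page


def decode_jwt_payload(token):
    """Decode (without verifying the signature) the payload of a compact JWT."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("expected three dot-separated JWT segments")
    segment = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(segment))


def candidates(claims):
    """List (claim, property, value) for every string usable as a user ID."""
    found = []
    for claim, value in claims.items():
        if isinstance(value, str):
            found.append((claim, "", value))
        elif isinstance(value, dict):
            found += [(claim, p, v) for p, v in value.items() if isinstance(v, str)]
    return found


def resolve_user_id(claims, lti_user_id_attribute="", claim="", claim_property=""):
    """Order of operations from the page; top-level lookup is an assumption."""
    value = claims.get(lti_user_id_attribute) if lti_user_id_attribute else None
    if isinstance(value, str) and value:
        return value, "ltiUserIdAttribute"
    value = claims.get(claim) if claim else None
    if claim_property:  # property is only consulted when the claim resolved
        value = value.get(claim_property) if isinstance(value, dict) else None
    if isinstance(value, str) and value:
        return value, "lti13UserIdClaim"
    return None, "unresolved"


def _b64url(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


# Constructed sample launch (not a real token; signature is a placeholder).
SAMPLE_CLAIMS = {"sub": "constructed-sub-0001", CUSTOM: {"custom_username": "jdoe"}}
SAMPLE_TOKEN = ".".join([_b64url({"alg": "RS256"}), _b64url(SAMPLE_CLAIMS), "c2ln"])

if __name__ == "__main__":
    launch = decode_jwt_payload(SAMPLE_TOKEN)
    for row in candidates(launch):
        print(row)
    print(resolve_user_id(launch, claim=CUSTOM, claim_property="custom_username"))
```

Replace SAMPLE_TOKEN with the value copied from the Payload tab to list the claims in your own launch. The signature is not checked here, so use the output for inspection only.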