Overview
With the Kaltura LMS integration, user ID records are passed from the LMS to Kaltura in the LTI Launch. When using LTI 1.1 as the authentication method value (KAF>Hosted>authMethod=lti) for Kaltura, admins can use the Kaltura Application Framework (KAF) Hosted module's "ltiUserIdAttribute" field to set the value for which LTI attribute to use for the user ID value.
With LTI 1.3 the user ID attribute is in the form of a JWT claim key/value pair in a JSON object. In certain cases, the desired LTI attribute may be a nested claim instead of a simple string claim at the first level.
Kaltura has introduced two new fields to the KAF Hosted module that allow admins to set which claim key/value pair to use for the username value in KAF. The fields are exposed when "authMethod" is set to LTI 1.3 (KAF>Hosted>authMethod=lti1.3).
lti13UserIdClaim - The LTI Claim from which the user ID should be taken.
lti13UserIdClaimProperty - The property from the claim from which the user ID should be taken.
Which KAF Fields to Use
With LTI 1.1, the user ID value is controlled by the KAF>Hosted>ltiUserIdAttribute field.
With LTI 1.3, the user ID value is controlled by either using the KAF>Hosted>ltiUserIdAttribute field, or the lti13UserIdClaim / lti13UserIdClaimProperty fields.
IMPORTANT!
In order to use the lti13UserIDClaimProperty, the lti13UserIdClaim field must be populated. Make sure to read the Order of Operations section below.
Why Is This Important?
In Kaltura many data objects include a reference to user ID. These include:
- Entry owner
- Playlist owner
- Entry co-publishers
- Entry co-editors
- Entry co-viewers
- Entry cue points
- Category and channel owners
- Category members (includes channel subscribers)
- Groups members
- Analytics
- Comments
IMPORTANT! During the initial implementation of Kaltura, it is important that your organization determine which LTI attribute should be used for user ID. When upgrading from LTI 1.1 to LTI 1.3, it is very important to make sure that the attribute that has been used with LTI 1.1 is still available or contains the same value in LTI 1.3.
Determining the Correct LTI Attribute
The LTI specification uses user_id as the default attribute for the user ID value. However, in most cases this attribute does not contain a value that is in a format that is Kaltura admin or user friendly.
Kaltura has included in the KAF instance for each LMS type a default value for the ltiUserIdAttribute and the lti13UserIdClaim and lti13UserIdClaimProperty fields depending on the type of KAF and whether your KAF is configured to use LTI 1.1 or LTI 1.3. If the LTI attribute listed as the value in these fields is not creating user ID values that your organization has decided to use in Kaltura, they can be changed based on what is available in the LTI launch for the Kaltura external learning tools you have implemented with your LMS.
How to Determine Which Attributes Are Available and Which To Use
The LTI attributes that are available for you to use for the user ID value in Kaltura are contained in the LTI launch for each Kaltura tool.
Note: The following steps are for use with the Google Chrome browser when performing the steps in this section. Your steps may be different if a different browser is used.
New Kaltura LMS Integration
- Complete the integration of Kaltura with your LMS.
- Log into your LMS as a user enrolled in a course.
Do not use an account that uses the same user id as a Kaltura KMC (Kaltura Management Console) account. - Launch the Kaltura My Media tool.
If this is the first time that the user has launched a Kaltura tool a message will be displayed requesting you to accept authorization, and a user record will be automatically created in Kaltura. - Login to your KAF Admin Console by going to https://{your_KAF_URL}/admin.
- Click on the Manage Users tab located in the top black bar.
- In the User Management page, locate the user record that was created.
- Evaluate the User ID field to determine if it has the correct format.
- If YES, then you can use the default KAF settings.
- If No, then proceed to the section below on Inspecting the LTI Launch.
After Upgrading from LTI 1.1 to LTI 1.3
- Complete the LTI upgrade process.
- Log into your LMS as a user enrolled in a course.
Do not use an account that uses the same user id as a Kaltura KMC (Kaltura Management Console) account. - Login to your KAF Admin Console by going to https://{your_KAF_URL}/admin. If on logging in you receive a a message requesting you to accept authorization, that is an indicator that you have an issue with user ID matching.
- Click on the Manage Users tab located in the top black bar.
- Locate the user record for the user account you used in step 2.
- Delete the user record in KAF.
Deleting the user record in KAF will not have any effect on existing entries or data records in Kaltura. The LTI integration will automatically create a new user record the next time the user launches one of the Kaltura tools.
- In the User Management page, locate the user record you want to delete.
- Click on the Actions button.
- In the Actions menu, click on Remove from site.
- In the Delete User popup box, click on Yes.
- Launch the Kaltura My Media tool.
- Click on the Manage Users tab located in the top black bar.
- Locate the new user record that was created.
- Evaluate the User ID field to determine if it has the same format as it had with LTI 1.1.
- If YES, then you can use the default KAF settings.
- If No, then proceed to the section on Inspecting the LTI Launch
Order of Operations
Kaltura will first look to see if ltiUserIdAttribute has a value and if not configured or if the attribute that is set as the value is not found within the LTI launch, it checks if the other pair (lti13UserIdClaim/lti13UserIdClaimProperty) are configured and will attempt to use the attribute based on the values for these fields.
Rules for Configuring the lti13UserIdClaim and lti13UserIdClaimProperty
- To make sure Kaltura uses the lti13UserIdClaim and lti13UserIdClaimProperty the ltiUserIdAttribute value should be blank.
- When configuring the lti13UserIdClaim you need to use the full claim URL displayed in the LTI launch. ex. https://purl.imsglobal.org/spec/lti/claim/custom
- ltiUserIdClaim must have a valid value in order for lti13UserIdClaimProperty to be used.
- ltiUserIdClaimProperty should be the exact value as it appears in the JWT.
ex. custom_username
Inspecting the LTI 1.1 Launch
The following steps are for use with Google Chrome. Note, your browser inspect layout may be different than the images below.
- Log into your LMS as a user enrolled in a course.
Do not use an account that uses the same user id as a Kaltura KMC (Kaltura Management Console) account. - Launch the Kaltura My Media tool.
- Launch the browser developer tools also referred to as the browser inspect.
- In the browser inspect tool click on the Network tab.
- Click on the Clear button to clear the inspect window.
- In the browser inspect tool filter box enter my-media.
- Refresh the browser window where My Media is displayed. The inspect window should populate with information regarding the My Media launch
- In the browser inspect tool Name column click on my-media.
A frame will open with the launch information. - Click on the Payload tab to see all the attributes that are passed from the LMS during the launch.
- Scroll down to find the attribute that contains the user ID value you want to use.
Inspecting the LTI 1.3 Launch
The following steps are for use with Google Chrome.
Inspecting the LTI 1.3 launch will require using tools to decrypt oauth2-launch. There are two options.
Option 1:
- Log into your LMS as a user enrolled in a course.
Do not use an account that uses the same user id as a Kaltura KMC (Kaltura Management Console) account. - Launch the Kaltura My Media tool.
- Launch the browser developer tools also referred to as the browser inspect.
- In the browser inspect tool click on the Network tab.
- Click on the Clear button to clear the inspect window.
- In the browser inspect tool filter box enter oauth2.
- Refresh the My Media page displayed in the browser.
- In the browser inspect tool Name column click on oauth2.
A frame will open with the launch information. - Click on the Payload tab to display the encrypted Id token.
- Place your cursor in the Payload frame and right click your mouse.
- Click the Copy Value button that is displayed.
- In a separate browser tab go to https://jwt.io.
- On the jwt.io Debugger page clear the Encoder frame and paste in the id token payload that your copied in steps 9 and 10.
- The decrypted payload will be displayed in the right-hand frame.
- Scroll down to find the Claim and Property values you want to use.
Option 2:
In order to use this option, you will need to add the LTI Debugger extension to Google Chrome which is available on the Google Chrome Web Store.
- Log into your LMS as a user enrolled in a course.
Do not use an account that uses the same user id as a Kaltura KMC (Kaltura Management Console) account. - Launch the Kaltura My Media tool.
- Launch the browser developer tools also referred to as the browser inspect function.
- In the browser inspect tool click on the LTI Debugger tab.
- Click on the Clear button to clear the inspect window.
- Refresh the My Media page displayed in the browser.
- In the browser developer tool click on the green Launch button that is now displayed.
- A frame will open and the LTI Claims and Properties attributes are displayed under the Request section.
- Click on the arrow icon or the … to expand a Claim and view the properties.
- Scroll down to find the Claim and Property values you want to use.