Allure Connect
Standards||11 min read

LTI 1.3 Integration Guide for Content Providers

Learning Tools Interoperability (LTI) is the standard that connects external tools and content to Learning Management Systems. If you are a content provider, training company, or platform like AllureConnect that hosts learning content, LTI is how you integrate deeply with your customers’ LMS platforms — launching content, passing grades, and syncing rosters without custom API work for each LMS.

LTI 1.3, released by IMS Global (now 1EdTech), is a major overhaul of the protocol. This guide covers everything you need to know to implement it.

Why LTI 1.3 Replaced LTI 1.1

LTI 1.1 used OAuth 1.0a for authentication — shared secrets, signature base strings, and HMAC-SHA1 signing. It worked, but it had significant security weaknesses:

  • Shared secrets were often transmitted insecurely during setup.
  • OAuth 1.0a signature validation was error-prone, leading to implementation bugs across LMS platforms.
  • There was no standard way to make service calls back to the LMS (for grade passback, roster sync, etc.) beyond basic outcomes.

LTI 1.3 replaces all of this with modern security standards:

  • OAuth 2.0 for service-to-service authentication.
  • JSON Web Tokens (JWTs) for message signing and verification.
  • Public/private key pairs instead of shared secrets. Keys are published via JWKS (JSON Web Key Set) endpoints.
  • OpenID Connect for the launch flow, providing a well-understood, battle-tested authentication pattern.

Key Concepts

Platform and Tool

In LTI terminology, the Platform is the LMS (Moodle, Canvas, Blackboard, etc.) and the Tool is the external application (AllureConnect, in this case). The Platform initiates launches, and the Tool receives them and serves content.

Deployment

A deployment represents a specific installation of a Tool within a Platform. One Tool can have multiple deployments across different Platform instances. Each deployment has its own configuration: client ID, deployment ID, and associated key pairs.

Message Types

LTI 1.3 defines several message types. The two most important are:

  • LtiResourceLinkRequest — the standard launch message. The Platform sends the learner to the Tool with context about who they are, what course they are in, and what resource they are launching.
  • LtiDeepLinkingRequest — used when an instructor wants to browse and select content from the Tool to embed in their course.

The LTI 1.3 Launch Flow

An LTI 1.3 launch follows the OpenID Connect third-party login flow:

  1. Platform initiates login: the Platform sends a POST or GET request to the Tool’s login_url with parameters including iss (issuer), login_hint, target_link_uri, and an optional lti_message_hint.
  2. Tool redirects to auth endpoint: the Tool validates the request, generates a state and nonce, and redirects the browser to the Platform’s authorization endpoint with an OpenID Connect authentication request.
  3. Platform returns ID token: the Platform authenticates the user, creates a signed JWT (the ID token) containing LTI claims (user identity, course context, resource link, roles), and POSTs it back to the Tool’s redirect_uri.
  4. Tool validates and launches: the Tool verifies the JWT signature using the Platform’s JWKS endpoint, checks the nonce and state, extracts the LTI claims, and serves the appropriate content.

Deep Linking

Deep Linking lets instructors browse a catalog of content from the Tool without leaving their LMS. When the Platform sends an LtiDeepLinkingRequest, the Tool presents a content picker UI. The instructor selects one or more resources, and the Tool returns LtiDeepLinkingResponse messages containing resource links that the Platform embeds in the course.

For AllureConnect, this means instructors can browse your hosted SCORM packages, select one, and have it appear as an activity in their LMS course — all without manually copying URLs or configuring launch parameters.

Assignment and Grade Services (AGS)

AGS is the LTI 1.3 service that replaces the old Basic Outcomes service. It allows the Tool to:

  • Create line items (grade columns) in the Platform’s gradebook.
  • Post scores for individual learners, including numeric grades, activity progress, and completion status.
  • Read existing scores to avoid overwriting manual grade adjustments.

When a learner completes a SCORM course in AllureConnect, the platform can automatically push the score back to the LMS gradebook via AGS. This closes the loop: content launches from the LMS, tracking happens in AllureConnect, and grades flow back to the LMS.

Step-by-Step Registration

To register AllureConnect as an LTI 1.3 tool in your LMS:

  1. Get AllureConnect’s platform configuration. From your AllureConnect dashboard, navigate to Settings → LTI Configuration. You will find:
    • JWKS URL (public key endpoint)
    • Authorization redirect URL
    • Login initiation URL
    • Client ID
    • Deep Linking URL
  2. Register in your LMS admin panel. In Canvas, go to Admin → Developer Keys → LTI Key. In Moodle, go to Site Administration → Plugins → External Tool → Manage Tools. In Blackboard, go to System Admin → LTI Tool Providers. Enter AllureConnect’s configuration values.
  3. Configure the deployment. After registration, the LMS provides a deployment ID and its own JWKS URL. Enter these back in AllureConnect’s LTI settings to complete the handshake.
  4. Test the launch. Create a test activity in your LMS that links to an AllureConnect package. Launch it as a student to verify the content loads, tracking works, and grades pass back correctly.

Names and Roles Provisioning Service (NRPS)

NRPS allows the Tool to request a list of users enrolled in a course from the Platform. This enables AllureConnect to:

  • Pre-populate learner records before content is launched.
  • Show instructors a roster view with completion status for each student.
  • Sync role information (student, instructor, TA) for access control.

NRPS is an optional LTI 1.3 service — not all Platforms support it. When available, it eliminates the need for manual CSV imports or SCIM provisioning.

Security Considerations

  • Always validate JWT signatures against the Platform’s JWKS endpoint. Never skip signature verification, even in development.
  • Check the nonce to prevent replay attacks. Store used nonces for at least the token’s lifetime.
  • Require HTTPS for all endpoints. LTI 1.3 transmits authentication tokens and personal data; unencrypted transport is unacceptable.
  • Validate the issuer and audience claims in every JWT. A token from one Platform must not be accepted for another.
  • Rotate keys periodically. Publish new keys in your JWKS endpoint before retiring old ones to avoid service disruption.

LTI 1.3 vs Content Dispatch: When to Use Which

AllureConnect supports both LTI 1.3 and content dispatch for distributing content to external LMS platforms. The choice depends on your integration depth:

ConsiderationLTI 1.3Content Dispatch
Setup complexityHigher (key exchange, registration)Lower (upload ZIP to LMS)
Grade passbackAutomatic via AGSVia SCORM runtime in LMS
Content selectionDeep Linking in LMSManual package management
Roster syncNRPS (if supported)Not available
Best forDeep LMS integration, grade syncLightweight distribution, many LMSs

For most content providers, starting with content dispatch and adding LTI 1.3 for key accounts that need grade passback is a practical approach.

Ready to try AllureConnect?

Start hosting SCORM content in minutes with a free sandbox account. No credit card required.

Start free View pricing

Related Articles

Standards

xAPI vs SCORM: Understanding Modern Learning Standards

Compare xAPI (Experience API) and SCORM side by side. Understand when to use each standard, how they differ architecturally, and what migration from SCORM to xAPI looks like in practice.

Read Standards

What is cmi5? The Next Generation of SCORM

Learn about cmi5, the modern learning standard that combines xAPI flexibility with LMS launch control. Understand how it differs from SCORM and when to adopt it.

Read
Back to all resources