LON-CAPA Help


LTI (Learning Tool Interoperability) Provider functionality can be used to enforce deep-link only access to specific LON-CAPA course folder(s) or resource(s), via External Tool launch in a different learning management system.

To support this, the following can be set in a domain:

LTI employs a shared key and secret which the launcher (LTI Consumer) and the target (LTI Provider) will store locally. The key will be included in the (signed) payload of a request created by the Consumer and sent to the Provider on launch. The Provider will use the key and secret to verify that the contents of the payload have not been tampered with in transit. As the payload can include the user's identity, which LON-CAPA can be configured to use to establish a session for that user, it is important that the secret for a particular LTI launch item remain private. To assist with that, LON-CAPA offers the option to encrypt a secret when storing it on a domain's library server.

Accordingly, an encryption key can be set on the primary library server in a LON-CAPA domain. That encryption key will be used to encrypt a shared secret when storing it, and to decrypt it when it needs to be used to verify payload integrity.

Link Protection

Link protection credentials can be configured at a domain level (by a Domain Coordinator), or at a course level (by a Course Coordinator), and the option is available to encrypt secret(s) at either or both of those levels.

Rules can be established for length and types of characters required in any secret assigned to a launch item.

Link Protectors configured in a domain are numbered incrementally (starting at 1).

For each Link Protector the following need to be specified:

The Launcher Name is used to identify an option shown in the "domain LTI launch" drop-down list when setting a value for the deeplink parameter in the Parameter Manager in a course. Its value can be changed without impacting the behavior of the link, as LON-CAPA internally stores the launcher item associated with a deep-link using the unique numeric identifier assigned to the launcher item when it was first created.

The LTI Version will be 1.1. It is expected that newer versions will also be supported in the future.

A short Nonce lifetime limits the window in which a captured launch request could be replayed to circumvent the link protection provided by LTI. There should not be a need to change the default of 300s.

The Key and Secret should be kept secure, and will be needed when configuring the "External Tool" item in the other system which is linking to LON-CAPA. Once a Secret has been saved for a particular launcher, LON-CAPA will not display it again, so it is recommended to make a note of it, so it can be used in the other system. To change an existing Secret, select "Yes" for "Change?" to make a textbox available for entering the new Secret. Note: the Key and Secret can only be submitted from a session on a domain's primary library server, so if your session is on a different LON-CAPA server, a link to switch server will be shown in place of the textboxes for those two items.

For each Link Protector there will also be a Yes/No option: Use identity?. If 'Yes' is selected then two (optional) settings can be specified:

Deciding what to select as the source of the username requires knowing what the other learning system sends in the LTI Request. Ideally, the other system will provide a preview feature that instructors can use to display the items included in a launch request, and the values set for them. In LON-CAPA, selecting "User ID" for the username source indicates the username will be whatever was assigned to the "lis_person_sourcedid" parameter, whereas selecting "Email address" means the username will be whatever was assigned to the "lis_person_contact_email_primary" parameter by the launch system. If neither of those is appropriate then "Other" can be selected, and the appropriate parameter name in the LTI Request can be entered in the textbox.
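The key/secret signing, the nonce lifetime and the username-source selection described above, as an added example (not LON-CAPA's own code): an LTI 1.1 Consumer signs the launch with OAuth 1.0a HMAC-SHA1, and a Provider checks the key, the timestamp against the 300s lifetime, a nonce cache for replays, and the signature before reading the username from the configured parameter. Key, secret, URL and user values are constructed; the student-role check the page describes is not included.

```python
import base64, hashlib, hmac, secrets, time
from urllib.parse import quote
NONCE_LIFETIME = 300  # seconds; the page's default nonce lifetime

def pct(s):
    return quote(str(s), safe="-._~")  # RFC 3986 encoding as used by OAuth 1.0a

def signature(method, url, params, secret):
    # HMAC-SHA1 over the OAuth base string; oauth_signature itself is excluded
    pairs = sorted((pct(k), pct(v)) for k, v in params.items()
                   if k != "oauth_signature")
    norm = "&".join(f"{k}={v}" for k, v in pairs)
    base = "&".join([method.upper(), pct(url), pct(norm)])
    key = (pct(secret) + "&").encode()  # LTI 1.1 has no token secret
    digest = hmac.new(key, base.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()

def consumer_launch(url, key, secret, user_params, now=None):
    # The signed POST body an LTI Consumer sends to the /adm/launch endpoint
    params = dict(user_params, lti_message_type="basic-lti-launch-request",
                  lti_version="LTI-1p0", oauth_consumer_key=key,
                  oauth_signature_method="HMAC-SHA1", oauth_version="1.0",
                  oauth_timestamp=str(int(now or time.time())),
                  oauth_nonce=secrets.token_hex(16))
    params["oauth_signature"] = signature("POST", url, params, secret)
    return params

class Provider:
    # Verifies launches for one Link Protector (one key/secret pair)
    def __init__(self, key, secret, username_param="lis_person_sourcedid"):
        self.key, self.secret, self.username_param = key, secret, username_param
        self.seen = {}  # nonce -> timestamp, kept for NONCE_LIFETIME

    def verify(self, url, params, now=None):
        now = now or time.time()
        if params.get("oauth_consumer_key") != self.key:
            return None, "unknown key"
        ts = int(params.get("oauth_timestamp", 0))
        if abs(now - ts) > NONCE_LIFETIME:
            return None, "stale timestamp"
        self.seen = {n: t for n, t in self.seen.items() if now - t <= NONCE_LIFETIME}
        nonce = params.get("oauth_nonce")
        if nonce in self.seen:
            return None, "replayed nonce"
        expected = signature("POST", url, params, self.secret)
        if not hmac.compare_digest(expected, params.get("oauth_signature", "")):
            return None, "bad signature"
        self.seen[nonce] = ts
        return params.get(self.username_param), "ok"
```

Any edit to a signed field (for example the username) or an out-of-window timestamp is rejected before the username is trusted.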

A username will only be accepted from the launch data for session creation in LON-CAPA if the corresponding user has already been assigned a student role, and no privileged role(s), in the target course in LON-CAPA. If that condition is not met, the launch can either be stopped, or the LON-CAPA login page can be displayed to allow the user to authenticate. The second of those is the same behavior as seen if "No" had originally been selected for "Use identity?".

Unlike LON-CAPA, other learning systems do not typically support multiple domains. As a result when creating a user session based on a username included in the launch payload, the implicit assumption is made that the user's domain in LON-CAPA is the same as the course's domain.

Although the 'Use identity?' option may be set to 'Yes' for a Link Protector item configured in a domain, whether or not the username included in launch data will be accepted in a particular course can be controlled on a course-by-course basis by a Domain Coordinator.

The "Course/Community defaults" item includes a Yes/No option for: "Student username in LTI launch of deep-linked URL can be accepted without re-authentication". A Domain Coordinator can use: Main Menu > Set domain configuration > View or modify a course or community to select a course, and then use the "View/Modify re-authentication requirement for LTI launch of deep-linked item" link to override the domain default for a specific course.

In the case where usernames are not accepted from the launch payload, then each user will need to authenticate using the standard LON-CAPA username and password after the signed payload has been verified. After authentication the user's LON-CAPA session will still be recorded as having been launched from the deep-link target URL, as long as the access control setting for the deeplink parameter for the corresponding resource, or enclosing map/folder, is configured to support launch from the external system which provided the signed payload.

The endpoint LON-CAPA URL specified in the "External Tool" item in the other system will be composed of the following components: protocol or scheme (i.e., http or https), ://, hostname, /adm/launch, and the "tiny URL" path to the target resource or folder. If the LON-CAPA domain expects all access via a single server (i.e., a LON-CAPA load-balancer/portal node), then the hostname used should be the one assigned to the load-balancer.

As the key and secret used for launch items (either in a course or a domain) will be unavailable to LON-CAPA nodes belonging to a different LON-CAPA domain, if LTI link protection is to be used for deep-linked items, it is a requirement that the endpoint URL include the hostname of a LON-CAPA server in the course's domain.

Following the hostname, the remainder of the URL will have the format:

/adm/launch/tiny/$domain/uniqueID

where /tiny/$domain/uniqueID is a shortened URL, unique to the particular folder or resource in the specific course.

Course Coordinators can generate shortened URLs for items in a course by using: Course Editor > Content Utilities > "Display/Set Shortened URLs for Deep-linking"; see the Short URLs section.