Security Update and Deprecation Schedule for Early Versions of LTI
UPDATED JUNE 2021
After June 30, 2021, 1EdTech will no longer certify or recertify legacy versions of LTI and will no longer support legacy LTI implementations.
All support for LTI versions 1.0, 1.1, 1.1.1, 1.1.2, 1.2, and 2.0 will end on June 30, 2022.
All institutions and suppliers should adopt LTI 1.3 and LTI Advantage for teaching and learning integration to receive its many benefits.
In collaboration with 1EdTech members, the 1EdTech Security Framework was published in May 2019. The Security Framework is based upon the OAuth 2.0 and OpenID Connect specifications. This framework adopts state-of-the-art security techniques and best practices and includes protection against known potential issues such as Cross-Site Request Forgery (CSRF). A number of 1EdTech specifications have already aligned to the Security Framework, in particular, 1EdTech Learning Tools Interoperability® (LTI) 1.3 and LTI Advantage.
In keeping with its commitment to data privacy and security, in February 2018, 1EdTech announced the timeline for the deprecation of the use of SHA-1 with OAuth 1.0a such that no certifications using that approach will be available after 31 December 2019. That announcement had implications for certifications to the LTI 1.0 and 1.1 specifications.
Now, with the publication and adoption of the 1EdTech Security Framework, 1EdTech formally deprecates the use of OAuth 1.0a across all 1EdTech specifications. Therefore, certification to the LTI 1.0, 1.1, 1.2, and 2.0 specifications and related services are being deprecated. See the LTI Support and Deprecation Schedule below.
1EdTech is very pleased that its new Security Framework and the latest LTI Core version 1.3 (a key part of LTI Advantage) based on OAuth 2, JSON web tokens and the Open ID Connect workflow, make LTI Advantage the most secure integration option available.
Retrofitting a Security Update in Early LTI Versions
Transitioning to LTI 1.3 is strongly encouraged, but for organizations that decide not to upgrade LTI versions, 1EdTech is providing a security update for selected legacy versions of LTI. These updated specifications, along with implementation guidance and 1EdTech certification, are designated as 1.0.1 and 1.1.2 and are planned to be available for certification through mid-year 2022. After that time, LTI 1.3 and its successor will be the minimum versions eligible for 1EdTech certification. The LTI Security Update patch document for LTI versions 1.0.1 and 1.1.2 is now available.
The OpenID Connect workflow in LTI Advantage is a step-increase in security protection and involves a substantial change to the trust orchestration between a platform and a tool. Implementers should choose to upgrade to LTI 1.3 and LTI Advantage in concert with these security upgrades because of the many additional feature benefits it provides. LTI 1.3 and the LTI Advantage services are the best options for roadmap planners.
Leading platform and tools suppliers are already LTI Advantage certified or near completion of their certification. Their ability to move forward rapidly was made possible by a fully-functional LTI Advantage Reference Implementation made available to 1EdTech members and the public for use as a design and coding model and a live testing proxy. 1EdTech recommends product suppliers adopt LTI 1.3 and LTI Advantage to achieve their features and security benefits.
1EdTech and its members are committed to the highest levels of privacy, security, and transparency in data handling. Risks cannot be avoided entirely but substantially mitigated through the exercise of due diligence, which includes keeping your learning products up to date with the latest and most secure versions of LTI. 1EdTech staff are poised to help members enhance their security and upgrade to the current versions of LTI. If you are interested in learning more, have questions, or need guidance, we suggest you join a future LTI Roundtable discussion held on the fourth Tuesday of every month. You will find meeting details in the 1EdTech events calendar.
LTI Support and Deprecation Schedule
|LTI Version||Date of the Last New Certification||Date of the Last Recertification||Certification Valid Through*||
|1.0.1||Basic Launch with Updated Security||6/30/2020||06/30/2021||06/30/2022|
|1.1||Basic Outcomes||12/31/2019||06/30/2021||06/30/2022||Deprecated, and related services**|
|1.1.1||Minor update to roles||12/31/2019||12/31/2019||12/31/2020||Deprecated|
|1.1.2||Basic Outcomes with Updated Security||06/30/2020||06/30/2021||06/30/2022|
|1.2||Tool Consumer Profile||12/31/2019||06/30/2021||06/30/2022||Deprecated|
|1.3||LTI Advantage Core (currently LTI 1.3)||Ongoing||Ongoing||Ongoing||Recommended LTI Version|
|2.0||Tool Consumer, Proxy and Auto-Registration||12/31/2019||06/30/2021||06/30/2022||Deprecated|
|*||Certifications and recertifications have a minimum 12-month validity period and therefore may be active and valid for up to 12 months after certification.|
Associated LTI services also to be deprecated: Deep Linking 1.0, Names and Role Provisioning Service 1.0, and Basic Outcomes 1.0.
If you have any questions related to this announcement, please contact 1EdTech at firstname.lastname@example.org.