Date Published: Jul 27, 2024
Category: Planned_First_Fix_Release:Learn_9_1_3900_95_0_Release; Product:Blackboard_Learn_MH,Blackboard_Learn_SaaS,Blackboard_Learn_Software; Version:Learn_9_1_3900_84_0,Learn_9_1_3900_86_0,Learn_9_1_3900_89_0,Learn_9_1_3900_91_0,Learn_9_1_3900_93_0,Learn_9_1_3900_95_0,SaaS
Article No.: 000078686
Product: Learn SaaS
Release: 9.1;SaaS
Service Pack(s): 3900.84.0, 3900.86.0, 3900.89.0, 3900.91.0, 3900.93.0, 3900.95.0, SaaS
Description: The security fix for LTI 1.1 to LTI 1.3 conversion adds not only oauth_consumer_key_sign but also a new user_id parameter, which is passed in the 1p1 claim. The user_id is only meant to be passed if the sub from LTI 1.3 differs from the user_id that was passed before in LTI 1.1. Learn is now passing the same value for sub and user_id between LTI 1.1 and LTI 1.3. This results in duplicate user creation in the tool provider system.
Steps to Replicate:
- Check the LTI 1.3 launch of content that has been converted from LTI 1.1 in Blackboard Learn.
- Observe that Learn is now passing a 'userId' claim in the new 1p1 claim that was not being passed previously.
- Observe that duplicate users are created in the tool provider system.
Target Release: SaaS - Fixed (v3900.95.0-rel.36 or higher)
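
The check from the replication steps can be scripted on the tool side. The following is an added example, not Blackboard's code: it decodes a captured LTI 1.3 id_token payload for inspection only (no signature verification) and classifies how the 1p1 claim relates to sub. The claim URI is the name used in the 1EdTech LTI 1.3 migration specification; the function names, labels and sample tokens are constructed for illustration.

```python
import base64
import json

# Claim name from the 1EdTech LTI 1.3 migration spec (the page calls it "the 1p1 claim").
LTI1P1_CLAIM = "https://purl.imsglobal.org/spec/lti/claim/lti1p1"


def decode_payload(id_token: str) -> dict:
    """Decode a JWT payload for inspection only; the signature is NOT verified."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS with three segments")
    segment = parts[1]
    padded = segment + "=" * (-len(segment) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(padded))


def classify_launch(claims: dict) -> str:
    """Classify how the lti1p1 migration claim relates to 'sub'."""
    lti1p1 = claims.get(LTI1P1_CLAIM)
    if not isinstance(lti1p1, dict):
        return "no-lti1p1-claim"
    # The page writes both 'user_id' and 'userId'; accept either spelling.
    legacy_id = lti1p1.get("user_id", lti1p1.get("userId"))
    if legacy_id is None:
        return "user_id-omitted"      # legacy id is the same as sub
    if legacy_id == claims.get("sub"):
        return "user_id-redundant"    # the behaviour this article reports
    return "user_id-differs"          # legitimate 1.1 -> 1.3 id mapping


def make_sample_token(sub, lti1p1) -> str:
    """Build a constructed, unsigned sample token (placeholder signature)."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    claims = {"sub": sub}
    if lti1p1 is not None:
        claims[LTI1P1_CLAIM] = lti1p1
    return ".".join([enc({"alg": "RS256"}), enc(claims), "c2ln"])


if __name__ == "__main__":
    # Constructed samples: same 'sub', four shapes of the 1p1 claim.
    for lti1p1 in (None, {"oauth_consumer_key_sign": "x"}, {"user_id": "u-1"}, {"user_id": "old-7"}):
        print(classify_launch(decode_payload(make_sample_token("u-1", lti1p1))))
```

A launch classified as `user_id-redundant` matches the behaviour described in this article; production code must verify the id_token signature before trusting any claim.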