Secure LTI 1.1 to LTI 1.3 Migration Results in Duplicate User Creation




 

Date Published: Jul 27, 2024

Category: Planned_First_Fix_Release:Learn_9_1_3900_95_0_Release; Product:Blackboard_Learn_MH,Blackboard_Learn_SaaS,Blackboard_Learn_Software; Version:Learn_9_1_3900_84_0,Learn_9_1_3900_86_0,Learn_9_1_3900_89_0,Learn_9_1_3900_91_0,Learn_9_1_3900_93_0,Learn_9_1_3900_95_0,SaaS

Article No.: 000078686

Product: Learn SaaS

Release: 9.1;SaaS

Service Pack(s): 3900.84.0, 3900.86.0, 3900.89.0, 3900.91.0, 3900.93.0, 3900.95.0, SaaS

Description: The security fix for LTI 1.1 to LTI 1.3 conversion adds not only oauth_consumer_key_sign but also a new user_id parameter that is passed in the 1p1 claim. The user_id is meant to be passed only if the sub from LTI 1.3 differs from the existing user_id values that were passed before in LTI 1.1. Learn is now passing the same user_id values for sub and user_id between LTI 1.1 and LTI 1.3. This results in duplicate user creation in the tool provider system.

Steps to Replicate:

  1. Check the LTI 1.3 launch of content that has been converted from LTI 1.1 from Blackboard Learn.
  2. Observe that Learn is now passing a 'userId' claim in the new 1p1 claim that was not being passed previously.
  3. Observe that duplicate users are created in the tool provider system
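
A tool-side account lookup that tolerates the behaviour described above, as an added example that is not Blackboard's or any tool vendor's code: it trusts the 1p1 claim only when oauth_consumer_key_sign verifies against the LTI 1.1 secret (base string order as defined in the 1EdTech LTI 1.3 migration specification), and treats a user_id equal to sub the same as an absent one. The function names, the in-memory dictionaries and the sample values are assumptions, and the id_token is assumed to be already validated.

```python
import base64
import hashlib
import hmac

LTI1P1 = "https://purl.imsglobal.org/spec/lti/claim/lti1p1"
DEPLOYMENT = "https://purl.imsglobal.org/spec/lti/claim/deployment_id"


def migration_signature(claims, consumer_key, secret):
    """Compute oauth_consumer_key_sign for a launch (HMAC-SHA256, base64)."""
    aud = claims["aud"]
    client_id = aud[0] if isinstance(aud, list) else aud
    base = "&".join([consumer_key, claims[DEPLOYMENT], claims["iss"],
                     client_id, str(claims["exp"]), claims["nonce"]])
    mac = hmac.new(secret.encode(), base.encode(), hashlib.sha256).digest()
    return base64.b64encode(mac).decode()


def resolve_user(claims, legacy_users, lti13_users, secrets):
    """Map a validated launch to exactly one account; returns (account, how)."""
    ident = (claims["iss"], claims["sub"])
    if ident in lti13_users:
        return lti13_users[ident], "existing"
    lti1p1 = claims.get(LTI1P1) if isinstance(claims.get(LTI1P1), dict) else {}
    key = lti1p1.get("oauth_consumer_key")
    sign = str(lti1p1.get("oauth_consumer_key_sign", ""))
    trusted = isinstance(key, str) and key in secrets and hmac.compare_digest(
        sign.encode(), migration_signature(claims, key, secrets[key]).encode())
    account = None
    if trusted:
        # user_id is expected only when it differs from sub, so an absent value
        # and a value equal to sub both mean "sub is the LTI 1.1 user_id".
        legacy_id = lti1p1.get("user_id") or claims["sub"]
        account = legacy_users.get((key, legacy_id))
    how = "linked" if account is not None else "created"
    if account is None:
        account = {"name": None}  # placeholder for a newly provisioned account
    lti13_users[ident] = account
    return account, how


if __name__ == "__main__":
    # Constructed launch in which user_id repeats sub.
    c = {"iss": "https://learn.example.edu", "aud": "client-1", "sub": "u-42",
         "exp": 1722100000, "nonce": "n-1", DEPLOYMENT: "dep-1"}
    c[LTI1P1] = {"oauth_consumer_key": "ck-demo", "user_id": "u-42",
                 "oauth_consumer_key_sign": migration_signature(c, "ck-demo", "s3cret")}
    legacy = {("ck-demo", "u-42"): {"name": "existing LTI 1.1 account"}}
    print(resolve_user(c, legacy, {}, {"ck-demo": "s3cret"}))
```

A launch whose signature does not verify is never linked to an LTI 1.1 account, so a forged user_id cannot take over an existing user.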

 




Target Release: SaaS - Fixed (v3900.95.0-rel.36 or higher)