UsingWW: Ubuntu 24.04 + WW 2.19 + Apache + Canvas LTI 1.3 + Shibboleth Issues

I'm working on building an updated WW server and have run into a couple of issues.

1) Course Selection within Canvas is not showing the Context ID (See photo 1a below)

I don't see anything that is obviously wrong, and while debug_lti_parameters is enabled, there are no relevant logs in webworks2.log

At this point, I have not been able to map the LTI parameters, so I'm not sure if that is related.

2) Shibboleth Auth is successfully working within Apache and the provider, but WW is not thinking it is signed in.

I believe this issue is within the Apache RequestHeader set field and the user_id mapping, but I'm having difficulty diagnosing where the disconnect is.

If I have my Shibboleth attribute ID set to "userprincipalname" and my $shibboleth{mapping}{user_id} set to "upn". How does my Apache config need to look?

Any help would be appreciated!

Re: Ubuntu 24.04 + WW 2.19 + Apache + Canvas LTI 1.3 + Shibboleth Issues

by Danny Glin - Friday, 30 May 2025, 12:51 PM

By default each external authentication module that you enable is set to be the only one that is active, so if you want both LTI and Shibboleth authentication you will need to tell WeBWorK that both should be checked.

In localOverrides.conf you will need to add the following somewhere after the LTI and Shibboleth authentication sections:

$authen{user_module} = [

'WeBWorK::Authen::LTIAdvantage',

'WeBWorK::Authen::Shibboleth',

'WeBWorK::Authen::Basic_TheLastOption'

];

At the very least this should get you some debug information about LTI in the logs.

I don't know much about Shibboleth authentication in WeBWorK, but reading the documentation in the config file it says that you should replace every instance of "uid" in the apache config block with whatever you set $shibboleth{mapping}{user_id} to, so in your case that would be "upn". Also, if I understand Shibboleth authentication correctly you will need to use lazy Shibboleth authentication in order to allow LTI to connect directly to WeBWorK before falling back to Shibboleth.

Re: Ubuntu 24.04 + WW 2.19 + Apache + Canvas LTI 1.3 + Shibboleth Issues

by Spencer Felsted - Friday, 30 May 2025, 4:20 PM

I already have the $authen{user_module} set as you specified in localOverrides.conf.

I have also tried both of these modules individually (by commenting out 'WeBWorK::Authen::*' in '$authen{user_module}' and 'include("conf/authen_*.conf");' in localoverrides.conf)

Alas, still no LTI logs.

I originally had everything set to eppn and had the Shibboleth, Apache, and Webwork configs set accordingly, including replacing all the uid instances, but it wasn't working. So I have now set the names to what we would prefer them to be, and am asking for assistance with how it should be set.

I already have it set to lazy auth as well, so that it should work with the LTI.

2.5)

Sidenote: When I go to a course login, I have not been able to get it to try external auth when I have external_auth=0, it just goes directly to the internal auth page.

Instead, I have been manually going to https://webwork.yourschool.edu/Shibboleth.sso/Login and then also to the variant with the return to variable in order to test. Not sure if this is related or not.

Thank you for your input. I feel like I've been pretty thorough reading through the docs and confs, but here I am.

Re: Ubuntu 24.04 + WW 2.19 + Apache + Canvas LTI 1.3 + Shibboleth Issues

by Danny Glin - Tuesday, 3 June 2025, 11:37 AM

Based on what you're describing it doesn't sound like either of the external authentication modules (LTI or Shibboleth) are being invoked. One thing to try is putting the '$authen{user_module}' variable in the course.conf file for a single course. That is loaded after all of the site-wide config files, so if that variable is being overwritten somewhere else in the config this should take precedence.

On the LTI side, I just want to confirm that you are creating an LTI link in Canvas and not just a regular HTML link. If that is the case then you should see some LTI-related stuff in the logs.

Re: Ubuntu 24.04 + WW 2.19 + Apache + Canvas LTI 1.3 + Shibboleth Issues

by Spencer Felsted - Tuesday, 3 June 2025, 3:36 PM

Okay, after some further testing, it is sending me to Shibboleth on all course login attempts without any changes. I believe I forgot to clear my SSO token before I started testing last time, and didn't see the quick redirect. I have not been able to see it send to LTI for auth, but I'm not sure how exactly that should look. Sorry for the misdirection this caused.

Correct, it is an LTI link within Canvas, but no LTI logs. It is set up with a Developer Key in Canvas that has the Course Selection and Assignment Selection components assigned and configured as described in the LTI 1.3 doc. I am not the Canvas Admin, but I have gotten assurances from them that the Canvas side is set up correctly.

Re: Ubuntu 24.04 + WW 2.19 + Apache + Canvas LTI 1.3 + Shibboleth Issues

by Spencer Felsted - Thursday, 12 June 2025, 2:26 PM

Following up to clarify that both auth methods are still not working.

1) The authenticated SSO user is not being handed back to Webwork.

2) LTI 1.3 is enabled and configured with debug enabled, yet no logs related to the LTI are present.

Re: Ubuntu 24.04 + WW 2.19 + Apache + Canvas LTI 1.3 + Shibboleth Issues

by Danny Glin - Wednesday, 18 June 2025, 2:28 PM

At least for LTI authentication it sounds like there is not actually an LTI request making it through. This means that most likely either Canvas is not sending an LTI request, or WeBWorK is not configured to receive it.

Have you tried manually creating an LTI link to a WeBWorK course in Canvas rather than using the content selection tool? If this still doesn't work, then I'd say try what I previously suggested with enabling LTI authentication for a single course.

Re: Ubuntu 24.04 + WW 2.19 + Apache + Canvas LTI 1.3 + Shibboleth Issues

by Spencer Felsted - Thursday, 19 June 2025, 8:05 PM

I had not tried manual yet, but here is my current test with no results:

- Manually created links with both of these formats:
-> https://webwork.yourschool.edu/webwork2/coursename
-> https://webwork.yourschool.edu/webwork2/coursename/assignmentname
- $authen{user_module} in localOverrides as the last variable set (after the includes for the authen_ configs)
- $authen{user_module} also copied to the end of a course config in my test course

When using manually created links for my test course, it opens WebWork (https://webwork.utahtech.edu/webwork2/ltiadvantage/login) and shows the internal sign-in page with no additional entries in the log.