Technical Basics of LTI 1.3 Integration in Adobe Learning Manager (Article)
Architectural Article: LTI 1.3 Integration within Adobe Learning Manager (ALM)
Executive Summary
Learning Tools Interoperability (LTI) 1.3 enables secure, standards-based integration between Adobe Learning Manager (ALM) and external Learning Management Systems (LMS).
This whitepaper provides an architectural deep dive into how ALM operates as both an LTI Tool Provider and an LTI Consumer, explaining authentication flows, security models,
data exchange, user provisioning, grade synchronization, and enterprise deployment patterns.
The goal is to provide enterprise architects, LMS administrators, and integration engineers with a clear blueprint for designing scalable, secure, multi-LMS ecosystems.
1. Architectural Overview of LTI 1.3
LTI 1.3 is built on modern security standards:
• OAuth 2.0 – Authorization framework
• OpenID Connect (OIDC) – Identity layer
• JSON Web Tokens (JWT) – Secure message format
• JSON Web Key Sets (JWKS) – Public key validation
In an LTI integration, two primary roles exist:
1. Platform (Consumer) – The system initiating the launch.
2. Tool (Provider) – The system hosting the content being launched.
ALM can function in both roles depending on the use case.
High-Level Flow:
1. User clicks course/module in Platform LMS.
2. Platform initiates OIDC login request.
3. Tool validates request.
4. Platform sends signed ID Token (JWT).
5. Tool validates signature using JWKS.
6. Tool provisions user (if necessary).
7. Course launches.
8. Grades optionally return via LTI Advantage (AGS).
2. ALM as LTI Tool Provider (External LMS Launching ALM Content)
Use Case:
An enterprise wants Canvas, Moodle, or Blackboard users to access ALM-hosted courses.
Key Configuration Elements:
Issuer (iss):
Identifies the external LMS tenant uniquely.
Client ID:
Issued by ALM to the LMS during registration. Identifies the LMS platform.
Deployment ID:
Represents a specific integration instance. Allows multiple LMS deployments.
OIDC Login URL:
Entry point for authentication initiation.
Redirect/Launch URL:
Endpoint where ALM receives the signed ID Token.
JWKS URL:
Public key endpoint. The LMS uses ALM's JWKS URL to validate tokens signed by ALM, and ALM uses the LMS's JWKS URL to validate tokens signed by the LMS.
Security Validation Sequence:
• Validate iss claim matches registered platform.
• Validate aud (audience) equals ALM Client ID.
• Validate exp (expiry).
• Validate nonce (anti-replay).
• Validate signature using LMS public key.
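The claim checks in this sequence, as an added Python example (not ALM's implementation). It assumes the ID Token signature has already been verified against the LMS JWKS by a JWT library, and it goes one step beyond the list by also checking the Deployment ID claim. The registration record, the `NonceStore` class and the reason codes are hypothetical names.

```python
import time

# Deployment ID claim URI from the LTI 1.3 core specification.
DEPLOYMENT_CLAIM = "https://purl.imsglobal.org/spec/lti/claim/deployment_id"

# Constructed registration record and launch claims (all values are placeholders).
REGISTRATION = {"issuer": "https://lms.example.edu", "client_id": "alm-client-123",
                "deployment_ids": ["dep-1"]}
SAMPLE_CLAIMS = {"iss": "https://lms.example.edu", "aud": "alm-client-123",
                 "sub": "user-42", "exp": 1_700_000_600, "nonce": "n-abc",
                 DEPLOYMENT_CLAIM: "dep-1"}

class NonceStore:
    """Nonces issued at OIDC login; each may be redeemed once before it expires."""
    def __init__(self):
        self._pending = {}                       # nonce -> expiry (epoch seconds)

    def issue(self, nonce, now, ttl=300):
        self._pending[nonce] = now + ttl

    def redeem(self, nonce, now):
        if not isinstance(nonce, str):
            return False
        expiry = self._pending.pop(nonce, None)  # pop makes the nonce single-use
        return expiry is not None and now <= expiry

def validate_launch_claims(claims, reg, nonces, now=None, skew=60):
    """Return None when the claims pass, else a reason code suitable for logging.
    Assumes the token signature was already verified against the platform JWKS."""
    now = time.time() if now is None else now
    if claims.get("iss") != reg["issuer"]:
        return "issuer_mismatch"
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]   # aud: string or array
    if reg["client_id"] not in audiences:
        return "audience_mismatch"
    # With several audiences, azp should name this client.
    if len(audiences) > 1 and claims.get("azp") != reg["client_id"]:
        return "azp_mismatch"
    if claims.get(DEPLOYMENT_CLAIM) not in reg["deployment_ids"]:
        return "unknown_deployment"
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now > exp + skew:
        return "token_expired"
    # Checked last so a token rejected earlier does not consume the nonce.
    if not nonces.redeem(claims.get("nonce"), now):
        return "nonce_replayed_or_unknown"
    return None
```

Returning a reason code rather than a boolean gives the launch endpoint something specific to log for each rejected token.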
User Provisioning Logic:
If the ID Token contains a sub (subject) not found in ALM:
• ALM creates a new user.
• Email, name, and roles are mapped.
• User is auto-enrolled if configured.
Role Mapping:
LTI Roles → ALM Roles:
• Learner → Learner
• Instructor → Instructor
• Administrator → Custom mapping
Grade Return (Assignment and Grade Services – AGS):
During registration:
• LMS shares Line Item endpoint.
• LMS shares Access Token endpoint.
After assessment completion:
• ALM requests access token.
• ALM POSTs score to LMS endpoint.
• LMS updates gradebook.
3. ALM as LTI Consumer (Embedding External LMS Content)
Use Case:
ALM authors want to embed third-party LMS courses as modules inside ALM.
Required Provider Information:
• Launch URL
• OIDC Login Endpoint
• JWKS URL
• Client ID
• Deployment ID
Launch Sequence:
1. Learner clicks LTI module in ALM.
2. ALM redirects to OIDC Login Endpoint.
3. Provider returns ID Token.
4. ALM validates token.
5. Provider content renders inside ALM player.
Data Exchange in Token:
Standard Claims:
• iss – Provider identifier
• sub – User identifier
• aud – Intended recipient
• exp – Expiration
LTI Claims:
• https://purl.imsglobal.org/spec/lti/claim/roles
• https://purl.imsglobal.org/spec/lti/claim/context
• https://purl.imsglobal.org/spec/lti/claim/resource_link
User Auto-Provisioning in Provider:
If user does not exist:
• Provider creates account using email/sub claim.
• Assigns default role.
Grade Synchronization:
• Provider invokes ALM AGS endpoint.
• ALM validates access token.
• Score is written into learner transcript.
4. Data Governance and Compliance
Minimum Necessary Data Principle:
Only required attributes are shared:
• Unique identifier
• Name
• Email
• Role
Compliance Standards:
• GDPR – Data minimization
• FERPA – Education privacy
• SOC2 – Secure key handling
Key Rotation Strategy:
• Annual public/private key rotation recommended.
• Maintain overlapping key validity during transition.
5. Multi-LMS Enterprise Architecture Pattern
Large enterprises often deploy:
• ALM (Corporate training)
• Canvas (Academic programs)
• Moodle (Legacy courses)
• Brightspace (Partner ecosystem)
Architectural Best Practices:
• Separate Deployment IDs per LMS.
• Maintain environment isolation (Dev, Stage, Prod).
• Document all Issuer and Client ID mappings.
• Centralized monitoring for launch failures.
• Enable detailed logging of JWT validation errors.
6. Failure Handling and Observability
Common Failure Points:
• Invalid signature
• Audience mismatch
• Expired token
• Incorrect JWKS URL
• Role mismatch
Recommended Monitoring:
• Log token validation failures.
• Alert on repeated failed launches.
• Track grade POST failures.
• Validate clock synchronization across systems.
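One way to turn "alert on repeated failed launches" into a check, as an added Python example that is not part of ALM. The log line format, the reason codes and the threshold and window values are assumptions, and the sample log is constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines; the format is an assumption, not ALM's log format.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z launch_failed iss=https://canvas.example.edu reason=invalid_signature
2024-05-01T10:00:20Z launch_ok iss=https://moodle.example.org
2024-05-01T10:00:40Z launch_failed iss=https://canvas.example.edu reason=invalid_signature
2024-05-01T10:01:10Z launch_failed iss=https://canvas.example.edu reason=invalid_signature
2024-05-01T10:09:00Z launch_failed iss=https://moodle.example.org reason=token_expired
2024-05-01T10:30:00Z launch_failed iss=https://moodle.example.org reason=token_expired
"""

def parse_line(line):
    """Split one log line into (timestamp, event, fields); None if malformed."""
    parts = line.split()
    if len(parts) < 2:
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    fields = dict(p.split("=", 1) for p in parts[2:] if "=" in p)
    return ts, parts[1], fields

def repeated_failures(log_text, threshold=3, window=timedelta(minutes=5)):
    """Return (issuer, reason, time) alerts when one issuer fails with the same
    reason `threshold` times inside `window`."""
    recent = defaultdict(deque)          # (issuer, reason) -> failure timestamps
    alerts = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if not parsed or parsed[1] != "launch_failed":
            continue
        ts, _, fields = parsed
        key = (fields.get("iss", "?"), fields.get("reason", "?"))
        q = recent[key]
        q.append(ts)
        while q and ts - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            alerts.append((key[0], key[1], ts))
            q.clear()                    # avoid re-alerting on the same burst
    return alerts
```

Grouping by issuer and reason keeps the alert actionable: a burst of signature failures from one issuer points at its JWKS URL or a key rotation, while a burst of expired tokens points at clock synchronization.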
7. Security Hardening Recommendations
• Enforce HTTPS endpoints.
• Restrict redirect URIs.
• Validate nonce values.
• Limit token lifespan.
• Disable unused services (Deep Linking, NRPS) if not required.
8. Strategic Benefits of LTI 1.3 with ALM
• No duplicated content hosting.
• No manual user account creation.
• Real-time grade synchronization.
• Federated identity without password sharing.
• Centralized compliance reporting.
• Modular learning architecture.
Conclusion
LTI 1.3 transforms Adobe Learning Manager into a federated learning node within a broader digital learning ecosystem.
By leveraging OAuth 2.0, OIDC, JWT, and secure key exchange, organizations can enable seamless cross-platform content sharing
while maintaining strict identity validation and grade integrity.
When properly architected with separate deployment IDs, key rotation policies, and monitoring controls,
ALM-based LTI integrations can scale across global enterprises securely and efficiently.
