[Building Sakai] External Tool Question
Charles Severance
csev at umich.edu
Fri Jan 9 14:22:15 PST 2015
I will add to what Sam said about the key.
I *hope* that you are not trusting the tool_consumer_instance_guid value without viewing it through the key.
The *only* thing that you should trust is the key and all should flow from that. You might for example create a key and know in your system that launches with that key are guaranteed to provide a trustable value of tool_consumer_instance_guid.
You might be OK trusting tool_consumer_instance_guid when you give a key to a multi-tenant instance of D2L or Canvas and use the TCIG to figure out which tenant you are dealing with within that multi-tenant LMS.
But if you are looking at the TCIG as trusted and unspoofable information - you are opening yourself up to bad security holes - because that is trivial to spoof.
All of these values can be set by a Sakai admin in their sakai.properties - but they can set them to any value they like.
/Chuck
On Jan 6, 2015, at 9:31 PM, Michael Lee <michaell at newrow.com> wrote:
> Hi,
>
> Currently my company is working on creating a tool that is compatible with Sakai.
>
> My question is, how can I differentiate between different institutions?
>
> For instance, Canvas and Blackboard have a parameter called tool_consumer_instance_guid which will differ based on institutions, but I am having no luck identifying what would be the best parameter to identify that.
>
> Any advice?
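
The key-first approach described in the reply above, as an added example that is not part of the original thread or of Sakai's code. The registry, key names, secrets, guid values and function names are constructed for illustration; it assumes an LTI 1.1 launch signed with OAuth 1.0 HMAC-SHA1, an already-normalized launch URL, and nonce/timestamp replay checks done elsewhere.

```python
import base64, hashlib, hmac
from urllib.parse import quote

# Constructed registry: one record per consumer key issued by the tool vendor.
# "tenants" exists only for keys given to a multi-tenant LMS; it maps the
# tool_consumer_instance_guid values accepted under that key to institutions.
KEYS = {
    "key-sakai-univ-a": {"secret": "s3cret-a", "institution": "univ-a"},
    "key-shared-lms": {"secret": "s3cret-m",
                       "tenants": {"east.lms.example": "college-east",
                                   "west.lms.example": "college-west"}},
}

def _enc(s):
    return quote(str(s), safe="-._~")  # RFC 3986 unreserved set, as OAuth 1.0 requires

def sign(method, url, params, secret):
    """OAuth 1.0 HMAC-SHA1 signature over the launch POST (LTI 1.1 has no token secret)."""
    pairs = sorted((_enc(k), _enc(v)) for k, v in params.items() if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    base = "&".join([method.upper(), _enc(url), _enc(normalized)])
    digest = hmac.new(f"{_enc(secret)}&".encode(), base.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()

def institution_for_launch(method, url, params):
    """Return the institution for a launch, derived from the key; raise on any mismatch."""
    record = KEYS.get(params.get("oauth_consumer_key", ""))
    if record is None:
        raise PermissionError("unknown consumer key")
    expected = sign(method, url, params, record["secret"])
    if not hmac.compare_digest(expected, params.get("oauth_signature", "")):
        raise PermissionError("bad signature")
    if "tenants" not in record:
        # Single-institution key: the guid sent in the launch is ignored entirely.
        return record["institution"]
    # Multi-tenant key: the guid only selects among tenants registered for this key.
    guid = params.get("tool_consumer_instance_guid", "")
    if guid not in record["tenants"]:
        raise PermissionError("guid not registered for this key")
    return record["tenants"][guid]
```

A launch signed with the single-institution key resolves to that key's institution whatever tool_consumer_instance_guid it carries, so a value set in sakai.properties cannot move the launch to another institution.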