[Building Sakai] External Tool Question

Charles Severance csev at umich.edu
Fri Jan 9 14:22:15 PST 2015


I will add to what Sam said about the key.

I *hope* that you are not trusting the tool_consumer_instance_guid value without viewing it through the key.

The *only* thing that you should trust is the key and all should flow from that.  You might for example create a key and know in your system that launches with that key are guaranteed to provide a trustable value of tool_consumer_instance_guid.

You might be OK trusting tool_consumer_instance_guid when you give a key to a multi-tenant instance of D2L or Canvas and use the TCIG to figure out which tenant you are dealing within that multi-tenant LMS.

But if you are looking at the TCIG as trusted and unspoofable information - you are opening yourself up to bad security holes - because that is trivial to spoof.

All of these values can be set by a Sakai admin in their sakai.properties - but they can set them to any value they like.  

/Chuck

On Jan 6, 2015, at 9:31 PM, Michael Lee <michaell at newrow.com> wrote:

> Hi,
> 
> Currently my company is working on creating a tool that is compatible with Sakai.
> 
> My question is, how can I differentiate between different institutions?
> 
> For instance, Canvas and Blackboard have a parameter called tool_consumer_instance_guid which will differ based on institutions, but I am having no luck identifying what would be the best parameter to identify that.
> 
> Any advice?
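
Added example, not part of the original thread or of Sakai's code: a tool-side launch check in which the institution is derived from the verified oauth_consumer_key, and tool_consumer_instance_guid is honored only under a key issued to a multi-tenant LMS. The key registry, secrets, guid values and function names are constructed for illustration; the launch URL is assumed to carry no query string, and nonce/timestamp replay checks are left out.

```python
import base64, hashlib, hmac
from urllib.parse import quote

# Constructed registry of keys this tool has issued. "tenants" is None for a
# key given to one institution; for a key given to a multi-tenant LMS it is
# the set of tool_consumer_instance_guid values accepted under that key.
KEYS = {
    "key-sakai-univ-a": {"secret": "s3cret-a", "tenants": None},
    "key-hosted-lms": {"secret": "s3cret-b",
                       "tenants": {"school1.example", "school2.example"}},
}

def _enc(value):
    # OAuth 1.0 percent-encoding: only RFC 3986 unreserved characters stay.
    return quote(str(value), safe="-._~")

def sign(method, url, params, secret):
    """OAuth 1.0 HMAC-SHA1 signature of a launch (LTI uses no token secret)."""
    pairs = sorted((_enc(k), _enc(v)) for k, v in params.items()
                   if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    base = "&".join([method.upper(), _enc(url), _enc(normalized)])
    mac = hmac.new((_enc(secret) + "&").encode(), base.encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()

def institution_for(method, url, params):
    """Return (key, tenant) for a trusted launch, or None to reject it."""
    key = params.get("oauth_consumer_key", "")
    entry = KEYS.get(key)
    if entry is None:
        return None                      # unknown key: nothing to trust
    expected = sign(method, url, params, entry["secret"])
    if not hmac.compare_digest(expected, params.get("oauth_signature", "")):
        return None                      # not signed with this key's secret
    if entry["tenants"] is None:
        return (key, None)               # identity is the key; TCIG ignored
    tcig = params.get("tool_consumer_instance_guid")
    if tcig not in entry["tenants"]:
        return None                      # TCIG not expected under this key
    return (key, tcig)                   # TCIG only has meaning within the key
```

Data stored per institution would be keyed on the returned tuple, so a value set in another site's sakai.properties cannot select another key's records.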
