Skip to main content

Authenticating parents / caregivers with LTI Launch

  • Updated

Some of Intellischool's embeddable resources support parent/caregiver functionality. For example, the Analytics microapp enables parents / caregivers to visualise data about their child(ren). And the Parent Teacher Interviews microapp would be rather useless without being able to authenticate parents or caregivers!

All microapps that support parent / caregiver logins do so through the use of Learning Information Services roles (specifically referenced in LTI) and the role_scope_mentor claim in LtiResourceLinkRequest tokens.

 

Tip: If you haven't already, check out the Learning Tools Interoperability section of our API documentation to understand the framework.

 

Supported resources

The following resources support parent / caregiver logins:

  • Analytics
  • Course / Subject Selection
  • Forms
  • Launchpad
  • Parent-Teacher Interviews

 

Examples

1. IDaP already has an established relationship with one or more students

This example is the simplest to deal with, as the IDaP already has relationship data in place. This is usually the case when a tenant uses Albitros or Wylba as their primary SIS.

In addition to all the compulsory claims in your LTI Launch token, you will need to set the parent / caregiver's roles as follows:

{
  // Make sure you include all the compulsory claims
  "https://purl.imsglobal.org/lti/claim/roles": [
    "http://purl.imsglobal.org/vocab/lis/v2/institution/person#Other",
    "http://purl.imsglobal.org/vocab/lis/v2/membership#Mentor",
    "http://purl.imsglobal.org/vocab/lis/v2/membership/Mentor#ExternalMentor"
  ]
}

Let's break this down a little bit:

  • The person#Other role tells the IDaP that this person is known to the "institution" (i.e. tenant) but isn't a member of your typical roles like a staff member or student would be;
  • The membership#Mentor role tells the IDaP that this person has the right to view a given set of students' data; and
  • The Mentor#ExternalMentor context role tells the IDaP that this person is an "external mentor".

The combination of the three role specifications above implies that the person being authenticated is a parent or caregiver, and because the IDaP is already aware of the relationships between this person and any students, your token doesn't need to specify the role_scope_mentor claim.

 

2. IDaP is not aware of the relationship between parent / caregiver and student(s)

This example assumes that the IDaP is not aware of parent / caregiver to student relationships. If a tenant doesn't use Albitros or Wylba as their primary SIS, and they aren't using the Integration Hub to sync this data from another source, you must include the role_scope_mentor claim in your LTI Launch token.

As per the first example, you will need to include all the compulsory claims in your LTI Launch token, in addition to the roles and role_scope_mentor claims:

{
  // Make sure you include all the compulsory claims
  "https://purl.imsglobal.org/lti/claim/roles": [
    "http://purl.imsglobal.org/vocab/lis/v2/institution/person#Other",
    "http://purl.imsglobal.org/vocab/lis/v2/membership#Mentor",
    "http://purl.imsglobal.org/vocab/lis/v2/membership/Mentor#ExternalMentor"
  ],
  "https://purl.imsglobal.org/lti/claim/role_scope_mentor": [
    "AB123473",
    "bbca8f9a-de59-4fdb-9e07-3fabb88a35f2",
    "student@school.edu"
  ]
}

 

Student identifiers

Your token may specify students in the role_scope_mentor claim as (in order of preference):

  1. IDaP entity or student UUID (fastest);
  2. Student e-mail address; or
  3. External identifier as stored in the ext_id field of the entity object.

Where there is more than one student in the list, your token may supply the student identifiers in multiple different formats.

If a student cannot be identified using the identifier provided, or if there were multiple matches, that identifier will be ignored.

 

Using alternative student identifiers

If you need to use an alternative student identifier, you can configure a custom mapping in the LTI configuration for the platform using Albitros, Dextyr, Wylba or the Developer/Partner Portal.

This value must be stored in the IDaP in the identifiers field in the relevant entity object.

 

Troubleshooting

Check the common error codes

Our API documentation provides a list of common LTI error codes and guidance on how to fix the issue.

 

No students are shown after signing in

If the tenant is using Albitros SIS or Wylba SIS, make sure that the parent / caregiver is a member of a family entity, and that there are not any custodial records preventing them from accessing records online.

If you are supplying the student relationships in the role_scope_mentor claim, make sure that the identifiers can be resolved to an actual student. Identifiers must be one of the three types nominated in this documentation.

If you are using a custom identifier mapping, make sure it is configured correctly in the LTI configuration for the Platform that is generating the LTI Launch request, and that the identifier being used has been stored in the identifiers field in the associated entity object.

 

HTTP 403 "Forbidden" error after signing in

The most likely cause for this error is a misconfigured LTI role map override. Check that the tenant does not have any role overrides set in their LTI configuration that are preventing parent / caregiver roles from being mapped properly.

 

Comments

0 comments

Please sign in to leave a comment.