Connecting Tsugi and Sakai with LTI Advantage

This is a suppliment to the Tsugi LTI Advantage documentation available at

Sakai expects to mint the tool private keys as of Sakai-19.0. But you can also create the integration in Sakai and then override the Sakai-chosen tool keys by editing the entry after it is created. There are plans to add support for the tool keyset in a later release of Sakai 19.x.

The workflow between Sakai and Tsugi is quite easy if you can be in the admin UI of both tools at the same time. This can either happen if both systems are administered by the same person or they can work together exchanging values over Slack or email.

Tsugi has a self-service mechanism to request and approve LTI 1.1 keys but does not yet have a self service mechanism to request LTI Advantage keys so you need to create an Issuer.

You can work through this example using the Sakai and Tsugi nightly servers. They are nice to experiment with because they reset every night :)  ( admin / admin ) (tsugi)

Basic Tool Configuration

In Sakai go to Adminstration Workspace, External Tools.

If you are editing an existing LTI 1.1 tool, you can edit the tool, leave the URL, key, and secret alone, turn on LTI 1.3, and skip to the LTI Advantage Security Setup below.

If you are making a new tool, you can either connect a single tool endpoint in Tsugi or you can add Tsugi as a Learning App (Content Item or Deep Linking). The process is the same except for a different URL and few checkboxes at the bottom of the add LTI tool screen.

For a single tool, simply check

When intalling Tsugi as an App Store under Learning Apps, check

Continue with the LTI Advantage steps below.

LTI Advantage Security Setup

For the process of exchanging LTI Advantage configuration information, it is easiest to have Sakai open in one browser tab and Tsugi open in another browser tab.

First go into the Tsugi Administrator UI and select 'Manage Keys'.

If the issuer entry for the Sakai server is already present in Tsugi, simply view it and copy all the relevant values into the Sakai tool entry. The issuer for Sakai is generally the URL of the Sakai server like - with no trailing slash.

If no issuer exists in Tsugi, start the Add an Issuer process. On the Add Issuer screen you can see the OIDC Connect and OIDC Redirect endpoints before you save the Issuer.
Copy these to Sakai and save the Sakai LTI tool.

Then view the Tool in Sakai. Copy these values to the Tsugi Add Issuer screen:

Leave the tool public and private keys blank in Tsugi and leave the LTI 1.3 Platform OAuth2 Bearer Token Audience Value blank as well.

Then save the issuer in Tsugi.

Then view the issuer in Tsugi and find the Tool public key. Edit the tool entry in Sakai and overwrite the Tool Public Key. After you copy the Tool Public Key from Tsugi to Sakai, you should delete/empty the Tool Private Key in the Sakai tool entry. Sakai has no need for the Tool's private key and it is bad security practice for Sakai to posess the Tool's private key and the private key that was generated by Sakai is no longer even relevant. Sakai simply generated a public/private tool pair for the tool in case the tool could not generate its own key pair but since Tsugi does generate a key pair, we use the pair provided by Tsugi instead of the pair generated by Sakai.

Once you have created or found an issuer in Tsugi, you can either edit an existing tenant/key ar make a new one. To enable LTI 1.3 launches, you need to select an issuer, set the deployment_id (always 1 on Sakai for now) and save the tenant/key.

You should be ready to use Lessons to place a tool in Sakai and do a launch. One fun aspect of Sakai is that once you set up a tool with both LTI 1.1 and LTI 1.3 values, you can switch back and forth between 1.1 and 1.3 launches by simply changing the LTI 1.3 radio button.