🆔 HUB Identity

Single Sign On HUB.Educational

HUB.Educational SSO ( Single Sign On) is a tool used to integrate HUB access with other applications, be they web or mobile.


Requirement: Application registered at HUB.Educational .

  1. Access the HUB.Educational authentication service by passing client_id, redirect_uri e launch_method.
  2. Using his credentials, the user authenticates in the HUB.Educational , then a list of user profiles associated with institutions using the application informed in client_id.
  3. The User clicks on the profile that he wants to launch the application.
  4. The HUB.Educational prepares an LTI package for initialization, and redirects to the application's initialization URL. If the parameters redirect_uri and launch_method informed, the Hub will use these values ​​for initialization, otherwise it will use its default values.
  5. The application, upon receiving the initialization request, must read the informed LTI package, validate the package, and then access the application with the necessary resources for the user of the identified profile.

HUB.Educational SSO

To start the HUB.Educational SSO , it is necessary to access the HUB.Educational authentication service by passing the following parameters in the URL: client_id, redirect_uri (optional) and launch_method (optional).

  • client_id**:** Hub application identification (client ID)
  • redirect_uri**:** Address for redirecting / launching the application. If not informed, it assumes the value of the initialization URL saved in the application's registration.
  • launch_method**:** Boot method. GET or POST value. If not informed, it defaults to POST value.

Example (**HUB.Educational SSO host: ssohub.educacional.com):**


In this example, the values ​​of client_id, redirect_uri and launch_method were informed as follows:

After user authentication, the HUB will display a list of access profiles for that user whose institution is related to the hub.tools.saltire.tool application. The user then chooses one of the profiles he wants to access the application by clicking on the selected profile.

The HUB.Educational creates an LTI package from that profile and redirects it to the application through a POST request to the startup URL configured in the application configuration area. If the values ​​of redirect_uri and launch_method have been entered, the HUB uses these values ​​in the redirection.

The application that will receive the initializations must provide HTTP endpoints that support LTI 1.1 initialization in POST or GET methods. It is recommended to use the POST method by default, however, for some cases it is not possible to perform the initialization via HTTP POST, being necessary to use the GET method as will be described in Mobile Applications.

Web applications

Web applications are usually built on the HTTP protocol, the boot endpoint is nothing more than an HTTP endpoint with a POST method that will preferably receive an LTI package according to the specifications.

Mobile Applications

Mobile applications (Ex .: Android, IOS) use other native (non-web) standards to open the application, the use of HTTP POST is not supported. However, these systems provide options for launching the native application from URLs, called Deeplink. These links or URLs are compatible with a common GET request, containing an address and parameters in the URL itself that will be passed on to the application by the operating system. This functionality can be used to redirect the user directly to a resource or to a specific screen of the native application.

On Android, this functionality is called App Link. On iOS it is implemented using URL scheme. Below are links to their official documentation. The general idea is that, in the native application, a website address (preferably the application's web page) be configured to be associated with it. For example, let's say there is the MyGreatApp app, the same configured https://myapp.com/ for startup using android app link or ios url scheme, when the user accesses https://myapp.com/ in the web browser of his smartphone, his system will identify that this address is associated the MyGreatApp application and can launch that app. Likewise, if the user accesses https://myapp.com/?paramA=1234&paramB=HubEducacional, the MyGreatApp application will be launched and paramA=1234 and paramB=HubEducaciona will be passed to the application that will be able to access its values.

Using this functionality, the SSO HUB.Educational initializes the mobile application passing the parameters of the LTI package as URL parameters, as in a GET request, thus, the SSO must be accessed informing launch_method mandatorily as GET, and redirect_uri must be the address of the scheme configured in the application.


App Link https://developer.android.com/studio/write/app-link-indexing


URL scheme https://developer.apple.com/documentation/uikit/inter-process_communication/allowing_apps_and_websites_to_link_to_your_content/defining_a_custom_url_scheme_for_your_app

Integration with HUB.Educational with LTI 1.1

To open an application through HUB.Educational , the HUB sends an LTI 1.1 package to the application, which upon receipt, must validate this initialization request and provide the necessary resources for the user.

An LTI 1.1 package is just a request signed by OAuth1 with some mandatory additional parameters regarding the LTI standard.


For more information about the LTI package, go to the 📖 LTI section, this document describes the LTI 1.1 standard, along with details, tips and information on the implementation of the standard and on HUB.Educational integration.

What's Next