The Hack The Box (HTB) Enterprise Platform supports Learning Tools Interoperability (LTI) to enable seamless integration with Learning Management Systems (LMSs) like Canvas, Moodle, and any LMS that respects the LTI v1.3 specification. This article provides an overview of how LTI is implemented on the HTB Enterprise Platform side and what to expect from supported LMS workflows.
🔧 What’s Supported in Our LTI Implementation
LTI implementation for HTB Enterprise Platform will base all development around version 1.3 of the LTI specification for:
Deep Linking, lets teachers design courses by adding HTB Enterprise Platform content easily directly into their course. (The full spec on Deep Linking)
Dynamic Registration, is a way to make it easier and safer for schools or organizations to connect new learning tools to their learning platform. (The full spec on Dynamic Registration)
Assignment & Grade Service, allows LMSs to know of content completions on HTB Enterprise Platform that’s assigned to LMS courses. That information is displayed on LMS gradebook columns (called "line items") for different assignments or activities. (The full spec on Assignment & Grade Service).
LTI integration will automatically give access to the HTB Enterprise Platform to students enrolled to a course in order to play the assigned courses.
LTI implementation is strictly following the LTI specifications. No custom implementation related to a specific LMS is supported. The implementation considers a given that the connected LMS is fully LTI compliant.
Grading works for all content completed AFTER the LTI integration setup with the LMS. Any content completions done BEFORE the integration setup will not sync back to the LMS
👥 User roles and access in the HTB Enterprise Platform
Assigning users from your LMS to the HTB Enterprise Platform are mapped to 3 roles based on their assigned LTI specific role in your LMS as follows:
Administrator, that has full access to the HTB Enterprise Platform. Administrators can checkout all options of the platform. Administrators can create courses in the HTB Enteprise Platform - which are organized in Spaces - but these courses will not sync back to your LMS. Users are assigned the administrator role in the platform if they have the following LTI roles in your LMS:
Administrator
Account Admin
Moderator, that has full access to the HTB Enteprise Platform. Moderators can checkout all options of the platform but not the Company Settings and Subscriptions page. Moderators can create courses in the HTB Enteprise Platform - which are organized in Spaces - but these courses will not sync back to your LMS. Users are assigned the moderator role in the platform if they have the following LTI roles in your LMS:
Instructor (or Teacher)
Member, that can only access the assigned courses in the HTB Enterprise Platform. Members cannot navigate anywhere else but their assigned courses. To reach the assigned course page, members follow a link from your LMS. Users are assigned the member role in the platform if they have the following LTI roles in your LMS:
Member
Alumni
🎓 LTi Licensing and Seat Management
LTI works for Academy and Dedicated Labs content when in a Bundle license. This means that:
The organization integrating over LTI with an LMS will do so only for a bundle license; there’s no way to integrate LTI on individual Academy or Dedicated Lab licenses in the same organization.
LTI integration will allow for courses creation with Modules, Machines, Sherlocks, and Challenges. The implementation is using HTB Enterprise Platform Spaces to build the related courses, so for LMS courses containing both Modules and Machines/Sherlocks/Challenges, two Spaces will be created on the HTB Enterprise Platform side: one under Academy Labs and another one under Dedicated Labs.
Seat allocation over LTI integration follows these rules:
Creating a course in LMS and assigning students does NOT allocate a seat.
Seat allocation happens when the student actually clicks on a specific course (Module, Machine, Sherlock, Challenge) and is entering the HTB Enterprise Platform to take that course.
If all seats of the bundle license are assigned, then when a student completes a course on HTB Enterprise Platform (owns a Module, Machine, Sherlock, Challenge), remove that student from the seat.
Why OIDC (instead of SAML)?
While both SAML and OpenID Connect (OIDC) can suffer from cross-platform security exposure when one side is misconfigured, their attack surfaces differ significantly.
SAML faces complex XML-based vulnerabilities like signature wrapping attacks and XML injection, which can enable attackers to forge authentication responses and gain lateral movement across all federated services, with the compromise of the identity provider signing keys, potentially exposing the entire trust ecosystem.
OIDC has a considerably smaller and more manageable attack surface due to its stricter specification and JSON-based tokens, but misconfigurations around token validation, audience verification, and trust relationships can still enable cross-tenant attacks and unauthorized access, though these issues are generally easier to identify and remediate than SAML’s XML security complexities.