1

One of my clients sent me a xAPI course which is created using Articulate Storyline 360 and published as Tin Can API for LMS. I am able to launch the course using method mentioned in below link:

Incorporating a Tin Can LRS into an LMS

So using the above method the launch URL looks like:

http://my.lms.com/TCActivityProvider/story.html

?endpoint=http://my.lms.com/lrs/endpoint/

&auth=Basic OjFjMGY4NTYxNzUwOGI4YWY0NjFkNzU5MWUxMzE1ZGQ1

&actor={"name": ["First Last"], "mbox": ["mailto:firstlast@mycompany.com"]}

&activity_id=61XkSYC1ht2_course_id

&registration=760e3480-ba55-4991-94b0-01820dbd23a2

Using the above URL which has an endpoint and credentials information, the course gets launched successfully and sents xAPI statements to LRS automatically.

But I don't want to send the parameters like auth, actor or endpoint in the URL for security reasons.

I googled for an alternative method and found the adlnet/xapi-launch and adlnet/xAPIWrapper library.

I explored the above two libraries but am confused about how it can be integrated into the LMS?

Does Articulate Storyline 360 support adlnet/xAPIWrapper?

Chinmay Waghmare
  • 5,368
  • 2
  • 43
  • 68

1 Answers1

1

The adlnet/xAPIWrapper is just a library that makes it easier to communicate with the LRS and requires you to determine how the endpoint and authentication credentials will be passed to the library. In other words it isn't necessarily intended to be used via LMS launch (it will work there, but doesn't have special handling for it). The xapi-launch specification you found as far as I know (at this time) has effectively zero adoption.

The other alternative would be to use cmi5 which is another specification that includes the concepts of packaging, import and launch for content that communicates via xAPI. It uses a different credential handshake process that is similar to both the launch guidelines you linked and the xapi-launch method. It uses query string parameters for the endpoint, but the LRS credentials are accessed via a separate, single use request. It has better adoption (though still early at this time), has been peer reviewed, is under the ADL umbrella, and is on more of a standards path. See https://xapi.com/cmi5/ for more about cmi5. I don't believe Articulate has yet implemented cmi5 in their products (at this time) as they are waiting for more indication for market desire, you should contact them about your interest in it if you feel it is a suitable option.

Brian J. Miller
  • 2,169
  • 1
  • 12
  • 12
  • So do you mean that sending those credentials in the URL is the only thing I can do at the moment? But by doing that user can easily change the actor information in the URL right? Isn't that improper? – Chinmay Waghmare May 14 '18 at 04:34
  • The `actor` is separate from the LRS credentials anyway, but yes they could change either, but in a browser context using JS they are going to be able to do that anyways. The larger concern around the query string parameters should be the ease with which they can be intercepted and/or passed on (which cmi5 largely solves). cmi5 also solves the issue of the core statements (those defined by the profile) needing to have a matching `actor` for the given session. Note it isn't necessarily invalid for content to send statements about a different `actor` (even in cmi5, via "allowed statements"). – Brian J. Miller May 15 '18 at 12:48