The new 3.X version of Shibboleth Identity Provider (IdP) software was released earlier this year, replacing the popular 2.X version which completed an end-of-life process on July 31, 2016. No further security updates or bug-fixes will be provided for Shibboleth version 2.X.
The CCC Technology Center (CCCTC) is upgrading the OpenCCC student gateway IdP (Shibboleth v.2.4.1, to version 3.1) on September 29 as part of its planned mid-year release (5.5). The CCCApply college staff IdP - which provides single sign-on (SSO) capability to the CCCApply Administrator and CCC Report Center, - is also being upgraded to version 3.1.
| Note |
|---|
| Recommendation for Colleges Colleges using Shibboleth will need to verify which version they are using and if using version 2.X, should consider upgrading to the latest version, if that hasn’t been completed. Shibboleth v2.X will become an unsupported version, and whileupgrading to v3.1 is not required, it is strongly encouraged.recommended. See below for more information on the benefits and requirements of upgrading the Shibboleth version 3 today! |
Mini-Grant Funding Available for Shibboleth v3 Upgrade
Colleges participating in one or more statewide technology programs, grant initiatives or pilot programs (CCCAssess, Online Educaion (OEI), or the Education Planning Initiative (EPI), will soon be connecting your college.f]be required to have the latest version of Shibboleth (v3.X) installed and integrated for both student and staff users.*
One of the requirements for participation in the California Community Colleges Single Sign-on Initiative (CCC SSO Federation) includes an upgrade their current 2.X version of Shibboleth Identity provider software to version 3.X in order to participate. In an effort to support participating colleges* a mini-grant program has been established to provide up to $5,000.00 in support, specifically for the purpose of upgrading to the latest version.. Click here to see the requirements for participation and apply for a mini-grant of $to support this colleges that choose to upgrade now funding support
The new Shibboleth IdP version 3.X includes many features and enhancements will soon need to go through a process to ensure that their campus system is compatible with the statewide IdP. This includes aligning the IdP and associated applications to support integration with statewide authentication services (SSO) for students and staff.
Colleges that have only one IdP configured for staff (ex: Shibboleth 2.X authenticating for staff to the CCCApply Administrator & Report Center) will be required to upgrade to Shibboleth version 3 in order to facilitate authentication capability for students, as well as admins and staff .
Failure to upgrade to the latest version 3.X of the Shibboleth Identity Provider software IdP could result in users and IT staff losing access to online federated apps and learning resources following the End-of-Life date. 9STAR team advises all organizations students losing access to secure CCC web applications within the CCC SSO Federation, including the new student services portal, MyPath, the common assessment system, CCCAssess, the Hobson's Ed Planning tools, and even Canvas, the statewide course management system.
The CCCTC recommends all colleges that are currently using the Shibboleth Identity Provider software , that they upgrade to the latest Shibboleth Identity Provider software version 3.X . The new Shibboleth IdP version 3.X includes in order to take advantage of the many features and enhancements that provideit provides:
- Improved security.
- Ease of management use and configuration.
- Greater interInter-operability with apps.
- and integration with other CCC application
Colleges can choose to upgrade Shibboleth Identity Provider software on their own (DIY), or contract with an approved vendor to perform the technical implementation. A one-time, $5K mini-grant stipend is available to support colleges who choose to work with a vendor for this implementation. NOTE: Working with an approved vendor means the college may experience delays in their project timelines. Vendors are working with colleges on a first-come, first-served basis. To learn more about working with an approved vendor to facilitate your Shibboleth Upgrade, read this.
One of the requirements for participation in the California Community Colleges Single Sign-on Initiative (CCC SSO Federation) includes ensuring your college IdP is aligned with the statewide IdP, facilitating authentication (SSO) for both students and staff. This requires colleges to either upgrade their current version of Shibboleth to version 3.X or implement a supported IdP software product (Portalguard) to authenticate students within and across CCC web applications.
Click here to see the requirements for participation and apply for a mini-grant of $to support this colleges that choose to upgrade now funding support
The Proxy IdP Project
The cornerstone of the statewide technology initiatives underway at the CCC Tech Center Tech Center portfolio of web applications is security, privacy and easeIn order to participate in the Failure to upgrade to Shibboleth V.3 could result in losing eligibility to participate in opportunities to participate in secure CCCID.
of Upgrading to version 3.X of the Shibboleth Identity Provider (IdP) software is strongly advised at this time. Failure to upgrade could result in colleges acould result in users and IT staff losing access to online federated apps and learning resources following the End-of-Life date. 9STAR team advises all organizations that are currently using the Shibboleth Identity Provider software, that they upgrade to the latest Shibboleth Identity Provider software version 3.X. The new Shibboleth IdP version 3.X includes many features and enhancements that provide:
- Improved security.
- Ease of management and configuration.
- Greater inter-operability with apps.
The CCCID will be necessary for accessing Canvas through a student services portal being developed by the CCC Education Planning Initiative. The portal, when fully developed, will be the entry point to systemwide services including the OEI Course Exchange, the common assessment system known as CCCAssess, and others.
Colleges using Canvas should already be storing the CCCID in their student information systems, and should immediately begin transferring that data into Canvas via CSV upload. This will be required for additional integration and participation in future OEI activities and other statewide technology initiatives, according to John Sills, OEI Program Manager.
Support for Colleges IT Staff
The CCCAssess team realizes the challenge of adding yet another project to the IT team’s full plate, and is working to make the conversion as smooth as possible, said John Hadad, Product Manager for the California Community Colleges (CCC) Common Assessment Initiative (CAI).
“IT teams are already running at full speed,” Hadad said. “Each college has local IT projects to implement and upgrades to their systems. Plus, the IT staff provides ongoing support of the network. CCCAssess does mean extra work but we are doing everything we can to reduce the pressure and provide support.”
What if we use other Identity Providers?
If a college does not use Shibboleth as its IdP, there are other steps that you may need to take. Colleges using PortalGuard, Ellucian and other IdP solutions will need to go through a process to ensure that their campus system is compatible with the statewide IdP. This includes aligning the IdP and associated applications to support the integration with the statewide authentication service.
Do you have more questions?
Additional information is available at the CCCAssess website at CCCAssess.org. You can also contact John Hadad directly at jhadad@ccctechcenter.org or 530-413-8583, and Monica Zalaket at mzalaket@ccctechcenter.org or 530-213-3677.