
This guide provides step-by-step instructions for integrating with the CCC SSO Proxy service and should be used in conjunction with the /wiki/spaces/CSF/pages/137363670 to ensure all technical and operational requirements have been met. The process can also be visualized on the Proxy Integration Workflow diagram.


Overview

The CCC SSO Proxy service was created to accomplish several things:

...

Note: if you are running Shibboleth IdP v3 software with the standard configuration that Unicon has been putting into the IdPv3 installs, you only need to perform Steps 3 and 6 below in order to integrate with the proxy. Your IdP has already been configured to consume both the metadata for the proxy – contained within the CCC central metadata file distribution (ccc-metdata.xml) – and the attribute release rules needed for the proxy, contained within the CCC central attribute filter file (attribute-filter.ccccentral.xml). Otherwise, you need to perform all of the following steps.

STEP 1: Understand and make sure you have the following attributes available

These attributes are described in more detail in the accompanying wiki page entitled "Attributes for CCC SSO Federated Access". In particular, the critically important eduPersonPrincipalName (EPPN) attribute is described more fully in that wiki page. A few sample definitions of creating, or "resolving", these attributes in a Shibboleth IdP v3 server can be found on the wiki page "Shibboleth IdP v3 Attribute Resolver Configuration".

...

Simple Name   SAMLv2 name (as sent in the SAMLv2 response)   Short description        Example
street        urn:oid:2.5.4.9                                Street address           303 Mulberry St.
locality      urn:oid:2.5.4.7                                City                     Metropolis
st            urn:oid:2.5.4.8                                State or Province name   CA
postalCode    urn:oid:2.5.4.17                               Postal or zip code       12345
homePhone     urn:oid:0.9.2342.19200300.100.1.20             Home Phone Number        +1 212 555 1234
mobile        urn:oid:0.9.2342.19200300.100.1.41             Mobile Phone Number      +1 775 555 6789

...

STEP 2: Schedule kick-off call with the Proxy Project Team 

At this point, before you can do some of the following steps, you need to contact the CCC Proxy Project Team to tell them that you are ready to add your college/district IdP to the SSO Proxy. There are several steps that the team needs to take to configure the SSO Proxy to be "ready" for the college/district IdP, and those need to happen before you download the metadata in the next step. Integration will start with the Pilot Proxy, and once that integration is successfully verified, then integration will move on to the Production Proxy.

...

Contact Team

The CCC SSO Proxy Project Team can be reached here: CCC Proxy Product Manager: Patricia Donohue, pdonohue@ccctechcenter.org; Proxy Service & Technical Implementation Manager: Geneva Paliwodzinski, gpaliwodzinski@unicon.net

...

STEP 3: Configure your Identity Provider (IdP) to release the above attributes to the CCC SSO Proxy

Based on the IdP solution you are running, a few configuration changes need to be made to your IdP. (NOTE: The information in this section is geared towards Shibboleth V3 IdP users. If you are using a different Identity Provider (IdP) solution, please follow the links below for instructions specific to your IdP. Then return to this document to ensure you've completed the remaining integration and testing steps.)

...

Code Block
<!-- 
     Release all required and optional attributes, for any service, 
     to the CCC IdP Proxy, so it in turn can release only the
     needed attributes to the services on the other side
     of the IdP Proxy. All attributes will not be sent to all services,
     just the needed ones for a given service. The attributes here should
     constitute a "union" of all possible attributes for any service.
-->
<AttributeFilterPolicy id="CCCWideReleaseForIdPProxy">
	<PolicyRequirementRule xsi:type="OR">
		<Rule xsi:type="Requester" value="https://sso.ci.cccmypath.org/simplesaml/module.php/saml/sp/metadata.php"/>
		<Rule xsi:type="Requester" value="https://sso.test.cccmypath.org/simplesaml/module.php/saml/sp/metadata.php"/>
		<Rule xsi:type="Requester" value="https://sso.pilot.cccmypath.org/simplesaml/module.php/saml/sp/metadata.php"/>
		<Rule xsi:type="Requester" value="https://sso.cccmypath.org/simplesaml/module.php/saml/sp/metadata.php"/>
	</PolicyRequirementRule>
	<AttributeRule attributeID="eduPersonPrincipalName">
		<PermitValueRule xsi:type="ANY"/>
	</AttributeRule>
	<AttributeRule attributeID="uid">
		<PermitValueRule xsi:type="ANY"/>
	</AttributeRule>
	<AttributeRule attributeID="email">
		<PermitValueRule xsi:type="ANY"/>
	</AttributeRule>
	<AttributeRule attributeID="givenName">
		<PermitValueRule xsi:type="ANY"/>
	</AttributeRule>
	<AttributeRule attributeID="surname">
		<PermitValueRule xsi:type="ANY"/>
	</AttributeRule>
	<AttributeRule attributeID="displayName">
		<PermitValueRule xsi:type="ANY"/>
	</AttributeRule>
	<AttributeRule attributeID="eduPersonAffiliation">
		<PermitValueRule xsi:type="OR">
			<Rule xsi:type="Value" value="faculty" ignoreCase="true"/>
			<Rule xsi:type="Value" value="student" ignoreCase="true"/>
			<Rule xsi:type="Value" value="staff" ignoreCase="true"/>
			<Rule xsi:type="Value" value="alum" ignoreCase="true"/>
			<Rule xsi:type="Value" value="member" ignoreCase="true"/>
			<Rule xsi:type="Value" value="affiliate" ignoreCase="true"/>
			<Rule xsi:type="Value" value="employee" ignoreCase="true"/>
			<Rule xsi:type="Value" value="library-walk-in" ignoreCase="true"/>
		</PermitValueRule>
	</AttributeRule>
	<AttributeRule attributeID="eduPersonPrimaryAffiliation">
		<PermitValueRule xsi:type="ANY"/>
	</AttributeRule>

	<!-- CCC specific attributes -->
	<AttributeRule attributeID="cccId">
		<PermitValueRule xsi:type="ANY"/>
	</AttributeRule>
	<AttributeRule attributeID="cccMisCode">
		<PermitValueRule xsi:type="ANY"/>
	</AttributeRule>

	<!-- Less likely attributes to be populated, but release if available -->
	<AttributeRule attributeID="mobileNumber">
		<PermitValueRule xsi:type="ANY"/>
	</AttributeRule>
	<AttributeRule attributeID="homePhone">
		<PermitValueRule xsi:type="ANY"/>
	</AttributeRule>
	<AttributeRule attributeID="telephoneNumber">
		<PermitValueRule xsi:type="ANY"/>
	</AttributeRule>
	<AttributeRule attributeID="postalAddress">
		<PermitValueRule xsi:type="ANY"/>
	</AttributeRule>
	<AttributeRule attributeID="street">
		<PermitValueRule xsi:type="ANY"/>
	</AttributeRule>
	<AttributeRule attributeID="locality">
		<PermitValueRule xsi:type="ANY"/>
	</AttributeRule>
	<AttributeRule attributeID="stateProvince">
		<PermitValueRule xsi:type="ANY"/>
	</AttributeRule>
	<AttributeRule attributeID="postalCode">
		<PermitValueRule xsi:type="ANY"/>
	</AttributeRule>
</AttributeFilterPolicy>
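Two things are worth checking before deploying a release policy like the one above: that the PolicyRequirementRule fires only for the proxy's requester entityIDs (never an unconditional xsi:type="ANY"), and that every attributeID it releases is actually defined in attribute-resolver.xml, since an attributeID with no resolver definition is silently never sent. The Python below is an added example, not code from the guide or the CCC project; the filter and resolver snippets it parses are constructed for illustration, and the required-attribute set and scope value are assumptions.

```python
# Added pre-deployment check for a Shibboleth IdP v3 AttributeFilterPolicy: the policy must
# fire only for the intended requester entityIDs (never an unconditional xsi:type="ANY"
# requirement rule), and every attributeID it releases must exist in attribute-resolver.xml.
import xml.etree.ElementTree as ET

XSI = "http://www.w3.org/2001/XMLSchema-instance"

# Requester entityIDs as listed in the guide's policy (pilot and production).
PROXY_REQUESTERS = {"https://sso.pilot.cccmypath.org/simplesaml/module.php/saml/sp/metadata.php",
                    "https://sso.cccmypath.org/simplesaml/module.php/saml/sp/metadata.php"}
REQUIRED_ATTRS = {"eduPersonPrincipalName", "email", "givenName"}  # assumed minimum set

# Constructed sample policy: releases mobileNumber but forgets givenName.
SAMPLE_FILTER = f"""<AttributeFilterPolicyGroup xmlns="urn:mace:shibboleth:2.0:afp" xmlns:xsi="{XSI}">
  <AttributeFilterPolicy id="CCCWideReleaseForIdPProxy">
    <PolicyRequirementRule xsi:type="OR">
      <Rule xsi:type="Requester" value="https://sso.pilot.cccmypath.org/simplesaml/module.php/saml/sp/metadata.php"/>
      <Rule xsi:type="Requester" value="https://sso.cccmypath.org/simplesaml/module.php/saml/sp/metadata.php"/>
    </PolicyRequirementRule>
    <AttributeRule attributeID="eduPersonPrincipalName"><PermitValueRule xsi:type="ANY"/></AttributeRule>
    <AttributeRule attributeID="email"><PermitValueRule xsi:type="ANY"/></AttributeRule>
    <AttributeRule attributeID="mobileNumber"><PermitValueRule xsi:type="ANY"/></AttributeRule>
  </AttributeFilterPolicy>
</AttributeFilterPolicyGroup>"""

# Constructed sample resolver: defines "mobile", not the "mobileNumber" the filter names.
SAMPLE_RESOLVER = f"""<AttributeResolver xmlns="urn:mace:shibboleth:2.0:resolver" xmlns:xsi="{XSI}">
  <AttributeDefinition id="eduPersonPrincipalName" xsi:type="Scoped" scope="college.example"/>
  <AttributeDefinition id="email" xsi:type="Simple"/>
  <AttributeDefinition id="mobile" xsi:type="Simple"/>
</AttributeResolver>"""

def _local(tag): return tag.rsplit("}", 1)[-1]  # drop the {namespace} prefix ElementTree adds

def policy_report(filter_xml, resolver_xml, expected_requesters, required_attrs):
    root = ET.fromstring(filter_xml)
    defined = {d.get("id") for d in ET.fromstring(resolver_xml).iter()
               if _local(d.tag) == "AttributeDefinition"}
    prr = next(e for e in root.iter() if _local(e.tag) == "PolicyRequirementRule")
    requesters = {r.get("value") for r in prr.iter()
                  if _local(r.tag) == "Rule" and r.get(f"{{{XSI}}}type") == "Requester"}
    released = {a.get("attributeID") for a in root.iter() if _local(a.tag) == "AttributeRule"}
    return {  # all-empty lists and unconditional=False means the policy passes
        "unconditional": prr.get(f"{{{XSI}}}type") == "ANY",  # would release to every SP
        "unexpected_requesters": sorted(requesters - expected_requesters),
        "missing_required": sorted(required_attrs - released),
        "undefined_in_resolver": sorted(released - defined),
    }

def check_sample():
    return policy_report(SAMPLE_FILTER, SAMPLE_RESOLVER, PROXY_REQUESTERS, REQUIRED_ATTRS)
```

Run against the real files by passing their contents in place of the two constructed samples.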

...

STEP 4: Configure your Identity Provider to consume the metadata for the CCC SSO Proxy

Optional Step

If you are running a Shibboleth IdP v3 server with the configuration changes made by Unicon, or if your Identity Provider is configured to consume metadata from InCommon, your IdP will already have access to the SSO Proxy SAML metadata and you can skip this step.

...

...

STEP 5: Add the Proxy metadata to your college/district IdP


Did Unicon set up or upgrade your Shibboleth V3 IdP?
Again, if you are running a Shibboleth IdP v3 server with the configuration changes made by Unicon, you won't need to perform the following step as automated consumption of that central CCC system-wide metadata file mentioned above is already in place. If you are not sure if these changes have already been made by Unicon, please contact the Proxy Project Team for confirmation.

...

Code Block
	<!-- Pilot CCC IdP Proxy Metadata, locally maintained -->
	<MetadataProvider id="CCCIdPProxyPilot"  xsi:type="FilesystemMetadataProvider"
		metadataFile="%{idp.home}/metadata/ccc-idp-proxy-pilot-metadata.xml"/>
 
	<!-- Production CCC IdP Proxy Metadata, locally maintained -->
	<MetadataProvider id="CCCIdPProxyProduction"  xsi:type="FilesystemMetadataProvider"
		metadataFile="%{idp.home}/metadata/ccc-idp-proxy-production-metadata.xml"/>

...

STEP 6: Coordinate with Unicon to add your IdP metadata to the CCC SSO Proxy

Just as you are adding the CCC SSO Proxy metadata to your IdP, the metadata for your college's IdP will need to be added to the Proxy. Unicon will add your college's metadata to the Proxy in the Pilot environment and will confirm with you once this process has been completed. You will not be able to successfully move forward with testing until this step has been completed. 

Please forward a copy of your IdP metadata to: Geneva Paliwodzinski, gpaliwodzinski@unicon.net; cc: Patty Donohue, pdonohue@ccctechcenter.org


...

STEP 7: Test Your PILOT Implementation

Once all the above steps have been completed in Pilot, you can test by using the following URLs. Once the college/district and the Proxy Project Team agree that all is working as it should with the Pilot integration, the college/district and the Proxy Project Team can move on to Production.

...