...

| Simple name | SAMLv2 name when sent in the SAMLv2 response | Short description | Example | Notes |
|---|---|---|---|---|
| eduPersonPrimaryAffiliation | urn:oid:1.3.6.1.4.1.5923.1.1.1.5 | Primary role at the institution | staff, student, faculty | Must be one of the values specified in eduPersonAffiliation. If the eduPersonAffiliation attribute has many values, the primary affiliation should reflect the user's primary affiliation. For example, a teacher's aide may be a student and staff, but their primary role is a student. |
| street | urn:oid:2.5.4.9 | Street address | 303 Mulberry St. | |
| locality | urn:oid:2.5.4.7 | City | Metropolis | |
| st | urn:oid:2.5.4.8 | State or Province name | CA | |
| postalCode | urn:oid:2.5.4.17 | Postal or zip code | 12345 | |
| homePhone | urn:oid:0.9.2342.19200300.100.1.20 | Home Phone Number | +1 212 555 1234 | |
| mobile | urn:oid:0.9.2342.19200300.100.1.41 | Mobile Phone Number | +1 775 555 6789 | |
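
The rules in the table can be checked against the AttributeStatement of a decoded test response. The Python below is an added example, not part of the original page or of any CCC tooling; the eduPersonAffiliation OID is taken from the eduPerson schema rather than from the visible table, and the sample statement is constructed.

```python
import xml.etree.ElementTree as ET

SAML = "{urn:oasis:names:tc:SAML:2.0:assertion}"
# SAMLv2 names from the table above (simple name kept for readable messages).
TABLE = {
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.5": "eduPersonPrimaryAffiliation",
    "urn:oid:2.5.4.9": "street",
    "urn:oid:2.5.4.7": "locality",
    "urn:oid:2.5.4.8": "st",
    "urn:oid:2.5.4.17": "postalCode",
    "urn:oid:0.9.2342.19200300.100.1.20": "homePhone",
    "urn:oid:0.9.2342.19200300.100.1.41": "mobile",
}
PRIMARY = "urn:oid:1.3.6.1.4.1.5923.1.1.1.5"
# Assumption: eduPersonAffiliation's OID, from the eduPerson schema (not in the visible table).
AFFILIATION = "urn:oid:1.3.6.1.4.1.5923.1.1.1.1"

def read_attributes(statement_xml):
    """Return {Name: [values]} for each saml:Attribute in an AttributeStatement."""
    attrs = {}
    for attr in ET.fromstring(statement_xml).iter(SAML + "Attribute"):
        values = [(v.text or "").strip() for v in attr.iter(SAML + "AttributeValue")]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs

def check_release(statement_xml):
    """Return problems found in the released attributes; an empty list means none."""
    attrs = read_attributes(statement_xml)
    problems = []
    for name in attrs:
        if name in TABLE.values():
            problems.append(f"{name} sent under its simple name, not its urn:oid name")
    if AFFILIATION in attrs:
        for value in attrs.get(PRIMARY, []):
            if value not in attrs[AFFILIATION]:
                problems.append(f"primary affiliation {value!r} is not in eduPersonAffiliation")
    return problems

# Constructed sample: what a test login might release (values from the table's examples).
SAMPLE = """<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1">
    <saml:AttributeValue>student</saml:AttributeValue>
    <saml:AttributeValue>staff</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.5">
    <saml:AttributeValue>faculty</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="mobile">
    <saml:AttributeValue>+1 775 555 6789</saml:AttributeValue></saml:Attribute>
</saml:AttributeStatement>"""
```

For the constructed sample, `check_release(SAMPLE)` reports two problems: the mobile attribute is sent under its simple name, and the primary affiliation is not among the released eduPersonAffiliation values.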

...

STEP 2: Schedule kick-off call with the SSO Integration Team

At this point, before you can do some of the following steps, you need to contact the CCC Proxy Project SSO Integration Team to tell them that you are ready to add your college/district IdP to the SSO Proxy. There are several steps that the team needs to take to configure the SSO Proxy to be "ready" for the college/district IdP, and those need to happen before you download the metadata in the next step. Integration will start with the Pilot Proxy, and once that integration is successfully verified, then integration will move on to the Production Proxy.

The SSO Integration Team will also ensure, as part of this step, that they have obtained a copy of your college or district IdP metadata. Just as with CCCApply, the Proxy will need that metadata to be able to interact with your IdP. If you have registered your college/district IdP with InCommon, the metadata can be obtained by the SSO Integration Team through InCommon. If not, and you are running the Shibboleth IdP, the right metadata may be available in the IdP's file metadata/idp-metadata.xml. Otherwise, you will need to work with the SSO Integration Team to get your metadata to them.

...

Info
Contact Team
The CCC SSO Proxy Project Integration Team can be reached here: CCC Proxy Product Manager = Patricia Donohue, pdonohue@ccctechcenter.org; SSO Support Engineer = Matt Schroeder, mschroeder@ccctechcenter.org; Proxy Service & Technical Implementation Manager = Geneva Paliwodzinski, gpaliwodzinski@unicon / Rodney Hing, rhing@unicon.net; CCC SSO Product Manager = Patricia Donohue, pdonohue@ccctechcenter.org

...

STEP 3: Configure your Identity Provider (IdP) to release the above attributes to the CCC SSO Proxy

...

Note
If you are running a Shibboleth IdP v3 server with the configuration changes made by Unicon, you will not need to make the following configuration changes because they have already been made for you. If you are not sure whether these changes have already been made by Unicon, please contact the Proxy Project SSO Integration Team for confirmation.


For Shibboleth IdP

The new IdP v3 configuration that has been put in place consumes a CCC system-wide, centrally managed "attribute release file" (a central attribute-filter.xml file) from an HTTPS URL, checking that the server's certificate matches. The IdP automatically checks that file for updates and reloads it when changes are found. That "CCC-wide central attribute-filter.xml file" already contains the following attribute release rules for the proxy. You can tell if your IdP has that file by checking the IdP's conf/ directory for the file 'conf/attribute-filter.ccccentral.xml'. Otherwise, add the following to the IdP's conf/attribute-filter.xml file, or to wherever attribute release is configured in the SAML IdP software that you are using.
 

...

The "CCC-wide central metadata file"  contains the metadata for a number of CCC system-wide services, including the Proxy. You can tell if your IdP has that file by checking for the file in the IdP's metadata/ directory, the file 'metadata/ccc-central-metadata.xml'. Otherwise, you need to download the metadata for the CCC SSO Proxy from the following URLs (one for Pilot, one for Production). But do not try to download that metadata until completing Step 3 above.  

...

Just as with the CCCApply service, you will start with Pilot, and once that is working and you are given the "go-ahead", then download the metadata for Production. Note: you need to replace the 'nnn' at the end of each URL with the MIS code that applies to your district (if a district-wide IdP) or to the college (if a single college IdP). The SSO Integration Team will confirm with you what that code will be for your IdP.

...

Info
Did Unicon set up or upgrade your Shibboleth V3 IdP?
Again, if you are running a Shibboleth IdP v3 server with the configuration changes made by Unicon, you won't need to perform the following step as automated consumption of that central CCC system-wide metadata file mentioned above is already in place. If you are not sure if these changes have already been made by Unicon, please contact the Proxy Project SSO Integration Team for confirmation.


Otherwise, if you are running Shibboleth IdP v3 without assistance from Unicon, you need to save the metadata file you obtained from the above URL as the file:

...

Code Block
	<!-- Pilot CCC IdP Proxy Metadata, locally maintained -->
	<MetadataProvider id="CCCIdPProxyPilot"  xsi:type="FilesystemMetadataProvider"
		metadataFile="%{idp.home}/metadata/ccc-idp-proxy-pilot-metadata.xml"/>
 
	<!-- Production CCC IdP Proxy Metadata, locally maintained -->
	<MetadataProvider id="CCCIdPProxyProduction"  xsi:type="FilesystemMetadataProvider"
		metadataFile="%{idp.home}/metadata/ccc-idp-proxy-production-metadata.xml"/>
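
A FilesystemMetadataProvider configured as above, with no signature filter, uses whatever the file contains, so it is worth inspecting a downloaded metadata file before saving it under metadata/. The Python below is an added example, not part of the original page or of the CCC project's tooling; it assumes you have confirmed the expected entityID, endpoint host and certificate fingerprint with the SSO Integration Team, and the sample metadata (host, certificate bytes) is constructed.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
DS = "{http://www.w3.org/2000/09/xmldsig#}"

def inspect_metadata(xml_bytes):
    """Extract the fields worth comparing: entityID, ACS URLs, cert fingerprints."""
    if b"<!DOCTYPE" in xml_bytes or b"<!ENTITY" in xml_bytes:
        raise ValueError("DTD or entity declaration in metadata")
    root = ET.fromstring(xml_bytes)
    if root.tag != MD + "EntityDescriptor":
        raise ValueError("expected one md:EntityDescriptor as the root element")
    acs = [e.get("Location", "") for e in root.iter(MD + "AssertionConsumerService")]
    prints = set()
    for cert in root.iter(DS + "X509Certificate"):
        der = base64.b64decode("".join((cert.text or "").split()))
        prints.add(hashlib.sha256(der).hexdigest())
    return {"entity_id": root.get("entityID"), "acs": acs, "sha256": prints}

def review(xml_bytes, expected_entity_id, expected_host, pinned_sha256):
    """Return a list of reasons not to install the file; empty means it matches."""
    info = inspect_metadata(xml_bytes)
    reasons = []
    if info["entity_id"] != expected_entity_id:
        reasons.append(f"entityID is {info['entity_id']!r}")
    if not info["acs"]:
        reasons.append("no AssertionConsumerService endpoint")
    for url in info["acs"]:
        parts = urlsplit(url)
        if parts.scheme != "https" or parts.hostname != expected_host:
            reasons.append(f"unexpected ACS endpoint {url}")
    if not info["sha256"] or info["sha256"] - set(pinned_sha256):
        reasons.append("certificate set does not match the pinned fingerprints")
    return reasons

# Constructed sample: placeholder host and opaque bytes standing in for a certificate.
FAKE_CERT = b"constructed-certificate-bytes"
SAMPLE = f"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://proxy.example.org/sp">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
      {base64.b64encode(FAKE_CERT).decode()}
    </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:AssertionConsumerService index="0" Location="https://proxy.example.org/acs"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
  </md:SPSSODescriptor></md:EntityDescriptor>""".encode()
```

The AssertionConsumerService check matters most on the IdP side, because those URLs are where the IdP will deliver assertions for this relying party.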

...

STEP 6: Coordinate with Unicon to add your IdP metadata to the proxy & other CCC Applications

A.  Add metadata to SSO Proxy (Pilot and Production)

Just as you are adding the CCC SSO Proxy metadata to your IdP, the metadata for your college's IdP will need to be added to the Proxy. Unicon will add your college's metadata to the Proxy in the Pilot environment and will confirm with you once this process has been completed. You will not be able to successfully move forward with testing until this step has been completed. Please forward a copy of your IdP metadata to: Geneva Paliwodzinski, gpaliwodzinski@unicon

B. Update metadata for staff authentication to your CCCApply Administrator & Report Center (Pilot and Production)

In addition to the proxy, we will coordinate the replacement of your existing CCCApply metadata used to authenticate your college staff to your CCCApply Administrator and Report Center applications in the Pilot and Production environments.  This step will happen concurrently with the proxy metadata upload and testing.

Please be aware: If you are doing a straight up Shibboleth V2 to V3 upgrade - whether you do it yourself or Unicon does it for you - we will simply replace your existing CCCApply metadata (in both environments) and there will be no change to the URLs you are using to access the CCCApply staff tools. However, if you change the name of your IdP, or if you switch to an alternative SAML-compliant IdP solution, such as Portal Guard, Ellucian, or ADFS, your current staff tools URLs will no longer work and you will be provided with new Administrator and Report Center URLs.  This information will be reviewed with you during the SSO Kick-Off meeting at the onset of this process, but it's important to note this here as a reminder.

Once your metadata is replaced for CCCApply in the Pilot environment, please test by having an authorized user log in to either the CCCApply Administrator or Report Center. If successful, please let the SSO Integration team know that you are ready to test in Production.


Please forward a copy of your upgraded (or new) IdP metadata to:  Rodney Hing, rhing@unicon.net; cc: Patty Donohue, pdonohue@ccctechcenter.org 


...

STEP 7: Test Your PILOT Implementations (Proxy & CCCApply)

Once all the above steps have been completed in Pilot, you can test by using the following URLs. Once the college/district and the SSO Integration Team agree that all is working as it should with the Pilot integration, then the college/district and the integration team can move on to Production.

...

IMPORTANT: Replace the 'nnn' at the end of each URL with the MIS code that applies to your district (if a district-wide IdP) or to the college (if a single college IdP). The SSO Integration Team will confirm with you what that code will be for your IdP.

...

Step D - Report Testing Feedback to CCC SSO Proxy Integration Team

After testing the Pilot Proxy URL, forward feedback to the CCC SSO Proxy Integration Team.

If testing the Pilot Proxy was successful, testing the Production Proxy URL is the final step.



Info

Step E - For CCCApply: Using an authorized user account, log in to the CCCApply Administrator in the Pilot environment.

If the login is successful, testing is complete. Please inform the SSO Integration Team that you are ready to test in Production. Note: Replacing your metadata in the CCCApply Production environment will be scheduled on a Friday evening. Please ensure that this step is coordinated through the SSO Integration team at the time you confirm your Pilot login success.


STEP 8: Make appropriate metadata changes in Proxy Production

Once all the above steps have been completed in Pilot and testing is completed, you will need to make any metadata or configuration changes to the Production IdP environment in order to enable the changes. You will need to download the metadata for the CCC SSO Proxy, similar to the steps taken in Step 4 for Pilot,  from the following URL:

...

 Note: you need to replace the 'nnn' at the end of each URL with the MIS code that applies to your district (if a district-wide IdP) or to the college (if a single college IdP). 

The SSO Integration Team will confirm with you what that code will be for your IdP.

Additional confirmation testing should occur once the changes have been made in Production to verify that the integration is still working as expected. Once this has been done, the integration with the Proxy is complete.

...