| Request No. | 2018-35 |
|---|---|
| Date of Request | June 27, 2018 |
| Requester | Dave Stephens - Butte College |
| Application(s) | SSO Proxy / OpenCCC Account Creation |
| Section / Page | Proxy |
| Steering Hearing Date | TBD |
| Proposed Change to Download File | N/A |
| Proposed Change to Residency Logic | N/A |
| Table of Contents |
|---|
Problem / Issue
Butte College has completed proxy integration and is preparing to implement the proxy workflow for students (and staff/faculty) using Canvas LMS.
In June 2018, Butte raised concerns about the proxy design and workflow to the CCCTC Enabling Services team - who called a meeting with Butte College representatives to determine what can be done to resolve them.
For context, here is a brief description of what the proxy is and it's current workflow:
has complainedWhat's the purpose of the proxy?
The purpose of the SSO proxy is to ensure every CCC student has an OpenCCC account and is passing their CCC systemwide CCCID when accessing and utilizing systemwide technology applications. Since the implementation of the OpenCCC Student Account system, over six million students have been issued a CCCID, the CCC systemwide account identifier which is intended to identify and track the student across colleges and applications throughout their educational journey/career in the California Community Colleges
system. Though the majority of current students across the system have created an OpenCCC account when they apply to a college, there are still students who did not create an OpenCCC account for a variety of reasons.
Furthermore, the proxy is only interested in identifying and storing CCCIDs for students. Staff and faculty should not encounter the proxy unless their they are also students in some capacity.
How does it work?
Every time a student attempts to access one of the systemwide technology applications, such as MyPath, Canvas LMS, Course Exchange, etc., the proxy looks for the CCCID in the IdP sessions metadata and passes it to the application. If the proxy cannot find the CCCID in the metadata, it will re-direct the student to the OpenCCC/Proxy Sign-In page and prompt the student to either sign-in with their OpenCCC user account credentials, or recover their account credentials and sign-in, or create an account - if the student doesn't have an OpenCCC account. This redirect and subsequent process to obtain an account or sign-in is a one-time process. The student will only encounter this process once; the proxy will collect and store their CCCID and will not re-direct the student again.
What does the college need to do?
Since 2016, the CCC Technology Center has been working with every college's IT/Systems department to ensure their student Identity Provider service (IdP) is configured properly with the SSO proxy (aka proxy integration) and passing the necessary attributes, including the CCCID, to facilitate single sign on within the CCC systemwide technology applications.
Among the technical requirements, colleges must ensure their students CCCIDs are stored in their user directory (i.e., Active Directory, LDAP, etc.) so that it can be passed with the IdP.
If the college does not configure their IdP to pass the student's CCCID attribute along with the other required attributes, every student will encounter the SSO proxy the first time they access a systemwide technology application. Colleges can prevent the proxy from triggering at all if the college configures their IdP properly and passes the required attributes, including the CCCID.
Butte Colleges has raised concerns that the current design and implementation of the SSO Proxy is problematic and creating barriers for students when they encounter the Proxy if the college doesn't pass the student's CCCID with their EPPN in their IdP metadata, which is a requirement of the Proxy Integration.
The proxy team proposes the following changes to the process and technology:
- Short-term - implement a visual
- Fix the EPPN > CCCID report in the Report Center (add the College ID, submit timestamp) - Add a timestamp to Account Creation (September 2018)
Could the ePPN be used to create accounts?
Focus on getting all students their OpenCCC the CCCID
Do we have any deadlines and driving need to get this done? YES - Canvas LMS implementation has now required colleges to integrate with, and use, the proxy service to pass students through to Canvas.
Franz’s suggestion: CCCID short process - on proxy redirect. Create a very short version of OpenCCC Account Creation, basically to get the user a CCCID and continue them on their way to their end point.
Suggestions: Username = personal email address? Password, and DOB.
The rest of the data could be auto-populated by the college's metadata (First + Last, street, student ID?)
Proposed Solution
Focus on getting all students their OpenCCC the CCCID
Setup a campaign with the ES team - to encourage colleges to implement
Staff is identified correctly with the correct metadata attribute(s)
Active Directory is configured to pass the correct
Part of this plan - whitelist all Canvas URLs while implementing a campaign to encourage colleges and students to get their CCCID
Another suggestion:
Matt Schroeder suggests: A count-down issue > redirected to a page that says you do not have a CCCID but let them get through the first 5 times and each time give a warning to the student. That they will have to do it.
Proxy would be presenting that page - counting down the number of tries left - they would be sending the EPPN regardless - has gone through the proxy you should uniquely identify them;
Still complies with the design of the proxy - but would be least impactful
Implement a notification back to the college if the student hits the proxy and no CCCID is passed - put the responsibility on the college to follow-up, get the CCCID,
What it would do: It will allow a student without a CCCID to continue to their endpoint without logging in, recovering, or creating their account at that moment - and notify the college that the student hasn’t passed their CCCID