Last Update: June 19, 2021

...

Overview

The purpose of the California Community Colleges Single Sign-on Federation (OpenCCC SSO) is to provide secure, scalable, and integrated technology solutions for the California Community Colleges and their students that take advantage of economies of scale and are facilitated by governance from the colleges themselves. The CCC SSO Federation offers a common framework for shared management of access to OpenCCC resources and secure web applications.

Through partnership with the InCommon Federation, college Identity Providers can give their users single sign-on convenience and privacy protection, while online Service Providers control access to their protected resources.


Federated Identity Management

Federated Identity allows the sharing of information about users (students and college faculty/staff) from one secure domain to the other organizations in a federation. This allows for cross-domain single sign-on capability and removes the need for content providers to maintain user names and passwords. Identity providers (IdP) supply user information, while service providers (SP) consume the information and give access to secure content.

Single Sign On (SSO)

Single Sign On (SSO) is a session and user authentication process that permits an end user to log in to a single portal and access multiple applications seamlessly using only one set of credentials (one username and password), without having to sign in to each application separately. Single sign-on increases security, reduces the number of login prompts and provides end users with a convenient, usable method of accessing all of their accounts.

For example, when CCC students are configured for SSO, they can log in to one application, such as MyPath, the Student Services Portal, and then access multiple different web applications, such as the Canvas Course Management System (CMS), CCCAssess, and CCCApply, without having to log in to each of the applications individually.

The SSO process involves authentication and authorization. Authentication is a confirmation that the person logging in is the person they claim to be. Authorization is a confirmation that the logged-in person is authorized to access a particular "resource" (e.g. the MyPath Portal). The Tech Center has implemented an SSO proxy process to facilitate streamlined integration for current and future applications.

...

Minimum Required Attributes for OpenCCC SSO

Simple name and the SAMLv2 name (as sent in the SAMLv2 response) | Short description | Sample value(s) | Description
eduPersonPrincipalName (EPPN) / urn:oid:1.3.6.1.4.1.5923.1.1.1.6 | The primary federated identifier of a given user from a college/district IdP. | jsmith@idp.college.edu | EPPN has the syntax of an email address, but it should be considered a "globally unique federated identifier" rather than an email address. It is generally the most important attribute to be shared with federated services. This value is usually generated automatically by the identity provider, most typically from the userid the user logged in with, followed by the @ sign and the domain name associated with the IdP.
eduPersonAffiliation / urn:oid:1.3.6.1.4.1.5923.1.1.1.1 | Role within the college/district | staff, student, member | All of the roles a given person has within the college.
uid / urn:oid:0.9.2342.19200300.100.1.1 | Username | jsmith | This is usually the value that the user fills in as their username when they log in.
givenName / urn:oid:2.5.4.42 | First Name | Jane |
sn (surname) / urn:oid:2.5.4.4 | Last Name | Smith |
displayName / urn:oid:2.16.840.1.113730.3.1.241 | Full name to display | Jane Smith |
mail (email) / urn:oid:0.9.2342.19200300.100.1.3 | Email Address | jane.smith@college.edu |
cccId | Unique id for a student within the CCC system | AXC9876 | The CCCID is a critical attribute for students. If the identity provider cannot provide a CCCID, the SSO Proxy will look up the user's CCCID, or prompt the user to recover or create a CCCID if it cannot be found.

Configure Optional Attributes

These are optional attributes that can be sent by the college. For example, they can be used to pre-populate values when the user is required to create a central CCCID account.

Simple name and the SAMLv2 name (as sent in the SAMLv2 response) | Short description | Example | Notes
eduPersonPrimaryAffiliation / urn:oid:1.3.6.1.4.1.5923.1.1.1.5 | Primary role at the institution | staff, student, faculty | Must be one of the values specified in eduPersonAffiliation. If the eduPersonAffiliation attribute has many values, the primary affiliation should reflect the role to be associated with services that differentiate based on this value (such as the CCC Portal).
street / urn:oid:2.5.4.9 | Street address | 303 Mulberry St. |
locality / urn:oid:2.5.4.7 | City | Metropolis |
st / urn:oid:2.5.4.8 | State or Province name | CA |
postalCode / urn:oid:2.5.4.17 | Postal or zip code | 12345 |
homePhone / urn:oid:0.9.2342.19200300.100.1.20 | Home Phone Number | +1 212 555 1234 |
mobile / urn:oid:0.9.2342.19200300.100.1.41 | Mobile Phone Number | +1 775 555 6789 |

...



Why implement SSO?

Implementing an SSO solution is a requirement of the CCC SSO Federation and allows participating California Community Colleges to take full advantage of the products and services offered by the CCC Technology Center (CCCTC). SSO allows students, faculty and staff to access these services using the login credentials they already use at the college or district.

...

CCC SSO Federation

The CCC SSO Federation is a shared federation of California Community Colleges based on secure single sign-on. Each participating college is required to stand up a SAML-compliant Identity Provider to authenticate its user population to the secure CCC web application services in the SSO Federation. Currently, the CCC Technology Center supports the Shibboleth IdP software and the Portal Guard IdP; however, colleges may choose to use another IdP solution with built-in support services, such as Ellucian. For more information on the IdP solutions supported by the Tech Center, see Supported IdP Solutions below.

...

  • Integration with the CCC College Adapter (under development)

  • MyPath Student Services Portal

  • CCCAssess 

  • EMSI Career Coach

  • Canvas CMS

  • Hobsons/Starfish Degree Audit Systems

...

Some key functions of the CCCID:

  • The CCCID is generated when a student sets up an OpenCCC account and commonly passed to the college in the CCCApply data download.

  • The CCCID is then stored in the college’s SIS or college LDAP/Active Directory.

  • The CCCID is passed as an attribute from the college’s IdP to the systemwide application SPs (e.g. Canvas, CCCAssess, MyPath).

  • The CCCID is used by the systemwide application to identify the student.

The main linking mechanism between user accounts in the Identity Center and the applications and services running in the cloud is the CCCID, a seven-character ID composed of three alphabetic characters (A-Z, excluding O and I) followed by 4 digits (0-9). This results in an account identifier with more than 130 million combinations that is easy for a person to remember should it ever be necessary. Example: SWD3986
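As an added example (not CCCTC code) that ties the two attribute tables above to the CCCID format described here: a small Python check an SP or the SSO Proxy could run over the AttributeStatement of a SAML2 assertion. It assumes cccId is released under its simple name (the page gives it no OID), constructs its own sample assertion, and also merges the case where an IdP sends one Attribute element per value.

```python
import re
import xml.etree.ElementTree as ET

SAML = "{urn:oasis:names:tc:SAML:2.0:assertion}"
# OIDs from the attribute tables above; cccId has no OID on the page, so it is
# assumed here to be sent under its simple name.
OID_TO_NAME = {
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.6": "eduPersonPrincipalName",
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.1": "eduPersonAffiliation",
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.5": "eduPersonPrimaryAffiliation",
    "urn:oid:0.9.2342.19200300.100.1.1": "uid",
    "urn:oid:2.5.4.42": "givenName",
    "urn:oid:2.5.4.4": "sn",
    "urn:oid:2.16.840.1.113730.3.1.241": "displayName",
    "urn:oid:0.9.2342.19200300.100.1.3": "mail",
}
REQUIRED = ("eduPersonPrincipalName", "eduPersonAffiliation", "uid",
            "givenName", "sn", "displayName", "mail")
# CCCID: three letters A-Z excluding O and I, then four digits (e.g. SWD3986).
CCCID_RE = re.compile(r"[A-HJ-NP-Z]{3}[0-9]{4}")


def extract_attributes(assertion_xml: str) -> dict:
    """Return {friendlyName: [values]} from the assertion's AttributeStatement."""
    attrs = {}
    for attr in ET.fromstring(assertion_xml).iter(SAML + "Attribute"):
        name = OID_TO_NAME.get(attr.get("Name"), attr.get("Name"))
        values = [v.text.strip() for v in attr.findall(SAML + "AttributeValue") if v.text]
        attrs.setdefault(name, []).extend(values)  # also merges one Attribute per value
    return attrs


def check_attributes(attrs: dict) -> list:
    """Problems the SP or SSO Proxy must resolve; an empty list means accept."""
    problems = [f"missing required attribute {r}" for r in REQUIRED if not attrs.get(r)]
    primary = attrs.get("eduPersonPrimaryAffiliation", [])
    if primary and primary[0] not in attrs.get("eduPersonAffiliation", []):
        problems.append("eduPersonPrimaryAffiliation is not one of the eduPersonAffiliation values")
    cccid = attrs.get("cccId", [])
    if not cccid:
        problems.append("cccId absent: SSO Proxy must look it up or prompt the user")
    elif not CCCID_RE.fullmatch(cccid[0]):
        problems.append(f"malformed cccId {cccid[0]!r}")
    return problems


def sample_assertion(pairs) -> str:
    """Constructed (not captured) assertion with one saml:Attribute per (name, value)."""
    body = "".join(f'<saml:Attribute Name="{n}"><saml:AttributeValue>{v}'
                   "</saml:AttributeValue></saml:Attribute>" for n, v in pairs)
    return (f'<saml:Assertion xmlns:saml="{SAML[1:-1]}"><saml:AttributeStatement>'
            f"{body}</saml:AttributeStatement></saml:Assertion>")
```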

...

The CCCID is used for multiple purposes across the California Community Colleges system. The CCC Chancellor's Office and other systemwide organizations rely on the CCCID to track progress and the educational choices made by students across the course of their academic journey. Students that attend multiple colleges across the system are tracked in one central location (the OpenCCC Student Account System), and their CCCID is used for research (locally and systemwide) to better align support and services across the system.

...


In order to track students through their CCCID, the objective of the SSO Proxy is to ensure that every CCC student has a CCCID. Therefore, as part of the SSO Proxy integration, it is strongly recommended that colleges store the CCCID in their Active Directory or LDAP directory in order to pass this attribute, along with the EPPN, in the student's user session when authenticating to a CCC web application such as CCCAssess, Canvas or MyPath.

...

Recommended IdP Solutions

To participate in the CCC SSO Federation, colleges must implement a SAML2-compliant Identity Provider (IdP) solution that meets the minimum requirements of the CCC SSO Initiative. 

...

Shibboleth IdP

Shibboleth Identity Provider is the most widely used SAML2-compliant identity provider in higher education and is a supported SSO solution of the CCC SSO Federation. It allows sign-in using just one identity (username and password), connecting users to applications both within and between federations of organizations and institutions.

...

For more information on the SSO Proxy, please refer to the CCC Single Sign-On Technical Implementation Guide.

What is the InCommon Federation?

InCommon, operated by Internet2, provides a trust fabric for higher education, their vendors, and partners to facilitate single sign on from local campus accounts. InCommon also operates a related assurance program, and offers security certificate and multi-factor authentication services. 

...