
SAML EntityIDs and Assertion Consumer Endpoints (ACS) for the

...

SSO GW

There are two instances of the CCC SSO Proxy GW to which you must configure attribute release: a Pilot instance and a Production instance. The entityID and Assertion Consumer Service (ACS) endpoint for each are:

  Proxy SSO GW Pilot:  

  • Entity ID: https://sso.pilot.cccmypath.org/simplesaml/module.php/saml/sp/metadata.php
  • ACS: https://sso.pilot.cccmypath.org/simplesaml/module.php/saml/sp/saml2-acs.php/MISnnn

      ...

        • Replace nnn above with your 3-digit MIS code, e.g. MIS260. The ACS endpoint is college-specific, so your IdP must post its responses to the ACS URL that carries your own code.

        SSO GW Production: 

      ...

      Metadata for the Proxy

      You can obtain the metadata for the two Proxy instances above by downloading the CCC Central Metadata feed and locating the two entityIDs in it. Alternatively, ask the Proxy administrators for a college/district-specific URL that returns metadata for just those two entityIDs. The CCC Central Metadata feed is available at:

       http://saml.cccmypath.org/metadata/ccc-metadata.xml

      Note that the feed is served over plain HTTP, so its transport gives you no assurance of integrity. Before loading the SP entries into your IdP, verify the feed's XML signature if it carries one, or confirm the SP signing certificate and ACS URLs with the Proxy administrators.

      PortalGuard server metadata location

      PortalGuard publishes its IdP metadata at the following URL (replace yourserver.edu with the host name of your PortalGuard server):

      https://yourserver.edu/sso/metadata.ashx
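The federation feed is large and contains many SPs, so in practice you need to pull out just the entries for the SSO GW entityIDs, confirm which ACS URL carries your MIS code, and save that subset as metadata of its own. The following script is an added example (it is not PortalGuard or CCC code) that does this with the standard library. It assumes the feed is an ordinary SAML 2.0 `<md:EntitiesDescriptor>`; the feed text embedded in it is constructed for the example, and since only the Pilot entityID appears on this page, the Production entityID must be added to `WANTED` from the real feed.

```python
"""Pick the SSO GW entries out of the CCC Central Metadata feed.

Added example, not PortalGuard or CCC code. Assumes a standard SAML 2.0
<md:EntitiesDescriptor> feed. SAMPLE_FEED is constructed for this example;
the real feed is much larger. Only the Pilot entityID is given on this page,
so the Production one has to be added to WANTED from the real feed.
"""
import re
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
for prefix, uri in NS.items():          # keep md:/ds: prefixes when re-serialising
    ET.register_namespace(prefix, uri)

PILOT_ENTITY_ID = "https://sso.pilot.cccmypath.org/simplesaml/module.php/saml/sp/metadata.php"
WANTED = [PILOT_ENTITY_ID]              # add the Production entityID here

# Constructed sample feed: the Pilot SSO GW entry plus an unrelated SP to be filtered out.
SAMPLE_FEED = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Name="constructed-sample">
  <md:EntityDescriptor entityID="https://sso.pilot.cccmypath.org/simplesaml/module.php/saml/sp/metadata.php">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIBsampleCertBase64</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
      <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sso.pilot.cccmypath.org/simplesaml/module.php/saml/sp/saml2-acs.php/MIS260" index="0"/>
      <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sso.pilot.cccmypath.org/simplesaml/module.php/saml/sp/saml2-acs.php/MIS999" index="1"/>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://other.example.edu/sp">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://other.example.edu/acs" index="0"/>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""


def parse_feed(feed_xml: str) -> ET.Element:
    return ET.fromstring(feed_xml)


def is_signed(root: ET.Element) -> bool:
    """Presence check only: does the feed carry an enveloped ds:Signature?
    Verifying it needs an XML-DSig library (e.g. xmlsec); do that before
    trusting a feed fetched over plain HTTP."""
    return root.find("ds:Signature", NS) is not None


def find_sp(root: ET.Element, entity_id: str):
    """Return the SP's ACS endpoints and signing certs, or None if absent."""
    for ed in root.findall("md:EntityDescriptor", NS):
        if ed.get("entityID") != entity_id:
            continue
        sp = ed.find("md:SPSSODescriptor", NS)
        if sp is None:
            return None
        acs = [{"binding": a.get("Binding"), "location": a.get("Location"),
                "index": int(a.get("index", "0"))}
               for a in sp.findall("md:AssertionConsumerService", NS)]
        certs = [c.text.strip() for c in
                 sp.findall("md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
                 if c.text]
        return {"entity_id": entity_id, "acs": acs, "signing_certs": certs, "element": ed}
    return None


def acs_for_mis(sp: dict, mis_code: str) -> list:
    """The ACS the IdP must post to for one college: https, ending in /MISnnn."""
    if not re.fullmatch(r"MIS\d{3}", mis_code):
        raise ValueError(f"MIS code must look like MIS260, got {mis_code!r}")
    suffix = "/saml2-acs.php/" + mis_code
    return [a for a in sp["acs"]
            if a["location"].startswith("https://") and a["location"].endswith(suffix)]


def extract_entities(root: ET.Element, entity_ids) -> str:
    """Serialise just the wanted EntityDescriptors as a feed of their own."""
    out = ET.Element(f"{{{NS['md']}}}EntitiesDescriptor")
    for eid in entity_ids:
        sp = find_sp(root, eid)
        if sp is None:
            raise KeyError(f"entityID not present in feed: {eid}")
        out.append(sp["element"])
    return ET.tostring(out, encoding="unicode")


if __name__ == "__main__":
    root = parse_feed(SAMPLE_FEED)
    print("feed signed:", is_signed(root))
    sp = find_sp(root, PILOT_ENTITY_ID)
    for a in acs_for_mis(sp, "MIS260"):
        print("post responses to:", a["location"])
    print(extract_entities(root, WANTED))
```

Against the real feed, replace `SAMPLE_FEED` with the downloaded file contents; `acs_for_mis` returning an empty list means the feed does not list an ACS for your MIS code and the Proxy administrators should be contacted before going further.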

      Configure Attributes

      Launch the Identity Provider Configuration Editor and select your "SAML Websites" settings, or create a new one. Select the "Identity Claims" tab and click "Create" to add a new claim.

      [Screenshot: Identity Claims editor]

      Create claims for each of the required attributes listed below. In the example above, EPPN uses the schema urn:oid:1.3.6.1.4.1.5923.1.1.1.6. "Field Name" maps to the Active Directory attribute that stores the value; in this example we use userPrincipalName for EPPN. If you decide to use sAMAccountName instead of UPN, be aware that sAMAccountName carries no domain information by default, and a domain-scoped value is required to ensure your user IDs are unique across institutions. To append your domain to sAMAccountName, select "Formatted String" as the "Value type" and use the pattern below, replacing college.edu with your own domain:
      [sAMAccountName]@college.edu

      [Screenshot: Formatted String value type]

      For cccId the schema is https://www.openccc.net/saml/attributes/cccId

      In this example the cccId is stored in the Active Directory Description attribute, so Description is entered as the "Field Name" on the "Direct Field" tab.

      Use the above two examples to complete the rest of the required attributes and map them to your Active Directory fields.

      You can also edit the settings directly in the policy files under <YOUR.INSTALLATION.FOLDER>\PistolStar\PortalGuard\Policies


      Please ensure you understand and configure all of the following attributes for release to the above entityIDs.

      For each attribute the entries below give the simple name, the SAMLv2 name used when it is sent in the SAMLv2 response, a short description, sample value(s) and notes.

      eduPersonPrincipalName (EPPN)
        SAMLv2 name: urn:oid:1.3.6.1.4.1.5923.1.1.1.6
        Short description: The primary federated identifier of a given user from a college/district IdP.
        Sample value(s): jsmith@college.edu, 12345678@college.edu
        Notes: EPPN has the syntax of an email address, but it should be considered a "globally unique federated identifier" rather than an email address. It is generally the most important attribute to be shared with federated services. Note that the value of EPPN does not have to match what the user fills in as their username when they log in, and the user does not need to know what their EPPN is, as it is shared between the IdP and the service. It should be unique, rarely change, and never be reassigned to another person.

      eduPersonAffiliation
        SAMLv2 name: urn:oid:1.3.6.1.4.1.5923.1.1.1.1
        Short description: Role within the institution
        Sample value(s): staff, student, member
        Notes: All of the roles a given person has within the college. This is the only attribute listed here that is intended to have multiple values; all the rest are expected to have a single value.

      eduPersonPrimaryAffiliation
        SAMLv2 name: urn:oid:1.3.6.1.4.1.5923.1.1.1.5
        Short description: Primary role at the institution
        Sample value(s): staff, student, faculty
        Notes: Must be one of the values specified in eduPersonAffiliation. If the eduPersonAffiliation attribute has many values, the primary affiliation should reflect the role to be associated with services that differentiate based on this value (such as the CCC Portal).

      uid
        SAMLv2 name: urn:oid:0.9.2342.19200300.100.1.1
        Short description: Username
        Sample value(s): jsmith
        Notes: This is usually the value that the user fills in as their username when they log in. If you are using AD, the usual attribute to populate uid from is sAMAccountName.

      givenName
        SAMLv2 name: urn:oid:2.5.4.42
        Short description: First name
        Sample value(s): Jane

      sn (surname)
        SAMLv2 name: urn:oid:2.5.4.4
        Short description: Last name
        Sample value(s): Smith

      displayName
        SAMLv2 name: urn:oid:2.16.840.1.113730.3.1.241
        Short description: Full name to display
        Sample value(s): Jane Smith

      mail (email)
        SAMLv2 name: urn:oid:0.9.2342.19200300.100.1.3
        Short description: Email address
        Sample value(s): jane.smith@college.edu

      cccId
        SAMLv2 name: https://www.openccc.net/saml/attributes/cccId
        Short description: Unique id for a student within the CCC system
        Notes: The CCCID is a critical attribute for students. If it is not supplied but is required for a portal or service action, the CCCID will be looked up via the EPPN. If no match is found, the action cannot be performed until the user creates a CCCID via the OpenCCC portlet.

      OPTIONAL Attributes

      street
        SAMLv2 name: urn:oid:2.5.4.9
        Short description: Street address
        Sample value(s): 303 Mulberry St.

      locality
        SAMLv2 name: urn:oid:2.5.4.7
        Short description: City
        Sample value(s): Metropolis

      st
        SAMLv2 name: urn:oid:2.5.4.8
        Short description: State or province name
        Sample value(s): CA

      postalCode
        SAMLv2 name: urn:oid:2.5.4.17
        Short description: Postal or zip code
        Sample value(s): 12345

      homePhone
        SAMLv2 name: urn:oid:0.9.2342.19200300.100.1.20
        Short description: Home phone number
        Sample value(s): +1 212 555 1234

      mobile
        SAMLv2 name: urn:oid:0.9.2342.19200300.100.1.41
        Short description: Mobile phone number
        Sample value(s): +1 775 555 6789
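The rules in the attribute list above (scoped EPPN, one multi-valued attribute, primary affiliation drawn from the affiliation set, cccId falling back to an EPPN lookup when absent) are easy to get wrong in a claims editor, so it helps to see the mapping and its checks end to end. The script below is an added example, not PortalGuard's own mapping code. It assumes the user record arrives as a dict of AD attribute names to values, that the affiliation list has already been derived from group membership (how PortalGuard does that is not covered on this page), that cccId lives in the AD Description attribute as in the page's example, and that the scoping domain is college.edu; both user records are constructed.

```python
"""Assemble and sanity-check the attribute set the SSO GW expects.

Added example, not PortalGuard's code. Assumptions: the user record is a dict
of AD attribute -> value; 'affiliations' and 'primaryAffiliation' were derived
from group membership beforehand; cccId is stored in Description; the scoping
domain is college.edu (replace it). JANE and BOB are constructed records.
"""
import re
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("saml", SAML_NS)
URI_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
DEFAULT_DOMAIN = "college.edu"   # assumption: replace with your own domain

# simple name -> SAMLv2 attribute Name, from the attribute list on this page
SAML_NAMES = {
    "eduPersonPrincipalName": "urn:oid:1.3.6.1.4.1.5923.1.1.1.6",
    "eduPersonAffiliation": "urn:oid:1.3.6.1.4.1.5923.1.1.1.1",
    "eduPersonPrimaryAffiliation": "urn:oid:1.3.6.1.4.1.5923.1.1.1.5",
    "uid": "urn:oid:0.9.2342.19200300.100.1.1",
    "givenName": "urn:oid:2.5.4.42",
    "sn": "urn:oid:2.5.4.4",
    "displayName": "urn:oid:2.16.840.1.113730.3.1.241",
    "mail": "urn:oid:0.9.2342.19200300.100.1.3",
    "cccId": "https://www.openccc.net/saml/attributes/cccId",
}
MULTI_VALUED = {"eduPersonAffiliation"}   # every other attribute is single-valued


def scoped_eppn(ad: dict, domain: str = DEFAULT_DOMAIN) -> str:
    """EPPN from userPrincipalName, or sAMAccountName scoped with the domain
    (equivalent of the page's Formatted String [sAMAccountName]@college.edu)."""
    upn = ad.get("userPrincipalName")
    if upn and "@" in upn:
        return upn
    sam = ad.get("sAMAccountName")
    if not sam:
        raise ValueError("record has neither userPrincipalName nor sAMAccountName")
    return f"{sam}@{domain}"


def build_attributes(ad: dict, domain: str = DEFAULT_DOMAIN) -> dict:
    """Map one AD record onto the simple names; empty values are dropped."""
    raw = {
        "eduPersonPrincipalName": [scoped_eppn(ad, domain)],
        "eduPersonAffiliation": list(ad.get("affiliations", [])),
        "eduPersonPrimaryAffiliation": [ad.get("primaryAffiliation")],
        "uid": [ad.get("sAMAccountName")],
        "givenName": [ad.get("givenName")],
        "sn": [ad.get("sn")],
        "displayName": [ad.get("displayName")],
        "mail": [ad.get("mail")],
        "cccId": [ad.get("description")],   # assumption: cccId kept in Description
    }
    return {name: [v for v in vals if v] for name, vals in raw.items()}


def validate(attrs: dict) -> list:
    """Problems against the rules on this page; an empty list means release is OK."""
    problems = []
    for name in SAML_NAMES:
        if not attrs.get(name):
            problems.append(f"missing required attribute {name}")
    for name, vals in attrs.items():
        if name not in MULTI_VALUED and len(vals) > 1:
            problems.append(f"{name} must be single-valued, got {len(vals)} values")
    eppn = (attrs.get("eduPersonPrincipalName") or [""])[0]
    if eppn and not re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", eppn):
        problems.append(f"EPPN {eppn!r} is not scoped with a domain")
    primary = (attrs.get("eduPersonPrimaryAffiliation") or [None])[0]
    if primary and primary not in attrs.get("eduPersonAffiliation", []):
        problems.append(f"eduPersonPrimaryAffiliation {primary!r} is not among eduPersonAffiliation")
    return problems


def attribute_statement(attrs: dict) -> str:
    """Render the set as a SAML 2.0 AttributeStatement with OID/URI names."""
    stmt = ET.Element(f"{{{SAML_NS}}}AttributeStatement")
    for simple, vals in attrs.items():
        if not vals:
            continue
        attr = ET.SubElement(stmt, f"{{{SAML_NS}}}Attribute", Name=SAML_NAMES[simple],
                             NameFormat=URI_FORMAT, FriendlyName=simple)
        for v in vals:
            ET.SubElement(attr, f"{{{SAML_NS}}}AttributeValue").text = v
    return ET.tostring(stmt, encoding="unicode")


# Constructed records: a UPN user, and a sAMAccountName-only user whose primary
# affiliation is not in the affiliation set and who has no cccId yet.
JANE = {"sAMAccountName": "jsmith", "userPrincipalName": "jsmith@college.edu",
        "givenName": "Jane", "sn": "Smith", "displayName": "Jane Smith",
        "mail": "jane.smith@college.edu", "description": "AAA1234",
        "affiliations": ["student", "member"], "primaryAffiliation": "student"}
BOB = {"sAMAccountName": "bjones", "givenName": "Bob", "sn": "Jones",
       "displayName": "Bob Jones", "mail": "bjones@college.edu",
       "affiliations": ["staff"], "primaryAffiliation": "faculty"}

if __name__ == "__main__":
    for rec in (JANE, BOB):
        attrs = build_attributes(rec)
        print(attrs["eduPersonPrincipalName"][0], validate(attrs) or "OK")
    print(attribute_statement(build_attributes(JANE)))
```

The checks in `validate` are the ones worth running against a test account before releasing attributes to the Pilot instance: an unscoped EPPN or a primary affiliation outside the affiliation set is exactly the kind of mismatch that shows up later as a failed login or a wrong portal role.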



      Tech Center Notes:

      PortalGuard's metadata doesn't have all of the information the SSO GW needs. Use the attached metadata template (metadata_template.ashx) and modify the metadata supplied by the college before adding it to the SSO GW server.

      Go or return to Step 4: Configure your IdP to consume the metadata for the SSO GW, on the "Steps to Integrate with the CCC SSO GW" page.