Overview
As part To support the goals of the CCC SSO projectFederation, a centralized Proxy proxy service has been deployed through deployed through which secure CCC web applications can centralize authentication requests for students and staff across all CCC colleges . The Proxy then contacts contact the appropriate "read IDP, "real IdP" - such as the OpenCCC IDP system" IdP - to complete the requests. The goal of this design is to siimplify simplify and accelerate system-wide technology adoption and provide uniform experiences for key users.
The proxy serves two main functions; the first is to include the CCCID as an assertion when the college IdPs are unable to assert the CCCID from their user store. The second is to aid in the discovery process when navigating across service providers in separate domains.Technically speaking, the Proxy is designed the proxy is designed to help colleges assert consistent SAML attributes to the various Service Providers (SP) within the CCC SSO Federation.
| Table of Contents | ||||
|---|---|---|---|---|
|
Use Cases
The primary main proxy use case is when a college is to facilitate locating and sending the student's not able to send the CCCID SAML attribute when a college does not have that information for their student. If the Proxy for students. If the CCC Single Sign-On discovers that the student's CCCID SAML attribute is not present when attempting to authenticate to a particular CCC web application, it will attempt to find the CCCID associated with the IDPs IdPs unique identifier (EPPN) for the student.
If a CCCID is not found, the student will be redirected to the OpenCCC IDP to either recover or create a new OpenCCC account. Once the account is recovered or created, the CCCID will be cross - referenced to the student's EPPN so that the next time the a student attempts to login to enter the a CCC Federation web application from their college IDPIdP, the proxy will be find the students student's CCCID and add it to the SAML attributes presented to the intended CCC Federation service providers.
Before You Begin
Before you begin connecting your college to the Proxy, the CCC SSO Federation Readiness Checklist must be completed and submitted to the CCC Technology Center. Basic requirements must be met to ensure consistency within your college or district, as well as within and between the other colleges across the CCC.
Setting Up Test Environment
The IdP Proxy and supporting components are currently operating in four environments: Continuous Integrated (CI) supporting development activities, TEST (an internal environment for development testing), PILOT (for early production stage proof of operations), and PROD (the production environment used by students and staff). In order to implement technical integration and facilitate ongoing testing, colleges must stand up a testing environment to ensure their IDP solution is able to authenticate with the Proxy and CCC applications.
The college TEST environment will access the CCC's PILOT environment for the Proxy and various applications.
...
other federation service providers.
Functions of the CCC Single Sign-On
The CCC IdP Proxy service is designed to accomplish several things:
Provide a way to add a CCCID attribute to the SAML response to a service, even if the college is not able to provide one;
Provide a central management point where new services can be integrated without each college needing to make any changes to its local IdP in order to access the new service;
Instead of the SAML response from the college/district IdP going directly to the service (e.g. Canvas, Assess), it goes first to the IdP Proxy (which has it own "internal" SP). The IdP Proxy can add attribute(s) to it if needed (e.g. CCCID), filter the attributes received down to the specific attributes needed by the particular service, and send a SAML response back to the service.
This simple diagram illustrates what this looks like:
Before You Begin Integration with the CCC Single Sign-On
Before your college can connect to the CCC Single Sign-On, a set of minimum requirements for integration with the IdP Proxy must be met. Please review the documentation for Prerequisites for Integrating with the Single Sign-On prior to beginning the Single Sign-On integration process. The colleges should ensure that they have an SAML complaint SSO solution in place prior to the integration occurring.
Integrating with the Proxy
Once you are ready to begin, please engage with the CCC Single Sign-On team to schedule a Project Kick-off meeting. During the Proxy Project Kick-Off meeting, the following documents will be reviewed to ensure you have a good understanding of the Proxy and how to configure your IdP to integrate with it. Please be sure to discuss all existing and planned implementations with the project team to ensure all systems are connected to the Proxy during the integration process.
- Steps to Integrate with the CCC Single Sign-On
- Attributes for the Proxy: Shibboleth
- Attributes for the Proxy: Portal Guard
- Attributes for the SSO GW: Ellucian
- Overview of Attributes for CCC SSO Federated Access
Connecting Web Applications to the Proxy
| Table of Contents | ||||
|---|---|---|---|---|
|
Connecting to the Proxy From Any Secure CCC Application
When your college is ready to integrate with the Proxy, the following a series of set up tasks must be completed regardless of the which CCC application you are implementing:. Please read the documents linked below and schedule your Proxy Project Kick-Off meeting with the CCC Proxy Project Team.
Connecting to the Proxy from Canvas
Connecting to the Proxy from MyPath
If your college has imiplemented the Canvas Course Management System, or is planning to implement Canvas, after you complete the initial steps to integrate with the IdP Proxy, you will need to complete an additional set of tasks to integrate Canvas with the Proxy.
The CCC Proxy Project Team will review these steps with you when you meet for your Proxy integration kick-off meeting, Meanwhile, please review the following document and contact the Proxy Project Team if you have any questions.
Before You Begin: Read Integrating with Canvas
Connecting to the Proxy from
...
...
Hobsons/Starfish
If your college has imiplemented the Hobsons/Starfish Degree Audit System, or is planning to implement any of these education planning tools, after you complete the initial steps to integrate with the IdP Proxy, you will need to complete an additional set of tasks to integrate your Hobsons/Starfish system with the Proxy.
The CCC Proxy Project Team will review these steps with you when you meet for your Proxy integration kick-off meeting, Meanwhile, please review the following document and contact the Proxy Project Team if you have any questions.
Before You Begin: TBD