Last Update: June 19, 2021

...

Overview

The purpose of the California Community Colleges Single Sign-on Federation (OpenCCC SSO) is to provide secure, scalable, and integrated technology solutions for the California Community Colleges and its students that take advantage of economies of scale and are facilitated by governance from the colleges themselves. The CCC SSO Federation offers a common framework for shared management of access to OpenCCC resources and secure web applications.

Through partnership with the InCommon Federation, college Identity Providers can give their users single sign-on convenience and privacy protection, while online Service Providers control access to their protected resources.

Federated Identity Management

Federated Identity allows the sharing of information about users (students and college faculty/staff) from one secure domain to the other organizations in a federation. This allows for cross-domain single sign-on capability and removes the need for content providers to maintain user names and passwords. Identity providers (IdP) supply user information, while service providers (SP) consume the information and give access to secure content.

Single Sign On (SSO)

Single Sign On (SSO) is a session and user authentication process that permits an end-user to log in to a single portal and access multiple applications seamlessly using only one set of credentials (one username and password) without having to sign in to each application separately. Single sign-on increases security, reduces multiple login prompts and provides end users with a convenient, usable method of accessing all of their accounts.

For example, when CCC students are configured for SSO, they can log in to one application, such as MyPath, the Student Services Portal, and then access multiple different web applications, such as Canvas Course Management System (CMS), CCCAssess, and CCCApply, without having to log in to each of the applications individually.

The SSO process involves authentication and authorization. Authentication is a confirmation that the person logging in is the person they claim to be. Authorization is a confirmation that the logged-in person is authorized to access a particular "resource" (i.e. MyPath Portal, etc.). The Tech Center has implemented an SSO proxy process to facilitate streamlined integration for current and future applications.

...

For more information on the SSO Proxy integration requirements, including the SAML attribute configurations for the different IdP solutions, see The SSO Gateway (aka Proxy) page and view the links in the left sidebar.

...

To participate in the CCC SSO Federation, colleges are required to implement a SAML2-compliant Identity Provider (IdP), become a member of the InCommon Federation, and integrate with the SSO Proxy service in order to access the full benefits of system-wide single sign-on connectivity for students, staff and faculty across all secure CCC applications. In addition, all CCC-approved vendor applications, such as Canvas and Starfish, will also integrate with the Proxy in order to facilitate single sign-on to those applications, while passing the required attributes for access and reporting (i.e., CCCID, EPPN, etc.).

...

Some key functions of the CCCID:

  • The CCCID is generated when a student sets up an OpenCCC account and is commonly passed to the college in the CCCApply data download via SuperGlue for Apply.

  • The CCCID is then stored in the college’s SIS or college LDAP/Active Directory.

  • The CCCID is passed as an attribute from the college’s IdP to the systemwide applications SP (i.e. Canvas, CCCAssess, MyPath, etc.)

  • The CCCID is used by the systemwide application to identify the student.

The main linking mechanism between user accounts in the Identity Center and applications and services running in the cloud is the CCCID, a seven-character ID composed of three alphabetic characters (A-Z, excluding O and I) and four numbers (0-9). This results in an account identifier with more than 130 million combinations that is easy for a person to remember, should that ever be necessary. Example: SWD3986

...

The objective of the SSO Proxy is to ensure that every CCC student has a CCCID, so that students can be tracked through it. Therefore, as part of the SSO Proxy integration, it is strongly recommended that colleges store the CCCID in their Active Directory or LDAP directory so that it can be passed, together with the EPPN, in the student's user session when authenticating to a CCC web application, such as CCCAssess, Canvas and MyPath.

...

...

...

Recommended IdP Solutions

To participate in the CCC SSO Federation, colleges must implement a SAML2-compliant Identity Provider (IdP) solution that meets the minimum requirements of the CCC SSO Initiative. 

...

Note

Colleges using an alternate solution should review the SSO Proxy Requirements to ensure their solution meets the requirements necessary to integrate with CCC system-wide applications.

...

Portal Guard IdP

Portal Guard Identity Provider Software is a single sign-on (SSO) login system, similar to Shibboleth, that allows you to deploy a secure way to access the applications that your end users need in order to get the job done. By creating a single point of access that integrates with multiple applications, PortalGuard is able to eliminate the hassle and frustration of multiple password prompts. Beyond the ease of access, PortalGuard allows you to choose the level of security that you want at your login portal. Choose from requiring just the username and password, the added security of requiring a unique one-time password, and/or the implementation of knowledge-based questions.

Shibboleth IdP

Shibboleth Identity Provider is the most widely used SAML2 compliant identity provider in higher education and is a supported SSO solution of the CCC SSO Federation. It allows sign in using just one identity (username and password), connecting users to applications both within and between federations of organizations and institutions.

The Shibboleth Internet2 middleware initiative created an architecture and open-source implementation for identity management and federated identity based authentication and authorization (or access control) infrastructure based on Security Assertion Markup Language (SAML).

Shibboleth V3 Upgrade

Version 3 of Shibboleth Identity Provider software was released in early 2016, replacing the popular V2 version, which completed its end-of-life process on July 31, 2016. No further security updates or bug fixes will be provided for Shibboleth Version 2.X. Please see this page for more information: End of Life for Shibboleth V2.

...

CCCTC Supports College Upgrades to Shibboleth V3

Colleges using Shibboleth now (to access CCCApply Administrator and/or Report Center) should verify which version they are using and, if using version 2.X, should consider upgrading to the latest version. Shibboleth V2 is an unsupported version, and while upgrading to V3 is not required, it is strongly recommended. See below for more information on the benefits and requirements of upgrading to Shibboleth version 3 today!

Note

Assistance is available for colleges that need help upgrading to V3. For more information, please contact Patricia Donohue, Product Manager, pdonohue@ccctechcenter.org, or an Implementation & Configuration Engineer at the CCCTC Enabling Services.

Upgrade to Shibboleth Version 3

...

Working with an approved vendor may affect your project timeline. Vendors are working with colleges on a first-come, first-served basis; however, project pilot colleges may be prioritized depending on the project timeline. Find out more about working with an approved vendor to facilitate your Shibboleth Upgrade. Contact Patricia Donohue, Product Manager, pdonohue@ccctechcenter.org, or CCCTC Enabling Services at crms@ccctechcenter.org.

Note

 Using Different Identity Provider Software?

If your college is not using Shibboleth Identity Provider software, there are other steps you may need to take to ensure your system is compatible with the statewide IdP. Colleges using PortalGuard and other IdP solutions will need to go through a readiness checklist process to ensure they meet the requirements for student authentication per the CCC SSO Initiative.

...

In-house technical support is available for colleges implementing Shibboleth as part of their implementation of the CCC SSO Initiative. Questions regarding other SAML-compliant IdP solutions as they relate to CCC SSO, the proxy, or vendor implementations will be fielded b  (IdP) solutions; however, wCCC SSO and the SSO Proxy. See the Support page for contact information and support links.

...

SSO Proxy

The SSO Gateway (aka Proxy) is a centralized proxy service through which secure CCC web applications can centralize authentication requests for students and staff across all CCC colleges. The SSO Proxy helps colleges assert consistent SAML attributes to the various Service Providers within the CCC SSO Federation.

...

To get started with the SSO Proxy, see "SSO Proxy Technical Integration Guide" and contact the CCC Proxy Project Team to schedule a kick-off meeting, or CCCTC Enabling Services for assistance.

...

Use Cases

The main proxy use case is when a college is not able to send the CCCID attribute for students when they attempt to authenticate to a CCC web application. If the proxy discovers that the CCCID attribute is not present, it will first attempt to locate the CCCID associated with the IdP's unique identifier (EPPN) for the user.
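
The CCCID format described earlier and the missing-attribute use case above, sketched as an added example (not code from the CCC Tech Center or the SSO Proxy). The attribute keys "cccId" and "eppn", the lookup table, the letters-then-digits order (taken from the example SWD3986), and the choice to reject a malformed or multi-valued CCCID rather than fall back are all assumptions of this example.

```python
import re

# Format from the page: three letters A-Z excluding O and I, then four digits.
# Letters-first order is assumed from the page's example, SWD3986.
CCCID_RE = re.compile(r"[A-HJ-NP-Z]{3}[0-9]{4}")
KEYSPACE = 24 ** 3 * 10 ** 4  # 24 usable letters, 10 digits


def is_valid_cccid(value):
    """True only when the whole string matches the CCCID format."""
    return isinstance(value, str) and CCCID_RE.fullmatch(value) is not None


def resolve_cccid(attributes, eppn_to_cccid):
    """Return (cccid, source) for one asserted attribute set.

    attributes maps name -> list of values (SAML attributes can be
    multi-valued); "cccId" and "eppn" are hypothetical key names.
    eppn_to_cccid is a hypothetical EPPN -> CCCID lookup table.
    """
    asserted = set(attributes.get("cccId", []))
    if len(asserted) > 1:
        return None, "rejected: multiple CCCID values"
    if asserted:
        value = asserted.pop()
        if is_valid_cccid(value):
            return value, "asserted"
        return None, "rejected: malformed CCCID"
    # CCCID absent: fall back to the IdP's unique identifier (EPPN).
    eppns = attributes.get("eppn", [])
    if len(eppns) != 1:
        return None, "rejected: need exactly one EPPN"
    mapped = eppn_to_cccid.get(eppns[0])
    if is_valid_cccid(mapped):
        return mapped, "eppn-lookup"
    return None, "unresolved"


# Constructed sample data, not real accounts.
SAMPLE_INDEX = {"jdoe@college.example": "SWD3986"}
SAMPLE_SESSIONS = [
    {"cccId": ["SWD3986"], "eppn": ["jdoe@college.example"]},  # asserted
    {"eppn": ["jdoe@college.example"]},                        # looked up
    {"cccId": ["SOD3986"], "eppn": ["jdoe@college.example"]},  # O not allowed
    {"cccId": ["SWD3986\n"]},                                  # trailing newline
]

if __name__ == "__main__":
    for session in SAMPLE_SESSIONS:
        print(resolve_cccid(session, SAMPLE_INDEX))
```

KEYSPACE evaluates to 138,240,000, which matches the "more than 130 million combinations" figure given for the CCCID.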

...

For more information on the SSO Proxy, please refer to the CCC Single Sign-On Technical Implementation Guide.

What is the InCommon Federation?

InCommon, operated by Internet2, provides a trust fabric for higher education, their vendors, and partners to facilitate single sign on from local campus accounts. InCommon also operates a related assurance program, and offers security certificate and multi-factor authentication services. 

...