
This guide provides step-by-step instructions for integrating with the CCC IdP SSO Proxy service and should be used in conjunction with the CCC IdP Proxy Integration Checklist to ensure all technical and operational requirements have been met. The process can also be visualized on the Proxy Integration Workflow diagram.

Overview

The CCC IdP SSO Proxy service was created to accomplish several things:

...

Once your college/district IdP is configured to release a "master bundle of attributes" to the CCC SSO Proxy, that IdP won't need to be changed to be used with a new service, because all the needed changes will be made within the proxy itself. The only exception would be if an entirely new attribute was needed for a service beyond the set documented below, in which case the college/district IdP would need to be updated to release that attribute to the proxy.

 

Info

The CCC SSO Proxy is under the management of the CCC Technology Center. No attribute values will be stored, saved, or logged by the proxy, and only the needed attributes will be forwarded in the response to the service.

...

Integrating your college/district IdP with the proxy involves essentially the same steps you would follow to integrate with CCCApply, only there is a wider set of attributes that are required and/or potentially useful (optional). The idea is that the set of attributes released to the proxy is the full set of attributes that any federated service needs. The proxy will take care of filtering that set down to what is needed for any given service. And just like with CCCApply, there is both a Pilot and a Production environment for the proxy. You will integrate first with the Pilot environment, and then with Production.

Note: if you are running Shibboleth IdP v3 software with the standard configuration that Unicon has been putting into the IdPv3 installs, you only need to perform Steps C and F below in order to integrate with the proxy. Your IdP has already been configured to consume both the metadata for the proxy, contained within the CCC central metadata file distribution (ccc-metdata.xml), and the attribute release rules needed for the proxy, contained within the CCC central attribute filter file (attribute-filter.ccccentral.xml). Otherwise, you need to perform all of the following steps.

...

The new IdP v3 config that has been put in place includes consuming a CCC-wide, centrally managed "attribute release file" (a central attribute-filter.xml file) from an HTTPS URL (with checking that the certificate matches, for security). The IdP automatically checks for updates to that file and reloads it if changes are found. That "CCC-wide central attribute-filter.xml file" already contains the following attribute release rules for the proxy. You can tell whether your IdP has that file by checking the IdP's conf/ directory for the file 'conf/attribute-filter.ccccentral.xml'. Otherwise, add the following to the IdP's conf/attribute-filter.xml file, or configure the corresponding attribute release in whatever SAML IdP software you are using.

Code Block
<!-- 
     Release all required and optional attributes, for any service, 
     to the CCC IdP Proxy, so it in turn can release only the
     needed attributes to the services on the other side
     of the IdP Proxy. All attributes will not be sent to all services,
     just the needed ones for a given service. The attributes here should
     constitute a "union" of all possible attributes for any service.
-->
<AttributeFilterPolicy id="CCCWideReleaseForIdPProxy">
	<PolicyRequirementRule xsi:type="OR">
		<Rule xsi:type="Requester" value="https://sso.ci.cccmypath.org/simplesaml/module.php/saml/sp/metadata.php"/>
		<Rule xsi:type="Requester" value="https://sso.test.cccmypath.org/simplesaml/module.php/saml/sp/metadata.php"/>
		<Rule xsi:type="Requester" value="https://sso.pilot.cccmypath.org/simplesaml/module.php/saml/sp/metadata.php"/>
		<Rule xsi:type="Requester" value="https://sso.cccmypath.org/simplesaml/module.php/saml/sp/metadata.php"/>
	</PolicyRequirementRule>
	<AttributeRule attributeID="eduPersonPrincipalName">
		<PermitValueRule xsi:type="ANY"/>
	</AttributeRule>
	<AttributeRule attributeID="uid">
		<PermitValueRule xsi:type="ANY"/>
	</AttributeRule>
	<AttributeRule attributeID="email">
		<PermitValueRule xsi:type="ANY"/>
	</AttributeRule>
	<AttributeRule attributeID="givenName">
		<PermitValueRule xsi:type="ANY"/>
	</AttributeRule>
	<AttributeRule attributeID="surname">
		<PermitValueRule xsi:type="ANY"/>
	</AttributeRule>
	<AttributeRule attributeID="displayName">
		<PermitValueRule xsi:type="ANY"/>
	</AttributeRule>
	<AttributeRule attributeID="eduPersonAffiliation">
		<PermitValueRule xsi:type="OR">
			<Rule xsi:type="Value" value="faculty" ignoreCase="true"/>
			<Rule xsi:type="Value" value="student" ignoreCase="true"/>
			<Rule xsi:type="Value" value="staff" ignoreCase="true"/>
			<Rule xsi:type="Value" value="alum" ignoreCase="true"/>
			<Rule xsi:type="Value" value="member" ignoreCase="true"/>
			<Rule xsi:type="Value" value="affiliate" ignoreCase="true"/>
			<Rule xsi:type="Value" value="employee" ignoreCase="true"/>
			<Rule xsi:type="Value" value="library-walk-in" ignoreCase="true"/>
		</PermitValueRule>
	</AttributeRule>
	<AttributeRule attributeID="eduPersonPrimaryAffiliation">
		<PermitValueRule xsi:type="ANY"/>
	</AttributeRule>

	<!-- CCC specific attributes -->
	<AttributeRule attributeID="cccId">
		<PermitValueRule xsi:type="ANY"/>
	</AttributeRule>
	<AttributeRule attributeID="cccMisCode">
		<PermitValueRule xsi:type="ANY"/>
	</AttributeRule>

	<!-- Less likely attributes to be populated, but release if available -->
	<AttributeRule attributeID="mobileNumber">
		<PermitValueRule xsi:type="ANY"/>
	</AttributeRule>
	<AttributeRule attributeID="homePhone">
		<PermitValueRule xsi:type="ANY"/>
	</AttributeRule>
	<AttributeRule attributeID="telephoneNumber">
		<PermitValueRule xsi:type="ANY"/>
	</AttributeRule>
	<AttributeRule attributeID="postalAddress">
		<PermitValueRule xsi:type="ANY"/>
	</AttributeRule>
	<AttributeRule attributeID="street">
		<PermitValueRule xsi:type="ANY"/>
	</AttributeRule>
	<AttributeRule attributeID="locality">
		<PermitValueRule xsi:type="ANY"/>
	</AttributeRule>
	<AttributeRule attributeID="stateProvince">
		<PermitValueRule xsi:type="ANY"/>
	</AttributeRule>
	<AttributeRule attributeID="postalCode">
		<PermitValueRule xsi:type="ANY"/>
	</AttributeRule>
</AttributeFilterPolicy>
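To check who the policy above actually releases attributes to before deploying it, the following added example (not part of the original guide or of Shibboleth) models the rule types used on this page: ANY, OR, Requester and Value with ignoreCase. The function names, the trimmed sample policy and the test values are constructed for illustration; the real IdP filter engine supports more rule types than this model.

```python
import xml.etree.ElementTree as ET
XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"
# Constructed sample: trimmed copy of the policy above, wrapped in a group
# element that declares the namespaces the snippet relies on.
SAMPLE = """<AttributeFilterPolicyGroup id="Sample" xmlns="urn:mace:shibboleth:2.0:afp"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
 <AttributeFilterPolicy id="CCCWideReleaseForIdPProxy">
  <PolicyRequirementRule xsi:type="OR">
   <Rule xsi:type="Requester" value="https://sso.pilot.cccmypath.org/simplesaml/module.php/saml/sp/metadata.php"/>
   <Rule xsi:type="Requester" value="https://sso.cccmypath.org/simplesaml/module.php/saml/sp/metadata.php"/>
  </PolicyRequirementRule>
  <AttributeRule attributeID="cccId"><PermitValueRule xsi:type="ANY"/></AttributeRule>
  <AttributeRule attributeID="eduPersonAffiliation">
   <PermitValueRule xsi:type="OR">
    <Rule xsi:type="Value" value="student" ignoreCase="true"/>
   </PermitValueRule>
  </AttributeRule>
 </AttributeFilterPolicy>
</AttributeFilterPolicyGroup>"""

def local(el):
    return el.tag.rsplit("}", 1)[-1]  # tag name without its namespace

def matches(rule, requester, value=None):
    """Evaluate the rule types used on this page: ANY, OR, Requester, Value."""
    kind = rule.get(XSI_TYPE, "").split(":")[-1]
    if kind == "ANY":
        return True
    if kind == "OR":
        return any(matches(child, requester, value) for child in rule)
    if kind == "Requester":
        return rule.get("value") == requester
    if kind == "Value" and value is not None:
        want, fold = rule.get("value", ""), rule.get("ignoreCase") == "true"
        return want.lower() == value.lower() if fold else want == value
    return False  # unhandled rule type: treat as no match, release nothing

def released(filter_xml, requester, resolved):
    """Return {attributeID: [values]} that the filter releases to requester."""
    out = {}
    for policy in ET.fromstring(filter_xml):
        req = next((c for c in policy if local(c) == "PolicyRequirementRule"), None)
        if req is None or not matches(req, requester):
            continue  # policy does not apply to this requester
        for rule in (c for c in policy if local(c) == "AttributeRule"):
            name, permit = rule.get("attributeID"), rule[0]  # PermitValueRule
            values = [v for v in resolved.get(name, []) if matches(permit, requester, v)]
            if values:
                out[name] = values
    return out
```

Running `released` with each entityID your IdP knows about shows that the full attribute bundle goes only to the proxy requesters listed in the PolicyRequirementRule, and that affiliation values outside the permitted list are dropped.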

C.

...

Schedule Kick-Off Meeting with Proxy Project Team 

At this point, before you can do some of the following steps, you need to contact the CCC SSO Proxy Project team to tell them that you are ready to add your college/district IdP to the IdP SSO Proxy. There are several steps that the team needs to take to configure the IdP Proxy to be "ready" for the college/district IdP, and those need to happen before you download the metadata in the next step. Integration will start with the Pilot CCC IdP Proxy, and once that integration is successfully verified, integration will move on to the Production CCC IdP Proxy.

...