This document is being worked on as we speak.

Overview

The purpose of the California Community Colleges Single Sign-on Federation (CCC SSO) is to provide secure, scalable, and integrated technology solutions for the California Community Colleges that take advantage of economies of scale and are governed by the colleges themselves. The CCC SSO Federation offers a common framework for shared management of access to CCC resources and secure web applications.

Through partnership with the InCommon Federation, college Identity Providers can give their users single sign-on convenience and privacy protection, while online Service Providers control access to their protected resources.


Federated Identity Management

Federated Identity allows information about users to be shared from one secure domain to other organizations in a federation. This enables cross-domain single sign-on and removes the need for content providers to maintain their own user names and passwords. Identity providers (IdPs) supply user information, while service providers (SPs) consume that information and grant access to protected content.

What is Single Sign On (SSO)?

Single Sign On (SSO) is a session and user authentication process that permits a user to enter one username and password, one time, in order to access multiple applications without having to sign in to each application separately. For example, when CCC students are configured for SSO, they can log in to one application, such as MyPath, the Student Services Portal, and then access multiple other web applications, such as the Canvas Course Management System (CMS), CCCAssess, and CCCApply, without having to log in separately to each of them.

The SSO process involves authentication and authorization. Authentication is confirmation that the person logging in is who they claim to be. Authorization is confirmation that the logged-in person is permitted to access a particular "resource" (e.g. the MyPath Portal). The Tech Center has implemented an SSO proxy to streamline integration for current and future applications.

How SSO Works

When a user logs in at the College/District Identity Provider, the Identity Provider releases basic information about the user that allows the service providers in the federation to know "who is logged in".

This identity information is sent as a SAML2 assertion. The assertion is protected with asymmetric cryptography: the IdP signs it with its private signing key, and each SP verifies the signature with the IdP's public key, which is published in the federation metadata exchanged among CCC SSO and InCommon members. Where the SP's metadata carries an encryption certificate, the IdP can additionally encrypt the assertion to the SP's public key. Only public keys are exchanged; a private key never leaves the IdP or SP that owns it, and an SP must reject any assertion whose signature does not verify against the trusted metadata.

At a bare minimum, the SAML assertion must contain the following information (also known as attributes).

 

For each attribute: the simple name, a short description, sample value(s), and a fuller description.

eduPersonPrincipalName (EPPN)
  Short description: The primary federated identifier of a given user from a college/district IdP.
  Sample value: jsmith@idp.college.edu
  Description: EPPN has the syntax of an email address, but it should be considered a "globally unique federated identifier" rather than an email address. It is generally the most important attribute to be shared with federated services. The value is usually generated automatically by the identity provider, most typically from the userid the user logged in with, followed by the @ sign and the domain name associated with the IdP.

eduPersonAffiliation
  Short description: Role(s) within the college/district
  Sample values: staff, student, member
  Description: All of the roles a given person has within the college.

eduPersonPrimaryAffiliation
  Short description: Primary role at the institution
  Sample values: staff, student, faculty
  Description: Must be one of the values carried in eduPersonAffiliation. If the eduPersonAffiliation attribute has many values, the primary affiliation should reflect the role to be associated with services that differentiate based on this value (such as the CCC Portal).

uid
  Short description: Username
  Sample value: jsmith
  Description: This is usually the value that the user fills in as their username when they log in.

givenName
  Short description: First name
  Sample value: Jane

sn (surname)
  Short description: Last name
  Sample value: Smith

displayName
  Short description: Full name to display
  Sample value: Jane Smith

mail (email)
  Short description: Email address
  Sample value: jane.smith@college.edu

cccId
  Short description: Unique id for a student within the CCC system
  Sample value: AXC9876
  Description: The CCCID is a critical attribute for students. If the Identity Provider cannot provide a CCCID, the SSO Proxy will look up the user's CCCID, or prompt the user to recover or create one if it cannot be found.
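The following is an added example, not code from the Tech Center's SSO proxy or from Shibboleth. It shows what an SP-side consumer has to do with the assertion described in "How SSO Works" once the signature has been verified, and then applies the rules from the attribute table above: the issuer must be the expected IdP, the assertion must be inside its validity window and addressed to this SP, every attribute in the minimum set must be present, EPPN must be a scoped identifier, eduPersonPrimaryAffiliation must be one of the eduPersonAffiliation values, and a missing cccId triggers the proxy's lookup fallback. The sample assertion, the IdP and SP entityIDs, the cccId attribute name and the user values are constructed; the urn:oid attribute names are the standard eduPerson and LDAP OIDs, which the page does not list.

```python
"""Consume a SAML2 assertion the way the CCC SSO proxy described above would.
Added example, not the Tech Center's or Shibboleth's code. Everything below
assumes the XML signature has ALREADY been verified against the IdP's public
key from federation metadata; that step is deliberately not reproduced here."""
import re
import xml.etree.ElementTree as ET  # use defusedxml for untrusted input in production
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Minimum attribute set from the table above, keyed by simple (FriendlyName) name.
REQUIRED = ("eduPersonPrincipalName", "eduPersonAffiliation", "eduPersonPrimaryAffiliation",
            "uid", "givenName", "sn", "displayName", "mail")

# Hypothetical entityIDs for the college IdP and the SSO proxy SP.
IDP_ENTITY_ID = "https://idp.college.edu/idp/shibboleth"
SP_ENTITY_ID = "https://sso-proxy.example.org/sp"
# Clock value used for the constructed sample (inside its NotBefore/NotOnOrAfter window).
SAMPLE_NOW = datetime(2024, 1, 15, 10, 1, tzinfo=timezone.utc)

# Constructed sample assertion. No ds:Signature element is included (see module docstring);
# the cccId attribute Name is hypothetical, the other Names are the standard OIDs.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_c0ffee" Version="2.0" IssueInstant="2024-01-15T10:00:00Z">
  <saml:Issuer>https://idp.college.edu/idp/shibboleth</saml:Issuer>
  <saml:Conditions NotBefore="2024-01-15T09:59:00Z" NotOnOrAfter="2024-01-15T10:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://sso-proxy.example.org/sp</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" FriendlyName="eduPersonPrincipalName"><saml:AttributeValue>jsmith@idp.college.edu</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1" FriendlyName="eduPersonAffiliation"><saml:AttributeValue>student</saml:AttributeValue><saml:AttributeValue>member</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.5" FriendlyName="eduPersonPrimaryAffiliation"><saml:AttributeValue>student</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.1" FriendlyName="uid"><saml:AttributeValue>jsmith</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="urn:oid:2.5.4.42" FriendlyName="givenName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="urn:oid:2.5.4.4" FriendlyName="sn"><saml:AttributeValue>Smith</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="urn:oid:2.16.840.1.113730.3.1.241" FriendlyName="displayName"><saml:AttributeValue>Jane Smith</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3" FriendlyName="mail"><saml:AttributeValue>jane.smith@college.edu</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="cccId" FriendlyName="cccId"><saml:AttributeValue>AXC9876</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def _utc(stamp):
    """Parse a SAML UTC timestamp such as 2024-01-15T10:00:00Z."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def extract_attributes(assertion_xml, expected_issuer, expected_audience, now):
    """Check issuer, validity window and audience, then return {friendlyName: [values]}."""
    root = ET.fromstring(assertion_xml)
    issuer = (root.findtext("saml:Issuer", namespaces=NS) or "").strip()
    if issuer != expected_issuer:  # only the trusted IdP may assert "who is logged in"
        raise ValueError(f"unexpected issuer {issuer!r}")
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("assertion has no Conditions element")
    not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if not_before and now < _utc(not_before):
        raise ValueError("assertion not yet valid")
    if not_on_or_after and now >= _utc(not_on_or_after):
        raise ValueError("assertion expired")  # blocks replay of an old assertion
    audiences = [a.text.strip() for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS) if a.text]
    if expected_audience not in audiences:  # an assertion meant for another SP is not ours
        raise ValueError("assertion not addressed to this SP")
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        name = attr.get("FriendlyName") or attr.get("Name")
        attrs[name] = [v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text]
    return attrs


def check_minimum_attributes(attrs):
    """Apply the table's rules. Returns (list of problems, whether a cccId lookup is needed)."""
    first = lambda name: (attrs.get(name) or [""])[0]
    problems = [f"missing {name}" for name in REQUIRED if not attrs.get(name)]
    eppn = first("eduPersonPrincipalName")
    # EPPN has email syntax (user@idp-domain) but is a scoped identifier, not a mailbox.
    if eppn and not re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", eppn):
        problems.append(f"malformed eduPersonPrincipalName {eppn!r}")
    primary = first("eduPersonPrimaryAffiliation")
    if primary and primary not in attrs.get("eduPersonAffiliation", []):
        problems.append("eduPersonPrimaryAffiliation is not one of the eduPersonAffiliation values")
    # cccId is critical for students; when absent the proxy falls back to lookup or recovery.
    needs_cccid_lookup = not attrs.get("cccId")
    return problems, needs_cccid_lookup


if __name__ == "__main__":
    attributes = extract_attributes(SAMPLE_ASSERTION, IDP_ENTITY_ID, SP_ENTITY_ID, SAMPLE_NOW)
    print(attributes["eduPersonPrincipalName"][0], check_minimum_attributes(attributes))
```

The validity-window and audience checks are what stop a captured assertion from being replayed later or against a different SP; together with the signature check they are the three things an SP must do before it reads a single attribute. The affiliation rule mirrors the table's note that the primary affiliation must be drawn from eduPersonAffiliation, which is what services such as the CCC Portal key their behaviour on.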

 

Why implement SSO?

Implementing an SSO solution is a requirement of the CCC SSO Federation. It allows participating California Community Colleges to take full advantage of the products and services offered by the CCC Technology Center (CCCTC), because students, faculty, and staff can access the statewide web-based applications with a single sign-on account.

The benefits of SSO include

 

CCC SSO Federation

The CCC SSO Federation is a shared federation of CCC colleges. College applicants, students, staff and faculty will be using the Student Portal, Report Center, Hobsons and Canvas as well as other CCC managed and external services.

...

Some key functions of the CCCID:

  • The CCCID is generated when a student sets up an OpenCCC account and commonly passed to the college in the CCCApply data download.
  • The CCCID is then stored in the college’s SIS or college LDAP/Active Directory
  • The CCCID is passed as an attribute from the college’s IdP to the systemwide applications SP (i.e. Canvas, CCCAssess, MyPath, etc.)
  • The CCCID is used by the systemwide application to identify the student.

Supported IdP Solutions

To participate in the CCC SSO Federation, colleges must implement a SAML2-compliant Identity Provider (IdP) solution that meets the minimum requirements of the Federation. The CCC Tech Center currently supports the Shibboleth and Portal Guard IdP solutions for student, staff, and faculty SSO. Colleges using an alternate solution should review the SSO Proxy IdP Requirements to ensure their solution meets the requirements necessary to integrate with CCC system-wide applications.


What is Shibboleth IdP?


Shibboleth Identity Provider is the most widely used SAML2-compliant identity provider in higher education and is a supported SSO solution of the CCC SSO Federation. It allows sign-in with just one identity (username and password), connecting users to applications both within and between federations of organizations and institutions.

...

Shibboleth, an Internet2 middleware initiative, created an architecture and open-source implementation for identity management and federated authentication and authorization (access control) infrastructure based on the Security Assertion Markup Language (SAML).



What is Portal Guard IdP?

Portal Guard Identity Provider Software is a single sign-on (SSO) login system, similar to Shibboleth, however...


What is the InCommon Federation?

InCommon, operated by Internet2, provides a trust fabric for higher education institutions, their vendors, and partners to facilitate single sign-on from local campus accounts. InCommon also operates a related assurance program and offers certificate and multi-factor authentication services.

...