| Info |
|---|
| This document is still in-progress. |
...
Overview
The purpose of the California Community Colleges Single Sign-on Federation (CCC SSO) is to provide secure, scalable, and integrated technology solutions for the California Community Colleges that take advantage of economies of scale and facilitated by governance from the colleges themselves. The CCC SSO Federation offers a common framework for shared management of access to CCC resources and secure web applications. .
Through partnership with the InCommon Federation, college Identity Providers can give their users single sign-on convenience and privacy protection, while online Service Providers control access to their protected resources.
Table of Contents maxLevel 3 minLevel 2 absoluteUrl true
Federated Identity Management
Federated Identity allows the sharing of information about users from one secure domain to the other organizations in a federation. This allows for cross-domain single sign-on and removes the need for content providers to maintain user names and passwords. Identity providers (IdP) supply user information, while service providers (SP) consume this information and give access to secure content.
What is Single Sign On (SSO)?
Single Sign On (SSO) is a session and user authentication process that permits a user to enter one username and password - one time - in order to access multiple applications without having to sign-in to each application separately. For example, when CCC students are configured for SSO, they can login to one application, such as MyPath, the Student Services Portal, and then access multiple different web applications, such as Canvas Course Management System (CMS), CCCAssess, and CCCApply, without having to login separately to each of the applications.
The SSO process involves authentication and authorization. Authentication is a confirmation that the person logging in is the person they claim to be. Authorization is a confirmation that the logged-in person is authorized to access a particular "resource" (i.e. MyPath Portal, etc.). The Tech Center has implemented a SSO proxy process to facilitate streamline integration for current and future applications.
Why implement SSO?
Implementing a SSO solution is a requirement of the CCC SSO Federation and allows participating California Community Colleges to take full advantage of the products and services offered by the CCC Technology Center (CCCTC).
SSO allows students, faculty and staff to access these service using the login credentials they already use at the college or district.
How SSO Works
When a user logs in at the College/District Identity Provider, the Identity Provider will release basic information about the user to the service providers in the federation so they know "who is logging in".
...
| Simple Name and the SAMLv2 name when sent in the SAMLv2 response | Short description | Sample value(s) | Description |
|---|---|---|---|
eduPersonPrincipalName (EPPN)
| The primary federated identifier of a given user from a college/district IdP. |
| EPPN has the syntax of an email address, but it should be considered a "globally unique federated identifier" rather than an email address. It is generally the most important attribute to be shared with federated services. This value is usually automatically generated by the identity provider. Most typically it made up using the userid the user logged in with combined with the @ sign then the domain name associated with the IDP. |
eduPersonAffiliation | Role within the college/district |
| All of the roles a given person has within the college. |
eduPersonPrimaryAffiliation | Primary role at the institution |
| Must be one of the values specified in eduPersonAffilliation. If the eduPersonAffiliation attribute has many values, the primary affiliation should reflect the role to be associated with services that differentiate based on this value (such as the CCC Portal). |
uid | Username | jsmith | This is usually the value that the user fills in as their username when they login. |
givenName | First Name | Jane | |
sn (surname) | Last Name | Smith | |
displayName | Full name to display | Jane Smith | |
mail (email) | Email Address | jane.smith@college.edu | |
cccId | Unique id for a student within the CCC system | AXC9876 | The CCCID is a critical attribute for students. If the Identity provider cannot provide a CCCID, the SSO Proxy will lookup the users CCCID or prompt the user to recover or create the CCCID if it cannot be found. |
...
CCC SSO Federation
The CCC SSO Federation is a shared federation of CCC colleges. College applicants, students, staff and faculty will be using the Student Portal, Report Center, Hobsons and Canvas as well as other CCC managed and external services.
...
Because a student will usually initiate access to central services from their home college web site, and to avoid being presented with a IDP discovery page where the student has to choose from 110+ college/district identity providers, the college will place a specially formatted link on their website to the the targeted service provider. This link will be provided to the college by the CCC Tech Center.
The EduPersonPrincipalName (EPPN) is the unique identifier for a user for across all college IDPs.
...
CCC Federation Overview Diagram
What is the CCCID and why is it important to CCC SSO?
A CCCID is a unique student-identifier generated when an individual (student) creates an OpenCCC account, enabling secure, single sign-on access to admissions applications and other systemwide web-based services. The CCCID is commonly created during the CCCApply admissions application process known as CCCApply, however, any existing student can (and should) be encouraged to create an OpenCCC account and thus create their own CCCID, explained Lou Delzompo, Chief Technology Officer of the CCC Technology Center.
Some key functions of the CCCID:
- The CCCID is generated when a student sets up an OpenCCC account and commonly passed to the college in the CCCApply data download.
- The CCCID is then stored in the college’s SIS or college LDAP/Active Directory
- The CCCID is passed as an attribute from the college’s IdP to the systemwide applications SP (i.e. Canvas, CCCAssess, MyPath, etc.)The CCCID is used by the systemwide application to identify the studentIdP to the systemwide applications SP (i.e. Canvas, CCCAssess, MyPath, etc.)
- The CCCID is used by the systemwide application to identify the student.
Why should colleges store the CCCID in their LDAP/Active Directory?
The CCCID is used by the CCC Chancellor's Office and other systemwide organizations to track the educational choices and progress of each student across the course of their academic journey. Even if a significant amount of time lapses between enrollment for an individual student, their CCCID is Students that attend multiple colleges are tracked in one central location (OpenCCC Student Account System) and their CCCID can be used for reporting by researchers to better align support and services across the system.
Anchor Shibboleth-IdP Shibboleth-IdP
| Shibboleth-IdP | |
| Shibboleth-IdP |
Supported IdP Solutions
To participate in the CCC SSO Federation, colleges must implement a SAML2-compliant Identity Provider (IdP) solution that meets the minimum requirements of the Federation. The CCC Tech Center currently supports Shibboleth and Portal Guard IdP solutions for student, staff, and faculty SSO. Colleges using an alternate solution should review the SSO Proxy IdP Requirements to ensure your solution is meeting the requirements necessary to integrate with CCC system-wide applications.
What is Shibboleth IdP?
Shibboleth Identity Provider is the most widely used SAML2 compliant identity provider in higher education and is a supported SSO solution of the CCC SSO Federation. It allows sign in using just one identity (username and password), connecting users to applications both within and between federations of organizations and institutions.
...
The Shibboleth Internet2 middleware initiative created an architecture and open-source implementation for identity management and federated identity based authentication and authorization (or access control) infrastructure based on Security Assertion Markup Language (SAML).
What is Portal Guard IdP?
Portal Guard Identity Provider Software is a single sign-on (SSO) login system, similiar to Shibboleth, however...
What is the InCommon Federation?
InCommon, operated by Internet2, provides a trust fabric for higher education, their vendors, and partners to facilitate single sign on from local campus accounts. InCommon also operates a related assurance program, and offers security certificate and multi-factor authentication services.
...
The EPPN has the syntax of an email address, but it should be considered a "globally unique federated identifier" rather than an email address. It is generally the most important attribute to be shared with federated services. Note that the value of EPPN does not have to match what the user fills in as their username when they login, and the user does not need to know what their EPPN is, as it is shared between the IdP and the service. It should be unique, rarely change, and not be reassigned to another
Coming soon...
College Adaptor Installation
...