Request No. | 2018-33 |
---|---|
Date of Request | June 28, 2018 / August 2, 2018 |
Requester | Dave Stephens, Butte College |
Application(s) | SSO Proxy |
Section / Page | |
Proposed Change to Download File | N/A |
Proposed Change to Residency Logic | N/A |
Problem / Issue
Butte College has concerns about the current SSO proxy workflow, especially with respect fo students on their way to Canvas. They called a couple meetings with the Tech Center to report their issues and request a series of changes to help improve the proxy workflow process and ensure SSO is in place across the board. Their goals are both long-term and immediate. Ultimately, requesting UI enhancements to the SSO Proxy sign-in page to better clarify to students where they are and why they are being re-directed there. Their immediate need is to get their students through the proxy to Canvas. They have a marketing campaign underway and a checklist of tasks to prepare students before classes start in the fall.
Meeting 6/19: First meeting with Butte and ES team
Meeting 6/28: List of issues were discussed and they asked for certain things to be considered, and if possible, completed by August 1, 2018.
Meeting 8/2: Follow up meeting to review progress on change requests.
Students are getting confused by the Proxy Sign-In page - the feedback is that it's a disconnect when they get redirected to the proxy. The URL domain changes from a Butte College domain to something unknown (openccc.net). Students complained to their help desk with comments, "Is this legitimate?". They don't see anything familiar on the page: they don't see Butte College (which they have already signed in to), they don't see Canvas logo or URL (which they were supposed to be on their way to); they don't see any messaging or help text that gives them confidence that they are on a credible site and what we are asking is a credible source
Change Request Specifics
# | Issue/Request | Solution | Responsible | Deadline / Status |
---|---|---|---|---|
1 | Whitelist faculty and staff from being redirected to OpenCCC (from Proxy) when signing in to Canvas | Whitelist Butte College for faculty/staff/members going to Canvas and CAP, Report Center Butte College and others have been whitelisted from the proxy for any students 8/2 Note: Butte College will do another round of tests - to ensure the whitelisting is in place as expected. | Franz / Matt | COMPLETE Zendesk #12988 In July, Canvas was whitelisted (does not redirect) for any EduPrimary Affiliation that was not strictly (only) STUDENT. |
3 | Improve the language/messaging on the proxy Sign-In page that affirms that the OpenCCC and CCC ID mechanisms are legitimate.
Note: When a user goes to access an App like Canvas - then hit the Proxy - Proxy LOGIN - (CCCCO logo has little value to students) - the page presented needs to confirm and legitimize the re-direct. “You’re here because….” Drop icons onto the OpenCCC Login page - (some kind of branding) | Enhancements to the proxy sign-in page have been approved:
| ||
Improve the proxy workflow with better branding
Notes: | Make the following changes to the proxy workflow:
| |||
Fix all proxy bugs and issues in Pilot and Production | Hotfix 1.9.1 - Rolled to Pilot Hotfix 1.9.2 - Pilot release 8.16.18 / Production 8.23.18 | |||
Fix and deploy EPPN > CCCID API and other processes of getting colleges the CCCIDs created during proxy re-redirect Implement a better way to implement the PROXY | PROXY improvement discussion with Josh on 6/21/18
EPPN issues EPPN Look-up service is being fixed in MyPath release (check with Charles H.) note: This is in the Central Services (with Messages services, rules engine? Services that can be used by multiple projects) A temp work-around fix was put into place by Infiniti so that State Center can pull down their mappings | |||
Replace the OpenCCC.net domain with .edu or .org (for legitimacy: .com and .net are all easy to obtain and commonly used in spoofing efforts
| Patty discussed obtaining a .edu domain with Tim on 8/1. This is not possible; only accredited institutions can obtain a .edu. Any non-accredited institution that has one now was grandfathered in by EduCause. Sub-domains using the URL-redirect can be implemented if needed | Patty / Franz | DECLINED .edu can't be obtained PENDING sub-domain use | |
Gather data on Proxy usage
| ||||
Create and publish Proxy FAQs Butte would link to this page for students |
Notes from 8.02.18 meeting:
Reiterated that the college co-branding is needed. College logo branded header is the best decision.
Reiterated the amount of concerns from students saying "Is this legit?"
Reiterated need for a short embedded video (why am I here?)
- add the college co-branded logo to this page (coming from MIS code)
- Add language that this is a ONE time process, your data is safe
- SSN (comment that they understand the importance of the SSN, but which we could do something about that
- Add a canvas or other app logo next to the banner/header of the page
- Add some clarifying language to the sign in fields to identify OpenCCC sign-in creds
Faculty HAVE BEEN filtered out from the proxy flow - they won't see it unless they are ONLY students
IF faculty are also students, they could be informed that they really should be going through the proxy but are currently filtered only.
Butte needs to set up a flyer for 10K incoming students (about this process to convey legitimacy of THIS proxy / Canvas process)
Concerns from Butte: Ensure SSO is in place across the board.
Regarding the pre-seeding CCCID process that Butte is sending out to the students, make sure they have the correct URL (we confirmed this during our meeting)
Butte's message to students will go out by 8/15. (Patty, Get copy of the message they are sending out.)
Matt Norris added that ES is working on a questionnaire which will include their custom URL (vanity url) (ask the OEI CSM has a list of vanity URLs)
Proposed Solution
Butte College and others have been whitelisted from the proxy for any students
Do another round of tests - to ensure the whitelisting is in place as expected.
Currently, the following logic is in place:
- Only students should ever see the proxy for the purpose of ensuring their CCCID is passed (seamlessly) to the endpoint/application
- If a faculty/staff/member at a college is also a student - they are currently being filtered from the proxy BUT this is a temporary change until this process is finalized/approved and all colleges are informed.
Need a date that this or some version of this ^^ can be implemented for proxy flow
Need to work on the language for the sign-in page
Need to come up with two part solution for Butte:
- FAQ for proxy account creation process
- need changes made by X date for their comm campaign
- message with correct URL to the proxy account creation page
Butte will work with Matt Norris (via Dan Neal - who is heading out on paternity leave BTW) to retest the proxy whitelisting. Need to schedule testing of what the proxy is whitelisting
Suggestions
The Tech Center needs to be a better job of product marketing, placement, overall management of the proxy.
Colleges need to understand that Faculty & Staff might need to be redirected to OpenCCC if they are truly students in some capacity. For now we can whitelist but ultimately, the proxy is doing what it's supposed to do - which is any "student" needs to have an account (CCCID) and that needs to be passed through to the endpoint (application).
Notes
From 8.02.18 meeting: 9+ colleges provided feedback to Dave Stephens on the use of the proxy - concerns about abandonment when they get to the proxy. Most of the concerns and comments were made by staff and FACULTY, who have a strong voice in this process.
Per Matt S. - you can't really test
Query their EduPerson Affiliation in AD to ensure they are passing the correct affiliation. (typically testing isn't done correctly)
Every use case:
- Student only
Faculty only
Staff only
Member only
Faculty/staff only
Faculty/staff/member only
Run a query and bring back all the different EduPerson Affiliations
Flag any that are multi-valued (staff + student) Matt S. could help by providing a Power-shell script
Effort to get this implemented in the upcoming a few files were changes (css file change, jss file,
Making this a dynamic template would require a tiny bit more effort
But would require a proxy change as well - because the proxy needs to determine where they are going to, add param over to call this page.
This would require a Proxy hotfix and an OpenCCC Account hotfix
Both are low risk, low effort (Talk to Josh about the college co-branding effort - either adding a banner to the page or adding a Canvas, etc. logo to the page.)
Redesign the setup of the page? This would be to highlight that most of the students who encounter the page are
If the proxy side is setup to send that information - the Apply dev team could update that page in less than a day.
Franz could
(Move this out of this doc)
EPPN/CCCID API
problem with capacity (we weren't able to accommodate the counts (too many downloading)
EPPN Download Service
- Proxy account creation or recoveries from redirect to proxy - folks that have hit the the proxy and have to create or recovery. We grab their new account/CCCID and add to Dynamo table. -
- Proxy pass throughsSome colleges are passing along and we catch it when they pass. These are all stuck into the Dynamo DB table.
(prod-eppn-map) -
Run something at the college (NOT the download process for applications) Franz to apply confluence page
(short term work-around, Jay Owen, increased Dyamo db params to allow State Center to download EPPNs - with approval from Lou.
Charles H. fix was more permanent - IF multiple colleges wanted to download EPPN mapping at the same time, even with the increased params there's a chance it could flood the Dynamo again. Increased error handling in the download service code.
Supporting Documentation
1) Update on status of the following OpenCCC enhancement requests (Donohue)
a. Removal and replacement of the .net domain (as .com and .net are all easy to obtain and commonly used in spoofing efforts).
b. Clearer language and/or imagery that affirms that the OpenCCC and CCC ID mechanisms are actually legitimate. (i.e. "We know you might not be expecting this, but...", etc.). This can easily be accomplished by embedding a short (20-30 second) screencast video. c. Consideration of custom subdomains per CCC point of origination in conjunction with (or w/o) #1 above (i.e. "butte.openccc.edu/idp/profile/SAML2/Redirect/SSO?execution=e4s1")