Proxy Issues & Proposed Solutions

Several colleges who have implemented Canvas have raised concerns about the requirement to implement the proxy workflow and haven't chosen not to do so to avoid the challenges and frustration to their students, faculty, staff and IT.

To support the colleges that are not ready for Fall 2018: 

• Consider removing the requirement for Fall 2018 and allow the Tech Center and Enabling Services to (per Tim, this is not approved.)
  1) develop a business operations implementation checklist for colleges implementing Canvas (we need to include any other specific tasks related to other Apps & services as well including the new CCC Admin (CAP)
  2) Work with Sandoval's team to draft a consistent message and FAQ on the Proxy and CCCID
  3) Draft email comm to colleges with implementation plan and point to FAQ
  4) Plan & complete implementation with the colleges,
  5) improve the Proxy sign-in UI and workflow, and
  6) Long-term: Propose/develop an auto-fill Account process for existing students (Patty has started this plan, will paste link to details here._
  
  

Colleges need more information and options from the Tech Center on how to implement the proxy for Canvas. 

See below in this doc for:

• implementation plan suggestions
• Communication plan suggestions
• UI UX suggestions
• Project plan suggestions
• Deployment issues

Faculty and staff have complained that they are getting redirected to the proxy as well as students and it's catching them off guard. The college had not informed/trained staff and faculty, or the information wasn't understood by the college during IT integration.

Some colleges don't want to implement the proxy workflow this fall until better implementation support and training is provided by the Tech Center.

These are the colleges that we heard from:

• Antelope Valley College (Rick
• Butte College (Dave Stephens, Matt)
• Santa Rosa (Mitch Leahy, Don Webb)
• ES team working on full spreadsheet of all the colleges names

Overall, colleges do not understand the purpose of the SSO proxy: how it works, why it's important, and how it is related to OpenCCC (or CCCApply or the CCCID). 

Admissions & Records and IT seem to have an understanding of the systemwide CCCID, but in general, college faculty, staff, counselors, and even college/district leadership hasn't been exposed to the significance of the CCCID and how it's used to track student records across the CCC system over the lifetime of the student's educational journey. 

The Tech Center needs to develop a clear, consistent message about the significance of OpenCCC, the CCCID for all students, and the SSO Proxy --- providing information on the purpose, the requirements, the long-term goals and objectives of the systemwide ID for all students - AND outline the operations implementation plan & options; then communication to students and staff.

Outline process for communication to students about the OpenCCC Account and CCCID

Emphasize/differentiate how it's different from their college student ID and used for systemwide single sign-on and tracking across colleges and applications

Colleges that adopted OpenCCCApply years ago never stored the CCCID in their SIS, thus the processes are not in place to implement the full workflow process 

Create diagrams and implementation materials to show the full workflow, from incoming OpenCCC Accounts being downloaded via CCCApply, uploaded to SIS, imported to Active or common directory, passed via IdP attributes, stored in the proxy, and new accounts created via proxy returned to the college via available API.

(Andy - could we get approval to do a video tutorial on the Proxy?  Maybe we need two short ones?)

Based on feedback from colleges, students perceive the proxy to be illegitimate ("Is this for real?"). It appears to be a phishing attempt or scam, and doesn't feel congruent to their expectation that they were on their way to Canvas from their college portal..

Implement short-term improvements to the Proxy Sign-In page with better messaging, college branding, application branding, support for students with a video tutorial and a link to support. See UI Page enhancements below. 

Colleges perceive the proxy as a barrier for their students

Provide colleges with information on importance of the CCCID and the SSO proxy;

Provide colleges with information and options to prevent the proxy from re-directing students, including ensuring IdP and common directory is passing the information required by the proxy.

Ensure every college has the URL to pre-seed student CCCID accounts in the proxy that the Proxy team has created. This process will give colleges another option to have students do this task outside of the Canvas workflow.

Faculty and staff perceive the proxy as a barrier for them - they are frustrated 

Provide the colleges with information on the importance of passing the correct attributes. 

In June, the Proxy team whitelisted Canvas, Starfish, and CAP to prevent faculty, staff from being re-directed to the proxy. This was done as a hotfix (1.9.1) - which will only re-direct users that have an EduPersonProfileAffiliation that includes STUDENT only.  If passing any other profile, the proxy will not re-direct.

Colleges need better training and support on the proxy web service and overall workflow. 

Right now we don't have "implementation" materials for colleges to help them communicate the proxy process internally or for students, and they don't have enough information on the full proxy workflow.

Improve the public documentation space for colleges with FAQs, video tutorials, support & training materials, and link to pre-seed student Accounts

There is a comprehensive proxy integration process for IT and most of the colleges have completed that work; however there has not been a clearly prescribed implementation plan or support materials developed to help colleges educate administrators and staff, nor materials for students (clear instructions, help). 

Ensure that all CCC colleges (faculty, staff, Administrators, and students) understand the technical and business operations implementation requirements;

1. Tech Center needs to develop and document step-by-step implementation processes for colleges 
2. Develop workflow diagrams to help visualize the flow of data between the OpenCCC Account system at time of application to how they get the Proxy-account CCCIDs back to their systems

Colleges that have integrated the proxy but aren't passing the CCCID because they haven't been storing the CCCID for their students since they implemented OpenCCCApply. 

Create a Business Operational Implementation Checklist

Communicate to faculty

Primary reason 

Downloaded into the DW and linked to all our the purposes of learning analytics for predictive modeling.

Communicate process and train faculty, staff, admin about the CCCID and the redirect workflow

IT needs to start downloading the CCCID, storing in their SIS, importing to Active Directory

Start passing the CCCID attribute in IdP metadata

Colleges can run a report in the Report Center collecting student information, CCCID and try to match up with college IDs;

Or colleges can prepare students for the proxy re-direct by communicating the process - legitimize the OpenCCC Account system and ensure they know it's legitimate;

Students that have created an OpenCCC account with CCCApply, can "recover" their account and enter in OpenCCC credentials on Proxy sign-in page. They only 

President of the faculty senate - to ensure they know what's going on. 

Work with Sandoval's team to create a comm plan

Email colleges and link back to more information on implementation, training & support

Provide colleges with information about the Proxy and how it relates to and differs from the OpenCCC Account IdP.

Provide breakdown of implementation options and link to detailed checklists on Public Documentation/Implementation site:

• Implementation process for colleges that haven't been storing the CCCID for students (in other words, the college is not sending over the CCCID for any students, even if the student has an OpenCCC account);
  
  
• Implementation process for colleges that haven't informed staff, faculty or students on the purpose of the proxy, what students need to do, etc.  
  
  
• Implementation process for colleges that have a large number of non-credit or special populations that don't have CCCIDs

• The CCCID is now an MIS reporting requirement starting summer 2018
  
  
• All students must have a CCCID and the colleges need to store this data field in their SIS and common student directory so it can be passed in the college/district IdP for consumption by all systemwide applications and services;
  
  
• The CCCID facilitates single sign-on for students across CCC systemwide apps and services, but does not ensure SSO between CCC apps and college apps*

Emphasize / outline the proxy re-direct process - students have three options: 

When they get re-directed to the proxy sign-in page, they can:

1. Sign-in with their "OpenCCC" username and password credentials
2. Recover their account credentials by clicking "Forgot Username" or "Forgot Password" - then sign-in once the credentials are recovered
3. Create an account (emphasize this should only be done if they've never created an OpenCCC account before.
4. They only have to do this once - the proxy will store / remember their CCCID  
5. Colleges can obtain the CCCIDs created through the Proxy

Legitimize (redesign) proxy sign-in page

Improve the proxy sign-in page with several design changes to legitimize the service for students and colleges.

1. Update the CCCCO | OpenCCC brand/logo (span across the top of sign-in box)
   
   
2. Revise the onscreen text language to:
   "You're on your way to <Application> from <College Name, preferably, or District Name>.
   To continue, please sign in or create a new account with OpenCCC, the California Community Colleges system-wide student account.
   
   
3. Revise/enhance the error validation message in the red message box to:
   "We could not find that username/password. Please ensure you are entering your systemwide OpenCCC account system credentials. Try again."  OR (Patty to work on two additional proposed messages).
   
   
4. Enter greyed out input field prompt text in Username field = "Enter OpenCCC Username"
5. Enter greyed out input field prompt text for Password field = "Enter OpenCCC Password"
   
   
6. Update the CCCCO text-based logo in the lower left of the Sign-In page with new approved colors, font, and put all four CCCCO words on the same line, to:
   
   A Service of the
   California Community Colleges Chancellor's Office
   
   
7. Update the "Sign In" box color to new approved font & color.
8. Update hyperlinks to new approved font & color(s).
   
   

As a compromise to making a bunch of onscreen text enhancements to differentiate between OpenCCC UN/PW creds vs. college account credentials - use the error validation message to guide students to enter their OpenCCC username and password.  (This is an alternate solution to modifying the prompt text "Username" and "Password".  

1. If the user enters incorrect UN and/or PW in the input fields, display error message that is more helpful to the user instead of "try again" or "your UN and PW do not align" etc. (see exmaples)
2. Enter greyed out prompt text in the UN and PW input fields: 
   1. "Enter OpenCCC Username"
   2. "Enter OpenCCC Password"

Objective: We are trying to help the student differentiate between their college IdP user account credentials and their OpenCCC account credentials.  

Implement College & App Branding on Sign-In page

The sign-in page lacks legitimate, recognizable branding to the user so they feel comfortable that the re-direct is official and approved by the college, the CCCCO, and the application they are trying to access. 

Implement approved changes to UI per Change Request #2018-33

Chris Franz (Deactivated)(Patty to get updated mock-up from Franz which has the college branding next to the new CCCCO logo at the top). Other UI changes are being groomed - OpenApply Jira project)

Chris Franz (Deactivated) - Also I need the data stats on number of students who passed through the Proxy, number of accounts created in that group, and how many went through account recovery.  

Improve the message on the proxy re-direct, sign-in page, and all other onscreen text

The sign-in page messaging is confusing for the user; it's not clear what login credentials we are asking for. The student has just signed in to their college IdP and then immediately we are redirecting them to a second, different sign in page. The messaging lacks enough information to explain why the student is seeing the proxy sign-in page.

Implement NEW changes (to be approved) per discussions with Butte College and Proxy team. 

Add "OpenCCC" to Username & Password field labels.

Additional requested improvements to UI/UX

NOTE: This list was provided by Matt to ensure we have the same list (8.24.18)

• college co-branding on OpenCCC page
• update OpenCCC page language 
• explaination video of redirect & CCCID requirement
• use college subdomain with Tech Center URL mapper
• use SAML attributes to prepolulate account information
• batch process new OpenCCC accounts
• user SuperGlue to popluate required user information & simplify account creation form
• bypass proxy for account creation and send lists of users missing CCCID.

The sign-in page needs a Help link or better, an embedded video tutorial that can guide the student through the process (either sign-in with OpenCCC credentials, or recover account credentials and sign-in, or create an account if you don't have one.

TBD

This requirement is deferred for initial change implementation.

• college co-branding on OpenCCC page
• update OpenCCC page language 
• explaination video of redirect & CCCID requirement
• use college subdomain with Tech Center URL mapper
• use SAML attributes to prepolulate account information
• batch process new OpenCCC accounts
• user SuperGlue to popluate required user information & simplify account creation form
• bypass proxy for account creation and send lists of users missing CCCID.

To streamline the proxy workflow, colleges want a "short-form" OpenCCC Account creation process for the students who are already students at a college.   

Proposed Proxy Account: Instead of having the student complete the full OpenCCC account when they are redirected during proxy workflow, develop and implement a new "short form" OpenCCC Account which only requires minimum fields for account creation. 

1. Proxy account could be very streamlined - collecting only:
   1. Username (personal email address)
   2. Password 
   3. Birthdate
2. Proxy account could use auto-fill from attributes passed by the college's metadata 
   1. EPPN 
   2. First + Last Name
   3. Street address
   4. City & Postal Code

CCCID is created and stored in proxy, and passed back to college via EPPN API. 

NOTES:  Since the user is already a student at a college and hitting the proxy from the college or district's IdP, display new Account form asking for Username & Password, Personal Email, and Birthdate.  The rest of the information would be passed from IdP attributes (first + last name, street address, city, postal code, phone).

Colleges are frustrated that students are re-directed to the proxy while they to complete assignments for a course or program. Colleges want an optional workflow process that doesn't interrupt their students on their way to an important are trying to access a systemwide application 

1. Proposed workflow change: Instead of triggering the proxy re-direct, send email to the college for each user who doesn't pass a CCCID (store EPPN and pass back to college in weekly report?) or send email and have college run a report in the Report Center.
   
   
2. Proposed workflow change option:  Implement feature that would allow the student to skip signing in or creating an account up to X number of times and alert the college. On the ? time, don't allow the user to skip signing in or creating an account.

Colleges are frustrated that we don't offer an easy way for bulk assignment of CCCID numbers to non-credit or special needs students (Adult Ed, Inmates, special K12 programs, and non-credit students). 

Colleges want to provide the Tech Center with a spreadsheet of account data and get back bulk-assigned CCCID assignment process

TBD - proposed solutions have previously been declined however the requests from colleges have escalated.  

Patty to discuss with Tim and Jennifer 8.24.18

Many colleges don't know how to get the CCCIDs created during proxy re-direct back into their SIS or common directory systems.  Better, comprehensive Information needs to be provided to colleges about the EPPN>CCCID API process. 

Implement enhancements to the EPPN > CCCID API to pass colleges all Account data 

Ensure all colleges have information about the EPPN > CCCID API and the Report Center EPPN Matching report.

Overall, the OpenCCC Account Creation process, especially when asked during proxy re-direct, is perceived as redundant, unnecessary, long and intrusive; especially when the user has already provided most of the information to the college already when they applied, enrolled, registered, etc.

Students are put off by the questions, especially SSN, Birthdate, address, phone, email, etc.

It is very unclear whether the SSO proxy is a product or a required technology component or simply a system technical requirement - both internally and externally from the field. 

Currently the SSO proxy does not have a project charter, project plan, business requirements, or roadmap; thus making it extremely difficult for continuous improvement and supporting our colleges.

The SSO Proxy lacks a dedicated development team and roadmap