
Clearly, this is a work in progress.

Overview

This document lists the minimum (marked with an *) and recommended policies, processes, and technical steps required to implement Identity Management and Single Sign On (SSO) for the CCC SSO Federation of CCC statewide technology applications. The enclosed checklists can be used to assess your institution’s readiness for implementation and the specific tasks required for technical implementation(s).


Most sections of the checklist have three parts: policy, business operations, and technical implementation steps. Each batch of steps is sequential.


Federated Identity Management & CCC Applications

Federated Identity allows the sharing of information about users from one secure domain to the other organizations in a federation. This allows for cross-domain single sign-on and removes the need for content providers to maintain user names and passwords. Identity providers (IdP) supply user information, while service providers (SP) consume this information and give access to secure content.

At this time, all California Community Colleges already have an Identity Provider (IdP), such as Shibboleth or PortalGuard, in place to authenticate college staff to the CCCApply Administrator and the CCC Report Center. However, to allow students to access the rich portfolio of student services web applications, existing or under development by the CCC Technology Center, colleges must either install a supported SSO solution that includes student attributes or upgrade their existing IdP to allow students to access the resources within the CCC's SSO Federation.

Projects included in the CCC SSO Federation include:

  • MyPath ®


  • Canvas

 

What is Single Sign On (SSO)?

Single Sign On (SSO) is a session and user authentication process that permits a user to enter one username and password, one time, in order to access multiple applications without having to log in to each application separately. For example, when CCC students are configured for SSO, they can log in to one application, such as MyPath, the Student Services Portal, and then access multiple different web applications such as Canvas Course Management System (CMS), CCCAssess, and CCCApply, without having to log in separately to each of the applications.

The SSO process involves authentication and authorization. Authentication is a confirmation that the person logging in is the person they claim to be. Authorization is a confirmation that the logged-in person is authorized to access a particular "resource" (i.e. MyPath Portal, etc.). The Tech Center has implemented a CCC IdP Proxy process to facilitate streamlined integration for current and future applications.


What is Shibboleth IdP?


Shibboleth is among the world's most widely deployed federated identity solutions, connecting users to applications both within and between organizations.


The Shibboleth Internet2 middleware initiative created an architecture and open-source implementation for identity management and a federated identity-based authentication and authorization (or access control) infrastructure based on Security Assertion Markup Language (SAML).


Shibboleth is a single sign-on (log-in) system for computer networks and the Internet. It allows users to sign in using just one identity (username and password) to various systems run by federations of different organizations or institutions. The federations are often universities or public service organizations.


Why should your college implement SSO?

Completion of this scope of work will enable CCCs to take full advantage of a suite of products and services offered by the CCCTC by allowing students and staff to access web-based information technology applications across colleges and within the CCC system via a single sign-on account.


What is InCommon?

InCommon, operated by Internet2, provides a secure and privacy-preserving trust fabric for research and higher education in the United States. InCommon's identity management federation serves 9 million end-users. InCommon also operates a related assurance program, and offers certificate and multifactor authentication services.


Supply CCCs with documentation necessary to complete the following:

CCCID configuration

SSO Configuration

College Adaptor Installation

IDP Proxy

Either through in-house development efforts or a combination of in-house development and contract work, using a mini-grant model of funding.

Supported Configurations

The CCCTC will support the following configurations:

Shibboleth v.3 with InCommon metadata

PortalGuard with InCommon metadata

*Other

CCCID

A CCCID is generated when a student sets up an OpenCCC account and is commonly passed to the college in the CCCApply data download.

CCCID is then stored in the college’s SIS or college LDAP/Active Directory.

CCCID is passed as an attribute from the college’s IdP to the systemwide application's SP (i.e. Canvas, CCCAssess, MyPath, etc.).

CCCID is used by the systemwide application to identify the student.

SSO Configuration

Correct configuration of Shibboleth / PortalGuard (as appropriate)


IdP Student and IdP Staff

Upgraded to 3.0

Connected to InCommon Metadata

Required - Ability to pass CCCID (Student IdP only)

Ability to pass common InCommon eduPerson Attributes (EPPN Required)


https://www.incommon.org/federation/attributesummary.html

Ability to pass other eduPerson Attributes as available (Optional, but highly encouraged)

http://software.internet2.edu/eduperson/internet2-mace-dir-eduperson-201602.html

-Upgrade of Shibboleth IdP or new implementation of Shibboleth IdP on client-provided hardware and operating system software, or implementation of the items below using a client-provided installation of PortalGuard

-Configuration of authentication against up to two (2) authentication sources

-Configuration of user attributes, gathering from up to three (3) supported user attribute sources

-Configuration of Metadata using InCommon’s Metadata repository

-Shibboleth Log-In Form branding for new implementations

-Validate current Admin users can authenticate to the Report Center and Administrator using the upgraded IdP

-Enable authentication using the Shibboleth IdP to CCC central services including:

Instructure’s Canvas LMS (CCMS)

OpenCCC Apply Report Center and Administrator via the staff IdP

CCC Student Service Portal (SSP)

CCC Assess

College Adaptor (completed in conjunction with CCCTC)

Pre-Work Questionnaire (completed by college)

Colleague School Questionnaire

Banner School Questionnaire

PeopleSoft School Questionnaire

Configure Test Environment (completed by CCCTC)

Configure an Adaptor for a New School

College Adaptor Deployment

College Adaptor Test Script - Windows

Colleague

Banner

PeopleSoft

Errors

Testing (completed in conjunction with CCCTC)

Link to Experis Test Plan


Configure College Adaptor in Production Environment

- Once initial testing is complete and satisfactory, repeat configuration and testing in the production environment.

IDP Proxy

- (Need Documentation from UNICON)

-  Configure SSO to trigger IDP Proxy when CCCID does not exist
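
An added example, not part of the original page and not CCCTC or Unicon code: a Python check that reads a test assertion's attribute statement and applies the release rules listed under SSO Configuration and IDP Proxy (EPPN required, CCCID required from the student IdP, hand-off to the IdP Proxy when no CCCID is released). The attribute name cccId, the decision labels, the rejection of conflicting CCCID values and the sample values are assumptions; signature validation is assumed to have been done already by the SP software.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EPPN = "urn:oid:1.3.6.1.4.1.5923.1.1.1.6"  # eduPersonPrincipalName (eduPerson schema)
CCCID = "cccId"  # ASSUMED attribute name; the page does not state the real one

def released_attributes(assertion_xml):
    """Map each attribute Name/FriendlyName to its non-empty values."""
    attrs = {}
    root = ET.fromstring(assertion_xml)
    for a in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        vals = [(v.text or "").strip() for v in a.iterfind("saml:AttributeValue", NS)]
        for key in {a.get("Name"), a.get("FriendlyName")} - {None}:
            attrs.setdefault(key, []).extend(v for v in vals if v)
    return attrs

def check_release(assertion_xml, student_idp=True):
    """Return (decision, reason) for one already signature-verified assertion."""
    attrs = released_attributes(assertion_xml)
    eppn = attrs.get(EPPN, [])
    if len(eppn) != 1 or eppn[0].count("@") != 1:
        return "reject", "EPPN is required and must be one scoped value"
    if not student_idp:
        return "ok", "staff IdP: CCCID not required"
    cccid = attrs.get(CCCID, [])
    if not cccid:
        return "idp-proxy", "no CCCID released; hand off to the IdP Proxy"
    if len(set(cccid)) > 1:
        # Assumption: one student maps to one CCCID, so conflicts are refused.
        return "reject", "conflicting CCCID values"
    return "ok", "EPPN and CCCID released"

def sample(attributes):
    """Build a constructed (unsigned, test-only) assertion from (Name, value) pairs."""
    body = "".join(
        f'<saml:Attribute Name="{n}"><saml:AttributeValue>{v}</saml:AttributeValue>'
        "</saml:Attribute>" for n, v in attributes)
    return ('<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
            f"<saml:AttributeStatement>{body}</saml:AttributeStatement></saml:Assertion>")

if __name__ == "__main__":
    # Constructed sample values, not real accounts or real CCCIDs.
    cases = {
        "complete": sample([(EPPN, "jdoe@college.example"), (CCCID, "ABC1234")]),
        "no CCCID": sample([(EPPN, "jdoe@college.example")]),
        "no EPPN": sample([(CCCID, "ABC1234")]),
    }
    for name, xml in cases.items():
        print(name, "->", check_release(xml))
```

Run against assertions captured in the test environment, this shows whether the student IdP releases what the systemwide applications expect before the same configuration is repeated in production.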

List of Contractors

- Unicon

-  

Mini-Grant Funding

  

