WORK IN-PROGRESS
The OpenCCC Account System
OpenCCC is the federated identity initiative and systemwide student account system for the California Community Colleges system. Developed by the CCC Technology Center in 2011, the OpenCCC system has generated over 25 million unique student accounts (as of June 2023) supporting single sign-on access to systemwide online technology applications.
OpenCCC Account & The CCCID
When a new OpenCCC account is created, the system generates a unique student identifier for the user called the CCCID (California Community Colleges ID) and stores the user's validated credentials and minimum personal information data in a secure identity management system, enabling single sign-on access to admissions applications and other systemwide web-based services.
CCCID & Student Data Delivered to Colleges
The CCCID is the master link between the identity management system, community colleges, and all systemwide technology services. When a user is authenticated to use an application or service such as CCCApply or MyPath, the CCCID is passed to that service to identify the unique individual. In this way, services and applications can maintain personal accounts for the user anonymously, thus ensuring the privacy and security of the user’s data.
See Information Required to Create an OpenCCC Account
Key Functionality:
A CCCID is generated when a student user creates an OpenCCC account.
Each CCCID is unique to the individual student.
The CCCID is used to identify the student during sign on by systemwide technology applications.
The CCCID is stored in a secure, systemwide identity management system and delivered to the college via SuperGlue for Apply or via Data Warehouse Direct Connect service.
The CCCID can be used for student identification and deduplication by the college.
How do colleges get the CCCID?
Most students create their OpenCCC Account - which generates their unique CCCID - during the application for admission process to their selected California Community College, either via CCCApply or the CVC/OEI program. The CCCID is passed to the college with the student’s account data when the application is submitted. Application and student account data is delivered to the college via SuperGlue for Apply
Other ways for colleges to get student CCCIDs:
SuperGlue for Apply: Account data is delivered to the college as part of the student’s submitted application data via SuperGlue for Apply and the College Adaptor.
Data Warehouse Report Server: The college can also gather student account data including the CCCID from applications that have been started by a student but not yet submitted (in-progress application) from the CCC Data Warehouse Report Server.
CCCApply Report Center: Account data (including the CCCID) can be accessed in the CCCApply Report Center for submitted applications.
SSO Proxy
The OpenCCC Account data fields, which are created as part of the initial CCCApply application, are passed to the college with the CCCApply application data in their automated download file. Below is a diagram that illlustrates the process that colleges are using now to download the OpenCCC data - including the student's system-generaged CCCID - along with the student's application data.
What information do students need to create their OpenCCC account?
To create an account students need a unique email address or mobile phone number, whichever they prefer, to receive a time-sensitive verification code to validate their identity. Once validated, only a few other details are required to complete the account creation process, including:
Name & Address
Birthdate
Secure password
These are the only data required to create a new OpenCCC account. Additional information may be needed to submit an application for admission or a financial aid application.
Where do users go to create their account?
Students must have an OpenCCC account before they can apply to a California Community College using CCCApply, therefore most students create their account the first time they apply for admission. All current and prospective students, including high school and lower grade students exploring careers with Career Coach, or submitting a financial aid application, will encounter the Create an Account link on the OpenCCC Sign In page as they begin their CCCApply application for college.
How long does it take to create an account?
The simple, mobile-friendly account creation process redesign focuses on the student experience first. Using a clean interface style and clear instructions, users can create & validate a new account, and complete their Profile, in under 7 minutes.
The new account creation process has been greatly streamlined; nevertheless, time-to-creation will vary depending on the user.
How long does it take to get through the OpenCCC Account creation process and what is required?
The full OpenCCC Account is a very quick and easy process to complete. There are three pages total and typically takes less than 5 minutes to complete. Below are the required questions and data fields collected in the OpenCCC Account:
Legal Name (Last, First, Middle)
Birthdate
Email
Permanent Address
Main Phone Number
Username
Password
PIN Number
Security Question Responses 1-3
What is the full set of data fields passed to the college via the CCCApply download process?
In addition to the fields listed above, the following optional questions/fields are also asked in the OpenCCC Account creation process:
Previous Name (Last, First, Middle)
Preferred Name (Last, First, Middle)
Social Security Number/Taxpayer Identification Number
Authorization for Text Messages for Main Phone
Second Telephone
Authorization for Text Messages for Second Phone
What is the set of data that is used to uniquely identify a student in the process?
There are several combinations of data fields that are used to match a duplicate OpenCCC Account, including:
Email Address
Birthdate
SSN/TIN
Legal First & Last Names
Main Phone Number
What is the Account Matching process in OpenCCC?
The Account Matching function does not have a user interface. It is called by other functions to compare user data with existing accounts. It will accept whatever set of user data the calling function provides, and will attempt to identify a unique account based on that data. (For example, Account Recovery might provide only the required fields, Legal Name and Date of Birth.)
Once the Accounts database has been searched for matches, Account Matching will:
identify a single matching account to the calling function, provide flags to indicate match type (such as whether the match is definitive or not) as appropriate; or
tell the calling function that there was no matching account; or
tell the calling function that there were two or more matching accounts.
It is not the job of Account Matching to determine that a unique account found by Account Matching is a true match—in other words, that it does indeed belong to a particular online user. That task is performed by Account Verification, which will employ security questions to verify that the online user is the actual owner of the account. (Account Verification will never ensure a true match with absolute certainty, but a verified match must provide sufficient assurance to meet current and evolving security standards.)
How does Account Verification process work?
It is the job of Account Verification to verify with an acceptable level of certainty that a unique existing account identified during Account Recovery or Account Creation does indeed belong to the online user. It does this by randomly selecting two of the account’s three Security Questions, and requiring the user to answer those questions.
If the user answers the Security Questions correctly, Account Verification will display the account’s Username and provide fields for resetting the account’s Password.
Once the password has been reset, the user will be admitted to the account, just as if he had logged on. (For example, if Account Recovery or Account Creation has been entered as part of the flow from a college website to the OpenCCCApply online application, the user will be taken from the password reset screen to the Introduction page of the college’s online application.)
Are there a significant number of duplicate CCCID accounts found?
No. The number of duplicates CCCID account across the entire system is approximately .2% and decreasing. Though some colleges have raised concerns about the potential for duplicates, at this time we are finding that very few duplicates are being reported (less than 100 duplicates at most colleges, and in even more cases - less than that). The CCC Technology Center recommends that colleges use the account that aligns to the most recently submitted CCCApply application when associating duplicates to student college accounts.
For the OpenCCC Accounts that are created via the SSO Proxy, how do the colleges get these accounts back into their systems?
The CCC Technology Center is currently developing a mechanism to return the OpenCCC accounts (CCCIDs) created for students who did not previously have a CCCID at the time they first encounter the SSO Proxy via the CCC Report Center.
The significance of CCCID for the CCC SSO Federation
The CCCID is used for multiple purposes across the California Community Colleges system. The CCC Chancellor's Office and other systemwide organizations rely on the CCCID to track progress and the educational choices made by student across the course of their academic journey. Students that attend multiple colleges across the system are tracked in one central location (OpenCCC Student Account System) and their CCCID will be used for research (locally and systemwide) to better align support and services across the system.
In order to track students through their CCCID, the objective of the SSO Proxy is to ensure that every CCC student has a CCCID. Therefore, as part of the SSO Proxy integration, it is strongly recommended that colleges store the CCCID in their Active Directory or LDAP directory in order to pass this attribute with the EPPN with the student user session when authenticating to a CCC web application, such as CCCAssess, Canvas and MyPath.
What is the EPPN?
The EduPersonPrincipalName (EPPN) is the unique identifier for a user (applicant, student, faculty, staff) across all college IdPs.
For the the Student population, a Central OpenCCC Id (CCCID) is a unique correlation ID for a single student across the entire CCC system and is a key SAML attribute requirement across all service providers. Many colleges will be able to lookup the CCCID from their directory servers, but for the colleges that dont store CCCID, the central IdP proxy will be used to lookup the CCCID for a given EPPN and included it in the list of SAML attributes sent to the final Service Provider.
The EPPN has the syntax of an email address, but it should be considered a "globally unique federated identifier" rather than an email address. It is generally the most important attribute to be shared with federated services. Note that the value of EPPN does not have to match what the user fills in as their username when they login, and the user does not need to know what their EPPN is, as it is shared between the IdP and the service. It should be unique, rarely change, and not be reassigned to another user.
The significance of EPPN to the CCC SSO Federation
The EduPersonPrincipalName (EPPN) is the unique identifier for a user for across all college IDPs.
For the the Student population, an OpenCCC Account Id (CCCID) is a unique correlation ID for a single student across then entire CCC system and is a key SAML attribute requirement across all service providers. Many colleges will be able to lookup the CCCID from their directory servers, but for the colleges that dont store CCCID, the SSO Proxy will be used to lookup the CCCID for a given EPPN and included it in the list of SAML attributes sent to the final Service Provider.