CCC SSO Proxy Version 1.8.0 Upgrade - Summary Release Notes
Release Schedule
Description | Date |
|---|---|
Release No. | 1.8.0.0 |
Pilot Release Date & Time | February 6, 2018 |
Production Release Date & Time | February 8, 2018 |
Type | Technical Update (Bug fixes, version upgrade, some feature enhancements) |
Documentation & Links
| Description | Link |
|---|---|
Applications | CCC SSO Proxy |
Operational Support Plan | Link to Support Plan |
Integration Status Spreadsheet | Link to Status Spreadsheet |
Table of Contents
Release Summary
Below is a summary of the enhancements and bug fixes that were released during the SSO Proxy version upgrade (1.8.0.0) across all environments on Feb 6 (Pilot) and Feb 8, 2018 (Prod).
- Bring all environments to the latest version of the sso proxy code (Version 1.8.0.0
- A series of user and technical enhancements
- A couple of bug fixes
Release Scope
| Issue Type | Description | Summary Notes |
|---|---|---|
| Enhancement | Make student check in eduPersonAffliation case insensitive | Though the eduPerson specification uses all lower case characters for their eduPersonAffiliation permissible values, e.g. faculty, student, staff, alum, member, affiliate, employee, library-walk-in, some college/district IdPs are sending mixed case, e.g. Student. This enhancement converts all eduPersonAffiliation values to lower-case before sending them on as attributes to the downstream SP. |
| Enhancement | Send RelayState Information if configured for the destination IdP | This enhancement facilitates MyPath IdP initiated logins through the OpenCCC IdP. In the case of the OpenCCC IdP only, the Proxy includes the initial RelayState so that information is not lost and can be used to ultimately redirect the user back to MyPath. This is a limited use case and should rarely if ever be used by other applications. |
| Enhancement | Add CCCID / eppn mapping when CCCID is passed in SAML | Currently, if a college/district IdP passes the CCCID as an attribute, it is not added to the eppn-CCCID map. The map is only updated if a CCCID is NOT included and the user is detoured to OpenCCC to retrieve it. This enhancement captures CCCIDs sent by the college/district IdPs and adds them to the map so that the map is updated in both cases. |
| Enhancement | Pass MIS codes associated with authsource in authsources_<env>.json as new SAML attribute | To satisfy this enhancement, the proxy now adds a new SAML attribute, https://www.openccc.net/saml/attributes/cccMisCodes available to downstream SPs that includes an array of the MisCode(s), e.g. 310, 311, 312, 313, of the authenticated college/district IdP. |
| Enhancement | Include authsource as a SAML attribute | To satisfy this enhancement, the proxy now adds a new SAML attribute, https://www.openccc.net/saml/attributes/cccAuthSource available to the downstream SPs that includes an the authsource, e.g. MIS310, of the authenticated college/district IdP. |
| Enhancement | Validate CCCID value passed by College/District IdPs | The CCCID is defined in OpenCCC to be a string consisting of 3 upper-case characters and 4 numbers from 0-9 inclusive. Early Proxy testing showed that some college/district IdPs were sending bogus CCCIDs along in the SAML attributes. This enhancement implements a basic validation test against the inbound CCCID attribute and, if it fails, detours the user to OpenCCC to recover or create a CCCID in case the attribute was not passed to the proxy. |
| Enhancement | Upgrade Proxy core to SimpleSAMLphp 1.14.17 | The current release of the SSO Proxy is based on the SimpleSamlPHP core version 1.14.3. Several security patches have been released since then. This enhancement upgrades the SimpleSamlPHP core version to 1.14.17. |
| Enhancement | Change Proxy to not redirect users with 'student' eduPersonAffliation to OpenCCC if destination SP is Jasper Reports or CCCAdmin | During initial testing, some college/district personnel are designated in their directory with eduPersonAffiliation values that include student and staff. If these users try to go through the Proxy to, say the OpenCCC Admin page, and their college/district does not send a CCCID, they are detoured to OpenCCC to retrieve it. This enhancement implements a configurable "whitelist" of SP entity IDs that, even if the inbound attributes do not include the CCCID, are excluded from the detour to OpenCCC. This list is currently limited to OpenCCC Admin and OpenCCC JasperReports. NOTE: 12.13.17 - Patty added to the scope of this requirement by expanding the whitelist of SP entity IDs to include additional destinations (Canvas LMS entity IDs for each college, Admin2, Jasper, DW, etc.) |
| BUG | Always default to redirect session to Canvas Prod environment after redirecting from OpenCCC | When testing Canvas integration with the Proxy, it was noted that,
This enhancement adds logic to capture the initial destination, prior to the detour, and ultimately redirects the user back to that destination. |
| Enhancement | Change config.php logging from DEBUG to INFO in Prod | Currently, the Proxy in production is configured with log level DEBUG. Due to the traffic in production, this results in the log disk partition filling with regularity. This enhancement changes the logging configuration for the production environment from DEBUG to INFO to cut down on verbose logging. |
| Enhancement | Update Proxy College IdP Search Page to remove text "Identity Provider" from each college/district that returns in search type ahead box | On the college picker page of the Proxy, the string "Identity Provider" is appended to the current descriptions for each college/district IdP. This has been deemed confusing to the users. This enhancement removes that string. |
| Enhancement | Implement ability for user to find their college on the Proxy IdP search page even if the college uses a district level IdP | Currently, if a college rolls up under their district IdP, the college name does not appear in the selection list on the college picker page. This enhancement lists every college and, if it rolls up to a district IdP, when it is selected the user is redirected to the district IdP as if they had chosen the district IdP from the selection list. |
| Enhancement | Remove deprecated configuration parameters from config.php | This is a de-clutter enhancement to remove deprecated configuration parameters from the Proxy's config.php. It should not impact any application using the Proxy. |
| Enhancement | Create an /index.php landing page for proxy to handle proxy session timeout scenarios | This enhancement stems from CIP-688. If a user initially hits the proxy and is redirected to their college/district IdP per the normal flow, if they take longer to authenticate than then timeout set in CIP-688 they will be sent to this Proxy session timeout page. |
| Enhancement | Revise the student user experience when encountering a session timeout | Some SAML2 SP implementations, including the one used by Course Exchange, honor the SessionNotOnOrAfter attribute which is currently set to to the same duration as the Proxy session timeout. This enhancement allows us to control that attribute setting independently from the Proxy session timeout. |
Out-of-Scope Development
Item Description | Summary Notes |
|---|---|
| Improve error page when user logs in and proxy session has expired | Pulled out of the 1.8.0 release–this is a low priority. |
| Change Proxy session timeout | Pulled this out of the 1.8.0 release due to issues identified during testing in TEST. This was the quick fix for the session time-out issue. |
| Enable Single Logout for CCC Controlled SPs and IDPs | Pulled this out of the 1.8.0 release due to issues identified during testing in TEST |
Documentation
The following links point to the most current versions of the CCC SSO Proxy documentation.
Description | Version | Link | Release | Date Published |
|---|---|---|---|---|
| CCC SSO Federation | CCC SSO Federation | |||
| CCC SSO Proxy Integration Steps | Steps to Integrate with the CCC SSO Proxy |