Preparation

  1. Get the metadata for the district/college IDP and include it in the CIP JIRA ticket for the district/college (found here).

  2. If the district/college metadata is in InCommon, go to the InCommon section below.

Metadata Changes

  1. Add the school's metadata to metadata/ccc-metadata-nextgen-unsigned.xml in the cccnext/saml-ccc Bitbucket repo, in the section marked "College IdP Metadata". Format it so that long lines are wrapped.

  2. In that same file, add an AssertionConsumerService element to the Pilot and Prod IdP Proxy "SP side" SP descriptor, e.g.

    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://sso.ci.cccmypath.org/simplesaml/module.php/saml/sp/saml2-acs.php/MIS570" index="0"/>

    Be sure to change the "570" number in the example above to match the misCode of the new school or district. Each new entry should increment the index value.

  3. Validate the metadata additions using ./validateMetadata.sh nextgen. If validation passes, commit and push the change. Build automation will sign the updated metadata and push it to the saml.cccmypath.org S3 bucket; within one hour it is downloaded to the Proxy IdP deployments.

Authsources Changes

  1. Add an entry for the new college/district in two places in the authsources.php config file under external-config/pilot/opt/ccc/config in the cccnext/idp-proxy Bitbucket repo, then git add and commit.

  2. aws s3 cp authsources.php s3://ccc-pilot-proxy-simplesaml-config/opt/ccc/config/

  3. Add a new authsource entry to resources/authsources.json in the cccnext/saml-ccc Bitbucket repo with the appropriate authSource alias, IdP entity ID, eppn scope/suffix, description and MIS code(s). See the example below.

InCommon Updates

  1. Go to https://www.incommon.org/federation/siteadmin.html, click on "Federation Manager sign in" in the left nav and log in using Franz's InCommon creds in LastPass.

  2. Once authenticated, change the URL to https://service1.internet2.edu/siteadmin/organizations/10513/service_providers

  3. Click on https://sso.pilot.cccmypath.org/simplesaml/module.php/saml/sp/metadata.php [ Edit ]

  4. Go about halfway down the page, click on [ Edit ], and add the new AssertionConsumerService line that was added to the Proxy in one of the three blank fields at the bottom of the AssertionConsumerService section.

Production Onboarding

  1. Once testing in Pilot has been verified, Metadata Change #2 (only) will need to be made for the Production environment. For this, add the same AssertionConsumerService line as was done for pilot to the Prod IdP Proxy "SP side" SP descriptor.

  2. Add an entry for the new college/district in two places in the authsources.php config file under external-config/prod/opt/ccc/config in the cccnext/idp-proxy Bitbucket repo, then git add and commit.

  3. aws s3 cp authsources.php s3://ccc-prod-proxy-simplesaml-config/opt/ccc/config/

  4. Add a new authsource entry to resources/authsources.json in the cccnext/saml-ccc Bitbucket repo with the appropriate authSource alias, IdP entity ID, eppn scope/suffix, description and MIS code(s). See the example below.

Upon completion of the steps above, once the updates have propagated (approximately one hour), testing of the new school with the IdP proxy can commence. Note that some colleges/districts have different metadata for their prod IdP than for their pilot IdP. If so, their prod IdP metadata must be added just as their pilot metadata was in section 2.1.

Updating authsources.json

authsources.json is used by applications such as SSP and Assess to create links to other services via the SSO Proxy.

The file is maintained in Bitbucket in the cccnext/saml-ccc repository.

The file name in the repo is cccnext/saml-ccc/src/resources/authsources.json

Adding a new authsource involves creating a new authSource entry in the authsources.json file with the following values:

authSource

This should be the same name used in the authsources.php file in the SSO proxy configuration.

eppnSuffix

This is the scope/suffix the IDP sends when authenticating a user. This value can be found in the implementation JIRA ticket.

description

A description of the entry.

idpEntityId

The metadata entity ID of the college IDP. This value can be found in the implementation JIRA ticket.

misCodes

An array of MIS codes served by the college IDP. This value can be found in the implementation JIRA ticket.

authsources.json example

[
  {
    "authSource": "idp.collegea.edu",
    "eppnSuffix": "idp.collegea.edu",
    "description": "College A IDP",
    "idpEntityId": "https://idp.collegea.edu/idp/shibboleth",
    "misCodes": [
      "311",
      "312",
      "313"
    ]
  },
  {
    "authSource": "CIMock",
    "eppnSuffix": "democollege.edu",
    "description": "Uni College IDP",
    "idpEntityId": "https://ci-idp.ccctcportal.org:8443/idp/shibboleth",
    "misCodes": [
      "ZZ1"
    ]
  }
]
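As an added example (not part of this runbook or of the saml-ccc project), the following Python cross-checks the AssertionConsumerService entries added to the Proxy's "SP side" SP descriptor against authsources.json before the change is committed: every entry has the five required keys, no authSource or misCode is claimed twice, the ACS index values are unique and increment from 0, and every /MISnnn ACS Location has a matching authsources.json entry. The college names, entity IDs and misCodes are constructed sample values; College B deliberately re-uses misCode 312 and the MIS570 ACS has no entry, so both problems are reported.

```python
import json, re
import xml.etree.ElementTree as ET

MD_NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
REQUIRED = {"authSource", "eppnSuffix", "description", "idpEntityId", "misCodes"}
# Constructed sample of the ACS entries added to the Proxy's "SP side" SP descriptor.
SAMPLE_SP_METADATA = """<md:SPSSODescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
  <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    Location="https://sso.ci.cccmypath.org/simplesaml/module.php/saml/sp/saml2-acs.php/MIS311" index="0"/>
  <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    Location="https://sso.ci.cccmypath.org/simplesaml/module.php/saml/sp/saml2-acs.php/MIS570" index="1"/>
</md:SPSSODescriptor>"""

# Constructed sample authsources.json (hypothetical colleges); College B wrongly re-uses misCode 312.
SAMPLE_AUTHSOURCES = json.dumps([
    {"authSource": "idp.collegea.edu", "eppnSuffix": "idp.collegea.edu", "description": "College A IDP",
     "idpEntityId": "https://idp.collegea.edu/idp/shibboleth", "misCodes": ["311", "312"]},
    {"authSource": "idp.collegeb.edu", "eppnSuffix": "idp.collegeb.edu", "description": "College B IDP",
     "idpEntityId": "https://idp.collegeb.edu/idp/shibboleth", "misCodes": ["312"]},
])

def check_onboarding(sp_metadata_xml, authsources_json):
    """Return a list of problems; an empty list means the two files agree."""
    problems, seen_sources, code_owner = [], set(), {}
    for e in json.loads(authsources_json):
        name = e.get("authSource", "?")
        missing = REQUIRED - e.keys()
        if missing:
            problems.append(f"{name}: missing keys {sorted(missing)}")
        if name in seen_sources:
            problems.append(f"duplicate authSource {name}")
        seen_sources.add(name)
        for code in e.get("misCodes", []):
            if not isinstance(code, str):          # misCodes are strings, e.g. "311" or "ZZ1"
                problems.append(f"{name}: misCode {code!r} must be a string")
            elif code in code_owner:               # one misCode must map to exactly one IdP
                problems.append(f"misCode {code} claimed by both {code_owner[code]} and {name}")
            else:
                code_owner[code] = name
    indexes = []
    for acs in ET.fromstring(sp_metadata_xml).findall("md:AssertionConsumerService", MD_NS):
        indexes.append(int(acs.get("index", "-1")))
        m = re.search(r"/saml2-acs\.php/MIS(\w+)$", acs.get("Location", ""))
        if not m:
            problems.append(f"ACS index {acs.get('index')}: Location lacks the /MIS<code> suffix")
        elif m.group(1) not in code_owner:         # every ACS needs a matching authsources.json entry
            problems.append(f"ACS for MIS{m.group(1)} has no authsources.json entry")
    if sorted(indexes) != list(range(len(indexes))):   # index values must be unique and increment from 0
        problems.append(f"ACS index values {indexes} are not unique and contiguous from 0")
    return problems
```

Run it against the real ccc-metadata-nextgen-unsigned.xml SP descriptor and authsources.json in addition to ./validateMetadata.sh, which checks schema validity but not that the two files agree.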