| Request No. | 2018-33 |
|---|---|
| Date of Request | June 28, 2018 / August 2, 2018 |
| Requester | Dave Stephens |
| Application(s) | SSO Proxy |
| Section / Page | |
| Proposed Change to Download File | |
| Proposed Change to Residency Logic |
Problem / Issue
Butte College has concerns about the current SSO proxy workflow, especially with respect fo students on their way to Canvas
Enhance the SSO Proxy sign-in page to better clarify to students where they are and why they are being re-directed there.
1) Update on status of the following OpenCCC enhancement requests (Donohue)
a. Removal and replacement of the .net domain (as .com and .net are all easy to obtain and commonly used in spoofing efforts).
b. Clearer language and/or imagery that affirms that the OpenCCC and CCC ID mechanisms are actually legitimate. (i.e. "We know you might not be expecting this, but...", etc.). This can easily be accomplished by embedding a short (20-30 second) screencast video. c. Consideration of custom subdomains per CCC point of origination in conjunction with (or w/o) #1 above (i.e. "butte.openccc.edu/idp/profile/SAML2/Redirect/SSO?execution=e4s1")
Notes from 8.02.18 meeting:
Reiterated that the college co-branding is needed. College logo branded header is the best decision.
Reiterated the amount of concerns from students saying "Is this legit?"
Reiterated need for a short embedded video (why am I here?)
- add the college co-branded logo to this page (coming from MIS code)
- Add language that this is a ONE time process, your data is safe
- SSN
- Add a canvas or other app logo next to the banner/header of the page
- Add some clarifying language to the sign in fields to identify OpenCCC sign-in creds
Faculty HAVE BEEN filtered out from the proxy flow - they won't see it unless they are ONLY students
IF faculty are also students, they could be informed that they really should be going through the proxy but are currently filtered only.
Butte needs to set up a flyer for 10K incoming students (about this process to convey legitimacy of THIS proxy / Canvas process)
Concerns from Butte: Ensure SSO is in place across the board.
Regarding the pre-seeding CCCID process that Butte is sending out to the students, make sure they have the correct URL (we confirmed this during our meeting)
Butte's message to students will go out by 8/15. (Patty, Get copy of the message they are sending out.)
Matt Norris added that ES is working on a questionnaire which will include their custom URL (vanity url) (ask the OEI CSM has a list of vanity URLs)
Proposed Solution
Butte College and others have been whitelisted from the proxy for any students
Do another round of tests - to ensure the whitelisting is in place as expected.
Currently, the following logic is in place:
- Only students should ever see the proxy for the purpose of ensuring their CCCID is passed (seamlessly) to the endpoint/application
- If a faculty/staff/member at a college is also a student - they are currently being filtered from the proxy BUT this is a temporary change until this process is finalized/approved and all colleges are informed.
Need a date that this or some version of this ^^ can be implemented for proxy flow
Need to work on the language for the sign-in page
Need to come up with two part solution for Butte:
- FAQ for proxy account creation process
- need changes made by X date for their comm campaign
- message with correct URL to the proxy account creation page
Butte will work with Matt Norris (via Dan Neal - who is heading out on paternity leave BTW) to retest the proxy whitelisting. Need to schedule testing of what the proxy is whitelisting
Notes
From 8.02.18 meeting: 9+ colleges provided feedback to Dave Stephens on the use of the proxy - concerns about abandonment when they get to the proxy. Most of the concerns and comments were made by staff and FACULTY, who have a strong voice in this process.
Per Matt S. - you can't really test
Query their EduPerson Affiliation in AD to ensure they are passing the correct affiliation. (typically testing isn't done correctly)
Every use case:
- Student only
Faculty only
Staff only
Member only
Faculty/staff only
Faculty/staff/member only
Run a query and bring back all the different EduPerson Affiliations
Flag any that are multi-valued (staff + student) Matt S. could help by providing a Power-shell script
Effort to get this implemented in the upcoming a few files were changes (css file change, jss file,
Making this a dynamic template would require a tiny bit more effort
But would require a proxy change as well - because the proxy needs to determine where they are going to, add param over to call this page.
This would require a Proxy hotfix and an OpenCCC Account hotfix
Both are low risk, low effort (Talk to Josh about the college co-branding effort - either adding a banner to the page or adding a Canvas, etc. logo to the page.)
Redesign the setup of the page? This would be to highlight that most of the students who encounter the page are
If the proxy side is setup to send that information - the Apply dev team could update that page in less than a day.
Franz could
(Move this out of this doc)
EPPN/CCCID API
problem with capacity (we weren't able to accommodate the counts (too many downloading)
EPPN Download Service
- Proxy account creation or recoveries from redirect to proxy - folks that have hit the the proxy and have to create or recovery. We grab their new account/CCCID and add to Dynamo table. -
- Proxy pass throughsSome colleges are passing along and we catch it when they pass. These are all stuck into the Dynamo DB table.
(prod-eppn-map) -
Run something at the college (NOT the download process for applications) Franz to apply confluence page
(short term work-around, Jay Owen, increased Dyamo db params to allow State Center to download EPPNs - with approval from Lou.
Charles H. fix was more permanent - IF multiple colleges wanted to download EPPN mapping at the same time, even with the increased params there's a chance it could flood the Dynamo again. Increased error handling in the download service code.