CCC SSO Federation
The CCC SSO Federation is a shared federation of California Community Colleges based on secure single sign-on. Each participating college will be required to stand up a SAML-compliant Identity Provider (IdP) to authenticate its user population to secure CCC web applications and services in the SSO Federation. Currently, the CCC Technology Center supports Shibboleth IdP software and Portal Guard IdP; however, colleges may choose to use another IdP solution with built-in support services, such as Ellucian. For more information on the IdP solutions supported by the Tech Center, see Supported IdP Solutions below.
To participate in the CCC SSO Federation, colleges are required to implement a SAML2-compliant Identity Provider (IdP), become a member of the InCommon Federation, and integrate with the SSO Proxy service in order to access the full benefits of system-wide single sign-on connectivity for students, staff and faculty across all secure CCC applications. In addition, all CCC-approved vendor applications, such as Canvas and Starfish, will also integrate with the Proxy in order to facilitate single sign-on to those applications while passing the required attributes for access and reporting (e.g., CCCID, EPPN, etc.).
- SAML2-compliant Identity Provider (IDP)
- Membership with InCommon Federation
- Proxy Integration to CCC Applications
- Proxy integration to Canvas, Hobsons/Starfish, Others
Optional implementations, but highly recommended:
- Integration with the CCC College Adapter (under development)
- MyPath Student Services Portal
- EMSI Career Coach
- Canvas CMS
- Hobsons/Starfish Degree Audit Systems
Integrating with CCC Applications
A student will usually initiate access to central services from their home college website. To avoid presenting the student with an IdP discovery page where they would have to choose from 110+ college/district identity providers, the college will place a specially formatted link on its website to the targeted service provider. This link will be provided to the college by the CCC Tech Center.
CCC Federation Overview Diagram
The following diagram illustrates the relationship between Identity Providers (IdP), the SSO Proxy, and the Service Providers (SP).
What is the EPPN?
The EduPersonPrincipalName (EPPN) is the unique identifier for a user (applicant, student, faculty, staff) across all college IdPs.
For the student population, a Central OpenCCC Id (CCCID) is a unique correlation ID for a single student across the entire CCC system and is a key SAML attribute requirement across all service providers. Many colleges will be able to look up the CCCID from their directory servers, but for the colleges that don't store the CCCID, the central IdP proxy will be used to look up the CCCID for a given EPPN and include it in the list of SAML attributes sent to the final Service Provider.
The EPPN has the syntax of an email address, but it should be considered a "globally unique federated identifier" rather than an email address. It is generally the most important attribute to be shared with federated services. Note that the value of the EPPN does not have to match what the user enters as their username when they log in, and the user does not need to know what their EPPN is, as it is shared between the IdP and the service. It should be unique, rarely change, and not be reassigned to another user.
The significance of EPPN to the CCC SSO Federation
The EduPersonPrincipalName (EPPN) is the unique identifier for a user across all college IdPs.
For the student population, an OpenCCC Account Id (CCCID) is a unique correlation ID for a single student across the entire CCC system and is a key SAML attribute requirement across all service providers. Many colleges will be able to look up the CCCID from their directory servers, but for the colleges that don't store the CCCID, the SSO Proxy will be used to look up the CCCID for a given EPPN and include it in the list of SAML attributes sent to the final Service Provider.
What is the CCCID?
A CCCID is a unique student identifier generated when an individual (student) creates an OpenCCC account, enabling secure, single sign-on access to admissions applications and other systemwide web-based services. The CCCID is commonly created during the CCCApply admissions application process; however, any existing student can (and should) be encouraged to create an OpenCCC account and thus create their own CCCID, explained Lou Delzompo, Chief Technology Officer of the CCC Technology Center.
Some key functions of the CCCID:
- The CCCID is generated when a student sets up an OpenCCC account and is commonly passed to the college in the CCCApply data download.
- The CCCID is then stored in the college’s SIS or college LDAP/Active Directory.
- The CCCID is passed as an attribute from the college’s IdP to the systemwide application's SP (e.g., Canvas, CCCAssess, MyPath, etc.).
- The CCCID is used by the systemwide application to identify the student.
The main linking mechanism between user accounts in the Identity Center and applications and services running in the cloud is the CCCID, a seven-character ID composed of three alphabetic characters (A-Z, excluding O and I) and 4 numbers (0-9). This results in an account identifier with more than 130 million combinations that is easy for a person to remember, should that ever be necessary. Example: SWD3986
The significance of CCCID for the CCC SSO Federation
The CCCID is used for multiple purposes across the California Community Colleges system. The CCC Chancellor's Office and other systemwide organizations rely on the CCCID to track the progress and educational choices made by students across the course of their academic journey. Students who attend multiple colleges across the system are tracked in one central location (OpenCCC Student Account System), and their CCCID will be used for research (locally and systemwide) to better align support and services across the system.
In order to track students through their CCCID, the objective of the SSO Proxy is to ensure that every CCC student has a CCCID. Therefore, as part of the SSO Proxy integration, it is strongly recommended that colleges store the CCCID in their Active Directory or LDAP directory so that this attribute is passed along with the EPPN in the student's user session when authenticating to a CCC web application, such as CCCAssess, Canvas and MyPath.
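The attribute handling described above for the SSO Proxy, sketched as an added example (not code from the CCC Technology Center): it validates the EPPN, fills in a missing CCCID by EPPN lookup, and checks the CCCID format before release. The attribute name cccId, the per-IdP scope list, the in-memory lookup table, the letters-then-digits order (taken from SWD3986) and the behaviour for users without a CCCID are assumptions.

```python
import re

# Attribute keys as used in this sketch; "cccId" is a hypothetical name,
# the page does not give the SAML attribute names.
EPPN = "eduPersonPrincipalName"
CCCID = "cccId"

# Three letters A-Z excluding I and O, then four digits (order assumed
# from the page's example "SWD3986").
CCCID_RE = re.compile(r"[A-HJ-NP-Z]{3}[0-9]{4}")
# Email-like syntax: local part, a single "@", DNS-style scope.
EPPN_RE = re.compile(r"[^@\s]+@([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)")


class AssertionRejected(ValueError):
    """Raised when the incoming attributes must not be passed on."""


def cccid_keyspace():
    # 24 usable letters in each of 3 positions, 10 digits in each of 4.
    return 24 ** 3 * 10 ** 4


def enrich(idp_attrs, idp_scopes, lookup):
    """Return the attributes to release to the Service Provider.

    idp_attrs  -- attributes asserted by the college IdP
    idp_scopes -- scopes this IdP may assert (assumed per-IdP policy)
    lookup     -- EPPN -> CCCID table standing in for the proxy's lookup
    """
    eppn = idp_attrs.get(EPPN, "")
    match = EPPN_RE.fullmatch(eppn)
    if not match:
        raise AssertionRejected("missing or malformed EPPN")
    if match.group(1).lower() not in idp_scopes:
        raise AssertionRejected("EPPN scope not registered for this IdP")

    released = {EPPN: eppn}
    cccid = idp_attrs.get(CCCID)
    if cccid is None:
        # College does not store the CCCID: look it up by EPPN.
        cccid = lookup.get(eppn.lower())
    if cccid is not None:
        if not CCCID_RE.fullmatch(cccid):
            raise AssertionRejected("malformed CCCID")
        released[CCCID] = cccid
    # No CCCID on record (assumed: e.g. staff): EPPN is released alone.
    return released
```

Rejecting an EPPN whose scope is not registered for the asserting IdP keeps one college's IdP from vouching for another college's identifiers.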