Attributes for the SSO GW: Shibboleth
SAML EntityIDs for the SSO GW
There are two instances of the CCC SSO Gw that you must configure attribute release to: a Pilot and a Production instance. The entityID for each is:
| SSO GW Instance | SSO GW SP Metadata URL |
|---|---|
| Pilot SSO GW | https://sso.pilot.cccmypath.org/simplesaml/module.php/saml/sp/metadata.php |
| Production SSO GW | https://sso.cccmypath.org/simplesaml/module.php/saml/sp/metadata.php |
Metadata for the SSO GW
Metadata for the SSO GW is contained within the the CCC Central Metadata feed that contains metadata for many CCC system-wide services. You should add the following configuration to your college/district IdP's conf/metadata-providers.xml file, which will automatically keep checking (every few hours) whether there is an updated file to download, and if so, download it and keep a local "backing file" on your IdP.
<!-- Central CCC distribution of metadata -->
<MetadataProvider id="CCC_Central_Metadata"
xsi:type="FileBackedHTTPMetadataProvider"
backingFile="%{idp.home}/metadata/ccc-central-metadata.xml"
metadataURL=" http://saml.cccmypath.org/metadata/ccc-metadata.xml">
<MetadataFilter xsi:type="RequiredValidUntil" maxValidityInterval="PT0S"/>
<MetadataFilter xsi:type="SignatureValidation"
requireSignedRoot="true" certificateFile="${idp.home}/credentials/ccctc-md-cert.pem"/>
<MetadataFilter xsi:type="EntityRoleWhiteList">
<RetainedRole>md:SPSSODescriptor</RetainedRole>
</MetadataFilter>
</MetadataProvider>
As you can tell from the above, the CCC Central Metadata feed is available at: http://saml.cccmypath.org/metadata/ccc-metadata.xml. Note that part of the above configuration is verifying the "signature" on that metadata file and to do that you must create a new file in your IdP's credentials/ directory named 'credentials/ccctc-md-cert.pem' with the following content:
-----BEGIN CERTIFICATE----- MIIELTCCAxWgAwIBAgIJAKshFHHXXhrGMA0GCSqGSIb3DQEBBQUAMGwxCzAJBgNV BAYTAlVTMQswCQYDVQQIEwJDQTERMA8GA1UEBxMIT3JvdmlsbGUxHjAcBgNVBAoT FUNDQyBUZWNobm9sb2d5IENlbnRlcjEdMBsGA1UEAxMUc2FtbC5jY2N0Y3BvcnRh bC5vcmcwHhcNMTYwMTE1MTkxNTEwWhcNMjEwMTEzMTkxNTEwWjBsMQswCQYDVQQG EwJVUzELMAkGA1UECBMCQ0ExETAPBgNVBAcTCE9yb3ZpbGxlMR4wHAYDVQQKExVD Q0MgVGVjaG5vbG9neSBDZW50ZXIxHTAbBgNVBAMTFHNhbWwuY2NjdGNwb3J0YWwu b3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2Ox2MGZCIimvKXZ6 DsmfQajFY0Y3JKvRtqdBmlDo2ndtLNFIvlYzIYehYfwFdJJ3fcnkYWYm/Q1UWC1o MnQtL1dh1x/ZHPArZEsBGNEvQjuhk9ztT43A/5sB7GHpM1CM0cZl32UdB49ETT3T +f/I6ZDBE9MUPJpg0UjV1xurSig1mZHcY+As0rQwreV9/b2mnIn9St6tJAXBthfC wDdpVcLXG3es2VS1MF3RfSRNQkKZT/nQO5f1yFNbVrOfiDB1zydhYMXzXJDh3OMp gByOi9/PHUSaXdVs3xwF1Kd7HJQJf+iOgGGUUo3Tu9ADioJp07jGK/6uWMnaymSo P/G5nQIDAQABo4HRMIHOMB0GA1UdDgQWBBQl3onu5BAL9in4WHshPJpxSd2P+DCB ngYDVR0jBIGWMIGTgBQl3onu5BAL9in4WHshPJpxSd2P+KFwpG4wbDELMAkGA1UE BhMCVVMxCzAJBgNVBAgTAkNBMREwDwYDVQQHEwhPcm92aWxsZTEeMBwGA1UEChMV Q0NDIFRlY2hub2xvZ3kgQ2VudGVyMR0wGwYDVQQDExRzYW1sLmNjY3RjcG9ydGFs Lm9yZ4IJAKshFHHXXhrGMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADggEB AHaZ7znhgCPD0GwvU/toYFXxLOLedbnPB9CmebJSc6pGWg+uEGCaMZrpYbIpaHqR tk3repXsSuZ3Q6yGddNyjelND+88kIak2A3xl/dS1yhvo9MusrKzis4VO1zgXmDS FqqGw20Cc/xNdD6sTWEIh5fq/gaGrVv1yBGtGrvtGXIfQ1Nwin1GF07s+M7lkmVz bMRrobcqOK0WNye1EdXw8vk4owpdlTmgos/wSiQi8jhVAilsuzAk6h7cAQuoFyqA HY8tF8nsz3skKoDgZVRJmzesPkRKRszYtC/aUDlZje9uHQINKuCcCLFKI1paYiHR BeRdoPK3OIBsGglKA7aC3lk= -----END CERTIFICATE-----
Configure the Attributes
Minimum Required Attributes
Make sure you understand and have all the following required attributes available.
| Simple Name and the SAMLv2 name when sent in the SAMLv2 response | Short description | Sample value(s) | Description |
|---|---|---|---|
eduPersonPrincipalName (EPPN) urn:oid:1.3.6.1.4.1.5923.1.1.1.6 | The primary federated identifier of a given user from a college/district IdP. | EPPN has the syntax of an email address, but it should be considered a "globally unique federated identifier" rather than an email address. It is generally the most important attribute to be shared with federated services. Note that the value of EPPN does not have to match what the user fills in as their username when they login, and the user does not need to know what their EPPN is, as it is shared between the IdP and the service. It should be unique, rarely change, and not be reassigned to another person. | |
eduPersonAffiliation urn:oid:1.3.6.1.4.1.5923.1.1.1.1 | Role within the institution |
| All of the roles a given person has within the college. This is the only attribute listed here that is intended to have multiple values. All the rest are expected to have a single value. |
uid urn:oid:0.9.2342.19200300.100.1.1 | Username | jsmith | This is usually the value that the user fills in as their username when they login. If you are using AD, the usual attribute you want to use to populate uid is the sAMAccountName attribute. |
givenName urn:oid:2.5.4.42 | First Name | Jane | |
sn (surname) urn:oid:2.5.4.4 | Last Name | Smith | |
displayName urn:oid:2.16.840.1.113730.3.1.241 | Full name to display | Jane Smith | |
mail (email) urn:oid:0.9.2342.19200300.100.1.3 | Email Address | jane.smith@college.edu | |
cccId | Unique id for a student within the CCC system | The CCCID is a critical attribute for students. If not specified, but required for a portal or service action, the CCCID will be looked up via the EPPN. If no match is found, the action cannot be performed until the user creates a CCCID via the OpenCCC portlet. |
Additional Recommended Attributes
Below are additional attributes that can be sent by the college. These attributes are not required, but are highly recommended and can be useful for pre-populating values required to create a central CCCID account.
| Simple Name and the SAMLv2 name when sent in the SAMLv2 response | Short description | Sample value(s) | Description |
|---|---|---|---|
eduPersonPrimaryAffiliation urn:oid:1.3.6.1.4.1.5923.1.1.1.5 | Primary role at the institution |
| Must be one of the values specified in eduPersonAffilliation. If the eduPersonAffiliation attribute has many values, the primary affiliation should reflect the role to be associated with services that differentiate based on this value (such as the CCC Portal). |
street urn:oid:2.5.4.9 | Street address | 303 Mulberry St. | |
| locality urn:oid:2.5.4.7 | City | Metropolis | |
st urn:oid:2.5.4.8 | State or Province name | CA | |
postalCode urn:oid:2.5.4.17 | Postal or zip code | 12345 | |
homePhone urn:oid:0.9.2342.19200300.100.1.20 | Home Phone Number | +1 212 555 1234 | |
mobile urn:oid:0.9.2342.19200300.100.1.41 | Mobile Phone Number | +1 775 555 6789 |
Release Attributes to Proxy Instances
The last step is to configure your college/district IdP to release the above attributes to the SSO GW entityIDs. To do this, edit your IdP's conf/attribute-filter.xml file and add the lines below. You will have to verify whether you've configured your IdP's conf/attribute-resolver.xml file to generate the following attributes with the same "id" as referenced below, and if not, adjust the below to match the "id" you used.
<!--
Release all required and optional attributes, for any service,
to the CCC IdP Proxy, so it in turn can release only the
needed attributes to the services on the other side
of the IdP Proxy. All attributes will not be sent to all services,
just the needed ones for a given service. The attributes here should
constitute a "union" of all possible attributes for any service.
-->
<AttributeFilterPolicy id="CCCWideReleaseForIdPProxy">
<PolicyRequirementRule xsi:type="OR">
<Rule xsi:type="Requester" value="https://sso.pilot.cccmypath.org/simplesaml/module.php/saml/sp/metadata.php"/>
<Rule xsi:type="Requester" value="https://sso.cccmypath.org/simplesaml/module.php/saml/sp/metadata.php"/>
</PolicyRequirementRule>
<AttributeRule attributeID="eduPersonPrincipalName">
<PermitValueRule xsi:type="ANY"/>
</AttributeRule>
<AttributeRule attributeID="uid">
<PermitValueRule xsi:type="ANY"/>
</AttributeRule>
<AttributeRule attributeID="email">
<PermitValueRule xsi:type="ANY"/>
</AttributeRule>
<AttributeRule attributeID="givenName">
<PermitValueRule xsi:type="ANY"/>
</AttributeRule>
<AttributeRule attributeID="surname">
<PermitValueRule xsi:type="ANY"/>
</AttributeRule>
<AttributeRule attributeID="displayName">
<PermitValueRule xsi:type="ANY"/>
</AttributeRule>
<AttributeRule attributeID="eduPersonAffiliation">
<PermitValueRule xsi:type="OR">
<Rule xsi:type="Value" value="faculty" ignoreCase="true"/>
<Rule xsi:type="Value" value="student" ignoreCase="true"/>
<Rule xsi:type="Value" value="staff" ignoreCase="true"/>
<Rule xsi:type="Value" value="alum" ignoreCase="true"/>
<Rule xsi:type="Value" value="member" ignoreCase="true"/>
<Rule xsi:type="Value" value="affiliate" ignoreCase="true"/>
<Rule xsi:type="Value" value="employee" ignoreCase="true"/>
<Rule xsi:type="Value" value="library-walk-in" ignoreCase="true"/>
</PermitValueRule>
</AttributeRule>
<AttributeRule attributeID="eduPersonPrimaryAffiliation">
<PermitValueRule xsi:type="ANY"/>
</AttributeRule>
<!-- CCC specific attributes -->
<AttributeRule attributeID="cccId">
<PermitValueRule xsi:type="ANY"/>
</AttributeRule>
<AttributeRule attributeID="cccMisCode">
<PermitValueRule xsi:type="ANY"/>
</AttributeRule>
<!-- Less likely attributes to be populated, but release if available -->
<AttributeRule attributeID="mobileNumber">
<PermitValueRule xsi:type="ANY"/>
</AttributeRule>
<AttributeRule attributeID="homePhone">
<PermitValueRule xsi:type="ANY"/>
</AttributeRule>
<AttributeRule attributeID="telephoneNumber">
<PermitValueRule xsi:type="ANY"/>
</AttributeRule>
<AttributeRule attributeID="postalAddress">
<PermitValueRule xsi:type="ANY"/>
</AttributeRule>
<AttributeRule attributeID="street">
<PermitValueRule xsi:type="ANY"/>
</AttributeRule>
<AttributeRule attributeID="locality">
<PermitValueRule xsi:type="ANY"/>
</AttributeRule>
<AttributeRule attributeID="stateProvince">
<PermitValueRule xsi:type="ANY"/>
</AttributeRule>
<AttributeRule attributeID="postalCode">
<PermitValueRule xsi:type="ANY"/>
</AttributeRule>
</AttributeFilterPolicy>