CCCID: The Use and Significance of the CCCID in the CCC SSO Initiative

What is the CCCID?

A CCCID is a unique student identifier generated when an individual (student) creates an OpenCCC account, enabling secure, single sign-on access to admissions applications and other systemwide web-based services. The CCCID is commonly created during the CCCApply admissions application process; however, any existing student can (and should) be encouraged to create an OpenCCC account and thus create their own CCCID, explained Lou Delzompo, Chief Technology Officer of the CCC Technology Center.

Some key functions of the CCCID:

    • The CCCID is generated when a student sets up an OpenCCC account and is commonly passed to the college in the CCCApply data download.
    • The CCCID is then stored in the college’s SIS or the college’s LDAP/Active Directory.
    • The CCCID is passed as an attribute from the college’s IdP to the systemwide application’s SP (e.g. Canvas, CCCAssess, MyPath).
    • The CCCID is used by the systemwide application to identify the student.


How do colleges get the CCCID?

The majority of students get their CCCIDs when they first apply to a California Community College using the CCCApply admission application. Since 2012, when the CCC Technology Center first released the new CCCApply application in conjunction with the new OpenCCC Account system, colleges have downloaded new students/applicants through their CCCApply download client process. The OpenCCC Account data fields, which are created as part of the initial CCCApply application, are passed to the college with the CCCApply application data in their automated download file. Below is a diagram that illustrates the process that colleges are using now to download the OpenCCC data, including the student's system-generated CCCID, along with the student's application data.


 

How long does it take to get through the OpenCCC Account creation process and what is required?

Creating a full OpenCCC Account is a very quick and easy process. There are three pages in total, and the process typically takes less than 5 minutes to complete. Below are the required questions and data fields collected in the OpenCCC Account:

  • Legal Name (Last, First, Middle)
  • Birthdate
  • Email
  • Permanent Address
  • Main Phone Number
  • Username
  • Password
  • PIN Number
  • Security Question Responses 1-3

What is the full set of data fields passed to the college via the CCCApply download process?

In addition to the fields listed above, the following optional questions/fields are also asked in the OpenCCC Account creation process:

  • Previous Name (Last, First, Middle)
  • Preferred Name (Last, First, Middle)
  • Social Security Number/Taxpayer Identification Number
  • Authorization for Text Messages for Main Phone
  • Second Telephone
  • Authorization for Text Messages for Second Phone

What is the set of data that is used to uniquely identify a student in the process?

There are several combinations of data fields that are used to match a duplicate OpenCCC Account, including:

  • Email Address
  • Birthdate
  • SSN/TIN
  • Legal First & Last Names
  • Main Phone Number


What is the Account Matching process in OpenCCC?

The Account Matching function does not have a user interface. It is called by other functions to compare user data with existing accounts. It will accept whatever set of user data the calling function provides, and will attempt to identify a unique account based on that data. (For example, Account Recovery might provide only the required fields, Legal Name and Date of Birth.)

Once the Accounts database has been searched for matches, Account Matching will:

    • identify a single matching account to the calling function, and provide flags to indicate match type (such as whether the match is definitive or not) as appropriate; or
    • tell the calling function that there was no matching account; or
    • tell the calling function that there were two or more matching accounts.

It is not the job of Account Matching to determine that a unique account found by Account Matching is a true match—in other words, that it does indeed belong to a particular online user. That task is performed by Account Verification, which will employ security questions to verify that the online user is the actual owner of the account. (Account Verification will never ensure a true match with absolute certainty, but a verified match must provide sufficient assurance to meet current and evolving security standards.)
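The three outcomes described above can be sketched as follows. This is an added example, not OpenCCC code: the rule combinations in `RULES`, the field names and the sample accounts are assumptions, since the page lists the matching fields but not how they are combined.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed rule sets: the page lists the fields but not the combinations.
# Each entry is (fields that must all match, whether a hit is definitive).
RULES = [
    (("ssn_tin", "birthdate"), True),
    (("email", "birthdate"), False),
    (("legal_first", "legal_last", "birthdate"), False),
    (("legal_first", "legal_last", "main_phone"), False),
]

@dataclass(frozen=True)
class MatchResult:
    status: str                  # "single", "none" or "multiple"
    cccid: Optional[str] = None  # set only when status == "single"
    definitive: bool = False     # match-type flag for the caller

def _norm(value):
    return " ".join(str(value).split()).casefold()

def match_account(accounts, supplied):
    """Match on whatever subset of fields the calling function supplied."""
    given = {k: _norm(v) for k, v in supplied.items() if v}
    hits = {}  # cccid -> True if any rule that hit was definitive
    for fields, definitive in RULES:
        if not all(f in given for f in fields):
            continue  # this combination was not fully supplied
        for acct in accounts:
            if all(_norm(acct.get(f, "")) == given[f] for f in fields):
                hits[acct["cccid"]] = hits.get(acct["cccid"], False) or definitive
    if not hits:
        return MatchResult("none")
    if len(hits) > 1:
        return MatchResult("multiple")  # do not pick one for the caller
    (cccid, definitive), = hits.items()
    return MatchResult("single", cccid, definitive)

# Constructed sample accounts; the CCCID values are placeholders.
ACCOUNTS = [
    {"cccid": "ID-0001", "legal_first": "Ana", "legal_last": "Diaz",
     "birthdate": "1999-04-02", "email": "ana@example.org", "ssn_tin": "000-00-0001"},
    {"cccid": "ID-0002", "legal_first": "Ana", "legal_last": "Diaz",
     "birthdate": "1999-04-02", "email": "adiaz@example.org"},
    {"cccid": "ID-0003", "legal_first": "Ben", "legal_last": "Ito",
     "birthdate": "2001-11-30", "email": "ben@example.org"},
]
```

Even a `single` result with `definitive` set only identifies an account; the caller still hands off to Account Verification before treating the user as its owner.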


How does the Account Verification process work?

It is the job of Account Verification to verify with an acceptable level of certainty that a unique existing account identified during Account Recovery or Account Creation does indeed belong to the online user. It does this by randomly selecting two of the account’s three Security Questions, and requiring the user to answer those questions.

If the user answers the Security Questions correctly, Account Verification will display the account’s Username and provide fields for resetting the account’s Password.

Once the password has been reset, the user will be admitted to the account, just as if he had logged on. (For example, if Account Recovery or Account Creation has been entered as part of the flow from a college website to the OpenCCCApply online application, the user will be taken from the password reset screen to the Introduction page of the college’s online application.)


Are there a significant number of duplicate CCCID accounts found?

No. The number of duplicate CCCID accounts across the entire system is approximately .2% and decreasing. Though some colleges have raised concerns about the potential for duplicates, at this time we are finding that very few duplicates are being reported (fewer than 100 duplicates at most colleges, and in even more cases fewer than that). The CCC Technology Center recommends that colleges use the account that aligns to the most recently submitted CCCApply application when associating duplicates to student college accounts.

For the OpenCCC Accounts that are created via the SSO Proxy, how do the colleges get these accounts back into their systems?

The CCC Technology Center is currently developing a mechanism to return the OpenCCC accounts (CCCIDs) created for students who did not previously have a CCCID at the time they first encounter the SSO Proxy via the CCC Report Center.

The significance of CCCID for the CCC SSO Federation

The CCCID is used for multiple purposes across the California Community Colleges system. The CCC Chancellor's Office and other systemwide organizations rely on the CCCID to track progress and the educational choices made by students across the course of their academic journey. Students who attend multiple colleges across the system are tracked in one central location (OpenCCC Student Account System) and their CCCID will be used for research (locally and systemwide) to better align support and services across the system.

In order to track students through their CCCID, the objective of the SSO Proxy is to ensure that every CCC student has a CCCID. Therefore, as part of the SSO Proxy integration, it is strongly recommended that colleges store the CCCID in their Active Directory or LDAP directory so that this attribute can be passed along with the EPPN in the student user session when authenticating to a CCC web application, such as CCCAssess, Canvas and MyPath.


What is the EPPN?  

The EduPersonPrincipalName (EPPN) is the unique identifier for a user (applicant, student, faculty, staff) across all college IdPs.

For the Student population, a Central OpenCCC Id (CCCID) is a unique correlation ID for a single student across the entire CCC system and is a key SAML attribute requirement across all service providers. Many colleges will be able to look up the CCCID from their directory servers, but for the colleges that don't store the CCCID, the central IdP proxy will be used to look up the CCCID for a given EPPN and include it in the list of SAML attributes sent to the final Service Provider.

The EPPN has the syntax of an email address, but it should be considered a "globally unique federated identifier" rather than an email address. It is generally the most important attribute to be shared with federated services. Note that the value of EPPN does not have to match what the user fills in as their username when they log in, and the user does not need to know what their EPPN is, as it is shared between the IdP and the service. It should be unique, rarely change, and not be reassigned to another user.



The significance of EPPN to the CCC SSO Federation

The EduPersonPrincipalName (EPPN) is the unique identifier for a user across all college IdPs.

For the Student population, an OpenCCC Account Id (CCCID) is a unique correlation ID for a single student across the entire CCC system and is a key SAML attribute requirement across all service providers. Many colleges will be able to look up the CCCID from their directory servers, but for the colleges that don't store the CCCID, the SSO Proxy will be used to look up the CCCID for a given EPPN and include it in the list of SAML attributes sent to the final Service Provider.
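The proxy-side lookup described in this section and under "What is the EPPN?" can be sketched as below. This is an added example, not the SSO Proxy's own code: the attribute keys, the `allowed_scopes` registry, the dictionary standing in for the central lookup and all sample values are assumptions, and the scope check is an added safeguard the page does not describe.

```python
import re

EPPN_RE = re.compile(r"[^@\s]+@[^@\s]+")  # user@scope, exactly one "@"

class ReleaseDenied(Exception):
    """The proxy refuses to pass this login on to the Service Provider."""

def attributes_for_sp(idp_entity_id, asserted, allowed_scopes, cccid_by_eppn):
    """Decide what the proxy sends to the SP for one authenticated session.

    asserted        attributes from the college IdP (keys "eppn", "cccid" assumed)
    allowed_scopes  IdP entityID -> EPPN scopes that IdP may assert (assumed)
    cccid_by_eppn   stand-in for the proxy's central EPPN -> CCCID lookup
    Returns (action, attributes); action is "release" or "create_account".
    """
    eppn = (asserted.get("eppn") or "").strip()
    if not EPPN_RE.fullmatch(eppn):
        raise ReleaseDenied("missing or malformed EPPN")
    local, scope = eppn.rsplit("@", 1)
    scope = scope.lower()
    # Added check, not described on the page: an IdP may only assert EPPNs in
    # its own scope, otherwise one college could speak for another's students.
    if scope not in allowed_scopes.get(idp_entity_id, set()):
        raise ReleaseDenied("EPPN scope not registered for this IdP")
    eppn = f"{local}@{scope}"
    # Prefer the CCCID from the college directory; fall back to the lookup.
    cccid = (asserted.get("cccid") or "").strip() or cccid_by_eppn.get(eppn)
    if not cccid:
        # No CCCID anywhere: the student still needs an OpenCCC account.
        return "create_account", {"eppn": eppn}
    return "release", {"eppn": eppn, "cccid": cccid}

# Constructed sample data; entityID, scope and CCCID values are placeholders.
IDP_A = "https://idp.college-a.example/idp"
SCOPES = {IDP_A: {"college-a.example"}}
LOOKUP = {"jsmith@college-a.example": "ID-0042"}
```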