SSO Gateway: Step by Step Demonstration

Overview

The CCC SSO Initiative provides single sign-on capability to colleges and districts allowing their student population to authenticate to secure web applications such as MyPath, Canvas, Hobsons, and Library Service Platform using the same login credentials used to log into other services at the college or district.

  • Single sign-on is achieved by implementing a SAML2 compliant Identity Provider - such as Shibboleth, PortalGuard or the Ellucian Identity Service.
  • MyPath, Canvas, and Library Services are statewide initiatives that require a common identifier for students that may attend multiple community colleges.  
  • The CCCID, the statewide student identifier established in OpenCCC, is the common identifier that will be used across initiatives.

The CCCID

Use of the CCCID requires that colleges or districts pass the CCCID to MyPath, Canvas, etc. as a SAML attribute in the authorization request from their SAML identity provider.


Colleges that participate in CCCApply have the capability of downloading a CCCID as part of the application download process for a student.  Many colleges that download the CCCID from CCCApply store the CCCID in the student's SIS or Active Directory account which allows them to easily pass CCCID as a SAML attribute.  Colleges that do not use Apply, colleges with students that applied previously to or outside of CCCApply, or colleges that choose not to store the CCCID are unable to pass the CCCID as a SAML attribute.

Because the CCCID is a requirement for participating in the statewide initiatives, the SSO GW was introduced as a means to associate a CCCID with an Identity Provider authorization request when the CCCID is not available to the college at authorization time.

This is achieved by the SSO GW intercepting the authorization request, determining whether a CCCID was passed as a SAML attribute, and, if a CCCID was not included in the request, prompting the student to either create a new OpenCCC account or recover an existing one.


Demo - The SSO Gateway (GW): The Student Experience

The following demos illustrate the student user experience when they pass through the SSO GW to access a secure CCC web application, depending on the college's ability to pass a CCCID as a SAML attribute.

These particular scenarios focus on a student logging into MyPath from a College website, but the same experience would be true for Common Assessment, Canvas, or any other CCC web application.

NOTE: The videos/demos below refer to the SSO Gateway by its former name, namely the SSO Proxy.

Video 1: Various Student Experiences with the SSO GW


Scenario 1: Student Never Sees the SSO GW

This scenario is the most streamlined user experience because it allows students who already have an OpenCCC account (meaning they have a CCCID, even if they don't remember what it is) to log in to any secure CCC web application without interruption or interaction with the SSO GW.

IMPORTANT: In order for this scenario to work, the college MUST STORE all CCCIDs in their Active Directory and PASS THE CCCID as a SAML attribute. If the college does not upload and store CCCIDs in their Active Directory, EVERY student will have to interface with the SSO GW in some way (see Scenario Two and Three below). To avoid unnecessary interruption to the student experience, store CCCIDs in your Active Directory.


Demo:
Rose Reeves is a student at College A.  Rose applied to College A through CCCApply over a year ago, and College A downloaded her CCCID as part of their CCCApply application download process.

College A was able to store Rose's CCCID in her Active Directory account which enabled College A's IDP to send the CCCID as one of the SAML attributes.

Because the college IDP was able to send the CCCID as a SAML attribute, the SSO GW identifies the student by their CCCID and passes the student directly to MyPath (or their destination application) without any further interaction with the SSO GW.

Step 1.1

Rose clicks on "MyPath Login" from the College A website.

Step 1.2

College A's Identity Provider login page is displayed.

Rose enters her college userid and password and clicks "Login"


Step 1.3

The SSO GW detects that the CCCID was passed as a SAML attribute and authenticates Rose to MyPath without any further interaction.



Scenario 2: SSO GW Prompts Student to Create an OpenCCC Account

John Demo is a returning student at College A but never applied using CCCApply. Because College A never downloaded an application for John Demo, College A's IDP was unable to pass his CCCID because it doesn't exist. 

Because College A's IDP was unable to send the CCCID as a SAML attribute, the SSO GW will direct John Demo to OpenCCC where John can retrieve his existing CCCID account if he has one, or create a new OpenCCC account.

NOTE: There are other reasons why a student may

Step 2.1

John selects "MyPath Login" from the College A website.

Step 2.2

College A's Identity Provider login page is displayed.

John enters his college userid and password and clicks "Login"

Step 2.3

The SSO GW detects that no CCCID SAML attribute was sent with the authentication request.

The SSO GW redirects John to OpenCCC where John can either login with his existing OpenCCC account, recover his OpenCCC account, or create a new OpenCCC account.

John selects "Create a new Account"

Step 2.4

John is directed to the "Create Your OpenCCC Account" page.

John selects "Begin Creating My Account"

Step 2.5

John creates an OpenCCC Account

Step 2.6

Account creation is complete.

John is asked to remember his OpenCCC username and password

John clicks "Continue"

Step 2.7

John logs into OpenCCC with the username and password defined in the previous steps.

At this point the SSO GW remembers the CCCID for future logins.

Step 2.8

John is directed to the MyPath main page.




Scenario 3:  SSO GW Remembers Student in Future

Because John Demo was directed by the SSO GW to create a new OpenCCC account in the previous scenario, the SSO GW "remembered" the CCCID associated with John Demo's College A login account.

Because the SSO GW remembered John Demo's CCCID, he will not be required to create or recover his CCCID on any new login attempts to MyPath via College A's IDP.


Step 3.1

John clicks on "MyPath Login" from the College A website.

Step 3.2

College A's Identity Provider login page is displayed.

John enters his college userid and password and clicks "Login"


Step 3.3

John is directed to the MyPath main page.
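
The routing decision behind Scenarios 1 to 3, as an added example (not CCC's own code): it inspects an assertion for the CCCID attribute, falls back to a remembered link keyed by IdP issuer and college account together, and otherwise sends the student to OpenCCC. The attribute name `cccId`, the issuer URL, the CCCID values and the in-memory store are assumptions, and the sample assertions are constructed and unsigned; a real gateway validates the SAML signature and conditions before reading any attribute.

```python
import xml.etree.ElementTree as ET  # production: hardened parser, after signature checks

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
CCCID_ATTR = "cccId"  # hypothetical attribute name; the page does not specify it

def sample_assertion(issuer, name_id, cccid=None):
    """Constructed, unsigned assertion used only as demo input."""
    attr = ""
    if cccid:
        attr = (f'<saml:AttributeStatement><saml:Attribute Name="{CCCID_ATTR}">'
                f'<saml:AttributeValue>{cccid}</saml:AttributeValue>'
                f'</saml:Attribute></saml:AttributeStatement>')
    return (f'<saml:Assertion xmlns:saml="{NS["saml"]}">'
            f'<saml:Issuer>{issuer}</saml:Issuer>'
            f'<saml:Subject><saml:NameID>{name_id}</saml:NameID></saml:Subject>'
            f'{attr}</saml:Assertion>')

def route(assertion_xml, remembered):
    """Decide what the gateway does; assumes the signature was already verified."""
    root = ET.fromstring(assertion_xml)
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not issuer or not name_id:
        return ("reject", None)  # cannot tie the request to a college account
    values = {v.text.strip()
              for a in root.iterfind(".//saml:Attribute", NS)
              if a.get("Name") == CCCID_ATTR
              for v in a.iterfind("saml:AttributeValue", NS)
              if v.text and v.text.strip()}
    if len(values) > 1:
        return ("reject", None)  # conflicting CCCIDs: never guess an identity
    if values:
        return ("pass_through", values.pop())  # Scenario 1
    cccid = remembered.get((issuer, name_id))
    if cccid:
        return ("pass_through_remembered", cccid)  # Scenario 3
    return ("redirect_openccc", None)  # Scenario 2

def remember(remembered, issuer, name_id, cccid):
    """Store the link after OpenCCC login, keyed by IdP and account together."""
    remembered[(issuer, name_id)] = cccid

if __name__ == "__main__":
    idp, store = "https://idp.college-a.example", {}
    print(route(sample_assertion(idp, "rreeves", "AAA0001"), store))
    print(route(sample_assertion(idp, "jdemo"), store))
    remember(store, idp, "jdemo", "BBB0002")
    print(route(sample_assertion(idp, "jdemo"), store))
```

Keying the remembered link on the issuer as well as the account name keeps a student with the same userid at a different college from inheriting another student's CCCID.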