2018-35: Improve SSO Proxy Process & Workflow Issues

Request No.: 2018-35
Date of Request: June 27, 2018
Requester: Dave Stephens - Butte College
Application(s): SSO Proxy / OpenCCC Account Creation
Section / Page: Proxy
Steering Hearing Date: TBD
Proposed Change to Download File: N/A
Proposed Change to Residency Logic: N/A

Problem / Issue

Butte College has completed proxy integration and is preparing to implement the proxy workflow for students (and staff/faculty) using Canvas LMS.

In June 2018, Butte raised concerns about the proxy design and workflow to the CCCTC Enabling Services team, which called a meeting with Butte College representatives to determine what can be done to resolve them.

Butte's concerns are that the current design and implementation of the proxy are problematic and are creating barriers for their students. Admittedly, the college had not completed the proxy integration requirements, but they will. Nevertheless, for the students who don't have a CCCID, the redirect process and the proxy sign-in page are very confusing when encountered. Furthermore, faculty and staff are very concerned as to why they are being redirected (almost more complaints than the students). Below is a full list of concerns from Butte and proposed solutions for each.

For context, there is a brief description of what the proxy is and its current workflow in Notes below.




Could the ePPN be used to create accounts?


Focus on getting all students their OpenCCC CCCID

Do we have any deadlines and driving need to get this done? YES - Canvas LMS implementation has now required colleges to integrate with, and use, the proxy service to pass students through to Canvas.




Franz’s suggestion:  CCCID short process - on proxy redirect. Create a very short version of OpenCCC Account Creation, basically to get the user a CCCID and continue them on their way to their end point. 

Suggestions:  Username = personal email address?  Password, and DOB.

The rest of the data could be auto-populated by the college's metadata (First + Last, street, student ID?)


Proposed Solution

Enhancements and change requests requested by Butte College

  1. Whitelist application URLs for faculty and staff (i.e., Canvas LMS, CAP, Report Center, etc.)
  2. Change the proxy domain to a .edu - from www.openccc.net - students perceive this as a 
  3. Revise the visuals on the proxy sign-in page to better brand the experience as "legitimate"
  4. Add college branding image to the proxy sign-in page so the student feels comfortable that the redirect was "legitimate"
  5. Revise the language on the proxy sign-in page to clarify what the student needs to do and why


Solution:

Canvas LMS is whitelisted for every EduPrimary Affiliation that is not ONLY / solely "student".  If staff, faculty, member, etc. also includes a "student" affiliation, they will encounter the proxy.


Fix the EPPN + CCCID API and report

Fix the bugs and issues with the production proxy

Update the UI design and language on the proxy sign-in page (don't forget to fix the color of the buttons)

See if we can add an image or logo of the application that the student is heading to when they encounter the proxy

Add a college-branded banner to the proxy re-direct page, including the new UI design/language

Work with the 


Additional enhancements, changes, and product improvements for all colleges

  1. Whitelist all Canvas URLs while implementing a campaign to encourage colleges and students to get their CCCID
  2. Add a forgiveness nudge that would allow the student to continue on to the application up to 3 times before being redirected to the proxy and made to sign in, recover, or create an account.
  3. Create a "short-form" OpenCCC account for students who hit Account creation via the proxy only. The theory is that the student is clearly already a student at the college (they are hitting the proxy from the college's IdP). The college knows the student's name, address, DOB, and probably their SSN = most of the data that is collected via OpenCCC Account creation, which could be passed via metadata attributes and auto-populated by the proxy in account creation. We'd need to only ask the student for: Personal email (alternates as Username), a Password, DOB, and probably First + Last names.
  4. Fix the EPPN > CCCID report in the Report Center (add the College ID, submit timestamp) - Add a timestamp to Account Creation (September 2018)



Notes

For context, below is a brief description of what the proxy is and its current workflow:

What's the purpose of the proxy?

The purpose of the SSO proxy is to ensure every CCC student has an OpenCCC account and is passing their CCC systemwide CCCID when accessing and utilizing systemwide technology applications. Since the implementation of the OpenCCC Student Account system, over six million students have been issued a CCCID, the CCC systemwide account identifier which is intended to identify and track the student across colleges and applications throughout their educational journey/career in the California Community Colleges system. Though the majority of current students across the system have created an OpenCCC account when they apply to a college, there are still students who did not create an OpenCCC account for a variety of reasons. 

Furthermore, the proxy is only interested in identifying and storing CCCIDs for students. Staff and faculty should not encounter the proxy unless they are also students in some capacity.

How does it work?

Every time a student attempts to access one of the systemwide technology applications, such as MyPath, Canvas LMS, Course Exchange, etc., the proxy looks for the CCCID in the IdP session's metadata and passes it to the application. If the proxy cannot find the CCCID in the metadata, it will redirect the student to the OpenCCC/Proxy Sign-In page and prompt the student to sign in with their OpenCCC user account credentials, recover their account credentials and sign in, or create an account if the student doesn't have an OpenCCC account. This redirect and the subsequent process to obtain an account or sign in is a one-time process. The student will only encounter this process once; the proxy will collect and store their CCCID and will not redirect the student again.

What does the college need to do?

Since 2016, the CCC Technology Center has been working with every college's IT/Systems department to ensure their student Identity Provider service (IdP) is configured properly with the SSO proxy (aka proxy integration) and passing the necessary attributes, including the CCCID, to facilitate single sign on within the CCC systemwide technology applications.    

Among the technical requirements, colleges must ensure their students' CCCIDs are stored in their user directory (i.e., Active Directory, LDAP, etc.) so that they can be passed with the IdP.

If the college does not configure their IdP to pass the student's CCCID attribute along with the other required attributes, every student will encounter the SSO proxy the first time they access a systemwide technology application.  Colleges can prevent the proxy from triggering at all if the college configures their IdP properly and passes the required attributes, including the CCCID. 



Focus on getting all students their OpenCCC CCCID

Set up a campaign with the ES team - to encourage colleges to implement

Staff is identified correctly with the correct metadata attribute(s)
Active Directory is configured to pass the correct

Part of this plan - whitelist all Canvas URLs while implementing a campaign to encourage colleges and students to get their CCCID

Another suggestion

Matt Schroeder suggests:  A count-down issue > redirected to a page that says you do not have a CCCID  but let them get through the first 5 times and each time give a warning to the student. That they will have to do it.

Proxy would be presenting that page - counting down the number of tries left - they would be sending the EPPN regardless - has gone through the proxy you should uniquely identify them;

Still complies with the design of the proxy - but would be least impactful

Implement a notification back to the college if the student hits the proxy and no CCCID is passed - put the responsibility on the college to follow-up, get the CCCID,

What it would do:  It will allow a student without a CCCID to continue to their endpoint without logging in, recovering, or creating their account at that moment - and notify the college that the student hasn’t passed their CCCID
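The decision flow described under "How does it work?", combined with the affiliation whitelist and the proposed grace passes and college notification, modeled as an added example (not the proxy's own code). The attribute keys `affiliations` and `cccId`, the app name `canvas`, and all function names are assumptions; staff and faculty bypass only when no "student" affiliation is present, and `grace_limit=0` gives the current behaviour.

```python
from dataclasses import dataclass, field

# Hypothetical app identifier; the page only says Canvas LMS is whitelisted.
WHITELISTED_APPS = {"canvas"}

@dataclass
class ProxyState:
    eppn_to_cccid: dict = field(default_factory=dict)   # stored after first link
    grace_used: dict = field(default_factory=dict)      # ePPN -> passes consumed
    notify_college: list = field(default_factory=list)  # ePPNs reported to college

def route(state, attrs, app, grace_limit=0):
    """Return (decision, cccid) for one request arriving from the college IdP."""
    eppn = attrs.get("eduPersonPrincipalName")
    if not eppn:
        return ("reject", None)  # nothing stable to key the stored mapping on
    # "affiliations" and "cccId" are assumed attribute keys, not from the page.
    affiliations = {a.lower() for a in attrs.get("affiliations", [])}
    # Fail closed: missing affiliation data never grants the staff bypass.
    if app in WHITELISTED_APPS and affiliations and "student" not in affiliations:
        return ("pass_through", None)
    if attrs.get("cccId"):
        return ("pass_through", attrs["cccId"])         # IdP passed the CCCID
    if eppn in state.eppn_to_cccid:
        return ("pass_through", state.eppn_to_cccid[eppn])  # linked earlier
    # No CCCID anywhere: optional grace passes, then the sign-in page.
    used = state.grace_used.get(eppn, 0)
    if used < grace_limit:
        state.grace_used[eppn] = used + 1
        state.notify_college.append(eppn)               # college follows up
        return ("pass_with_warning", None)
    return ("redirect_sign_in", None)

def link_account(state, eppn, cccid):
    """Record the CCCID once the student signs in, recovers or creates an account."""
    state.eppn_to_cccid[eppn] = cccid
```

With a non-zero `grace_limit`, the application receives requests that carry an ePPN but no CCCID, so it must tolerate that case for as long as the grace period lasts.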

Supporting Documentation