2018-33: Enhance the SSO Proxy Sign-In Page with a Template with College Co-Branding

Request No. 2018-33
Date of RequestJune 28, 2018 / August 2, 2018 
RequesterDave Stephens, Butte College
Application(s)SSO Proxy 
Section / Page


Proposed Change to Download FileN/A
Proposed Change to Residency LogicN/A


Problem / Issue

Butte College has concerns about the current SSO proxy workflow, especially with respect fo students on their way to Canvas. They called a couple meetings with the Tech Center to report their issues and request a series of changes to help improve the proxy workflow process and ensure SSO is in place across the board. Their goals are both long-term and immediate.  Ultimately, requesting UI enhancements to the SSO Proxy sign-in page to better clarify to students where they are and why they are being re-directed there. Their immediate need is to get their students through the proxy to Canvas. They have a marketing campaign underway and a checklist of tasks to prepare students before classes start in the fall.


Students are getting confused by the Proxy Sign-In page - the feedback is that it's a disconnect when they get redirected to the proxy. The URL domain changes from a Butte College domain to something unknown (openccc.net). Students complained to their help desk with comments, "Is this legitimate?".  They don't see anything familiar on the page: they don't see Butte College (which they have already signed in to), they don't see Canvas logo or URL (which they were supposed to be on their way to); they don't see any messaging or help text that gives them confidence that they are on a credible site and what we are asking is a credible source


Meeting 6/19: First meeting with Butte and ES team

Meeting 6/28:  List of issues were discussed and they asked for certain things to be considered, and if possible, completed by August 1, 2018.

Meeting 8/2:  Follow up meeting to review progress on change requests.  Butte reiterated the following concerns:

  1. Reiterated that the college co-branding is needed.  College logo branded header is the best decision.
  2. Reiterated the amount of concerns from students saying "Is this legit?"
  3. Reiterated need for a short embedded video (why am I here?)
    1. add the college co-branded logo to this page (coming from MIS code)
    2. Add language that this is a ONE time process, your data is safe
    3. SSN (comment that they understand the importance of the SSN, but which we could do something about that
    4. Add a canvas or other app logo next to the banner/header of the page
    5. Add some clarifying language to the sign in fields to identify OpenCCC sign-in creds

 Click here to expand...

Notes from 8.02.18 meeting:

Reiterated that the college co-branding is needed.  College logo branded header is the best decision.

Reiterated the amount of concerns from students saying "Is this legit?"

Reiterated need for a short embedded video (why am I here?)

  1. add the college co-branded logo to this page (coming from MIS code)
  2. Add language that this is a ONE time process, your data is safe
  3. SSN (comment that they understand the importance of the SSN, but which we could do something about that
  4. Add a canvas or other app logo next to the banner/header of the page
  5. Add some clarifying language to the sign in fields to identify OpenCCC sign-in creds

Patty & Matt explained that: Faculty HAVE BEEN filtered out from the proxy flow - they won't see it unless they are ONLY students

  • IF faculty are also students, they could be informed that they really should be going through the proxy but are currently filtered only.

Butte needs to set up a flyer for 10K incoming students (about this process to convey legitimacy of THIS proxy / Canvas process)

Concerns from Butte:  Ensure SSO is in place across the board.

Regarding the pre-seeding CCCID process that Butte is sending out to the students, make sure they have the correct URL (we confirmed this during our meeting)

Butte's message to students will go out by 8/15.  (Patty, Get copy of the message they are sending out.)

Matt Norris added that ES is working on a questionnaire which will include their custom URL (vanity url) (ask the OEI CSM has a list of vanity URLs)



Change Request Specifics

#

Issue/RequestResponse / SolutionResponsibleDeadline / Status
1Whitelist faculty and staff from being redirected to OpenCCC (from Proxy) when signing in to Canvas

Butte College and others have been whitelisted from the proxy for any session that sends over any EduPersonAffiliation attribute that is not strictly "student" (i.e., that includes - faculty, staff or member or any other value that is not ONLY student).

Butte College and others have been whitelisted from triggering the proxy for faculty, staff, member.

8/2 Note: Butte College will do another round of tests - to ensure the whitelisting is in place as expected. 

Currently, the following logic is in place:

  • Only students should ever see the proxy for the purpose of ensuring their CCCID is passed (seamlessly) to the endpoint/application
  • If a faculty/staff/member at a college is also a student - they are currently being filtered from the proxy BUT this is a temporary change until this process is finalized/approved and all colleges are informed.
Franz / Matt

DONE

COMPLETE

Zendesk #12988

In July, Canvas was whitelisted (does not redirect) for any EduPrimary Affiliation that was not strictly (only) STUDENT. 


3

Improve the language/messaging on the proxy Sign-In page that affirms that the OpenCCC and CCC ID mechanisms are legitimate. 

  • Revise/improve the message/ language on the proxy sign-in page for clarity and to legitimize the proxy re-direct
  • Add "OpenCCC" to Username & Password
  • Add language to clarify "why student is being redirected"
  • Add short video/screencast
  • Update language on the Sign-In page (i.e. "We know you might not be expecting this, but...", etc.). This can easily be accomplished by embedding a short (20-30 second) screencast video."




Proposed Solution:

Enhancements to the proxy sign-in page have been approved:

  • Update the language on the Sign-in page with new, dynamic text that displays the name of the destination application. Tim approved the following change:

    You're on your way to << CANVAS >> from <college>...

    To continue, please sign-in or create an account with OpenCCC, the California Community Colleges systemwide student account.


Solution Issues:

The Proxy can't differentiate between individual colleges (origin) if they're from a multi-college

Tim added to this design - "You're on your way to CANVAS from <<college>>"




IN-PROGRESS


  • Replace old "OpenCCC" logo with new "CO Brand" version and color
  • Update the font type and replace with new colors
  • Add "OpenCCC" to the Username & Password labels
  • Change the colors
  • Increase the font size on "Create a new account"



See the specifications below the screenshot in the next column:
  • Revise the "A Service of the..." text logo in the lower left hand corner with new font type and place all words on the same line
  • Fix the CCCCO text logo on one line and fix kerning (use new fonts and place all words on the same line)


For reference, this is the way it looks today (below):

Change to:  

A Service Of The
California Community Colleges Chancellor's Office

  • In the new font (per new 2018 CO Brand Guide) and ensure all words in CCCCO are on one line.  
  • The font size can be adjusted based on the fit of this requirement. 
  • All words in the text-based logo should each be capitalized. 



Improve the proxy workflow with better branding

  • Add college-branding 
  • Enhance/improve CO and CCCTC branding
  • Legitimize the endpoint application - add application branding
  • Use college sub-domain & URL mapper to legitimize the re-direct

Note: 

When a user goes to access an App like Canvas - then hit the Proxy - Proxy LOGIN - (CCCCO logo has little value to students)  - the page presented needs to confirm and legitimize the re-direct.

“You’re here because….”

Drop icons onto the OpenCCC Login page - (some kind of branding)

Make the following changes to the proxy workflow:

  • Using college MIS code, display proxy Sign-In page on a college-branded web page, similar to the college-branded CCCApply pages. Use all existing college-branded banners;

Solution Issues:

The Proxy can't differentiate between individual colleges (origin) if they're from a multi-college



IN-PROGRESS

Fix all proxy bugs and issues in Pilot and Production

Hotfix 1.9.1 - Rolled to Pilot 

Hotfix 1.9.2 - Pilot release 8.16.18 / Production 8.23.18 5pm TBD


IN-PROGRESS

Fix and deploy EPPN > CCCID API and other processes of getting colleges the CCCIDs created during proxy re-redirect

Implement a better way to implement the PROXY



PROXY improvement discussion with Josh on 6/21/18

  • Develop a service/process to get the CCCIDs into their system first
  • We need to come up with Something we can do to help the colleges get this data
  • Use the Download client to help store the CCCID into their Active Directory for new students


EPPN issues
6.2.0 fixes the CCCID duplication issue in Report Center
Bug ticket is open for this:  Also couldn’t filter by MIS code

  • EPPN Look-up (API) service is fixed now (check with Charles H.) note: This is in the Central Services (with Messages services, rules engine? Services that can be used by multiple projects)
    Increased the Dynamo DB parameter settings - in place
    and a software fix was made by Charles H. (if Dynamo gets overrun, will try again) - this one is not live yet.

Only tells us about mappings that already exist (pulls a list of CCCID to EPPNs)

A temp work-around fix was put into place by Infiniti so that State Center can pull down their mappings


EPPN/CCCID API 

problem with capacity (we weren't able to accommodate the counts (too many downloading)

EPPN Download Service

  1. Proxy account creation or recoveries from redirect to proxy - folks that have hit the the proxy and have to create or recovery. We grab their new account/CCCID and add to Dynamo table. - 
  2. Proxy pass throughsSome colleges are passing along and we catch it when they pass.  These are all stuck into the Dynamo DB table. 

(prod-eppn-map) - 

Suggestions from Matt in proxy meeting 8.02.18

Run something at the college (NOT the download process for applications) Franz to apply confluence page 

(short term work-around, Jay Owen, increased Dyamo db params to allow State Center to download EPPNs - with approval from Lou.  

Charles H. fix was more permanent - IF multiple colleges wanted to download EPPN mapping at the same time, even with the increased params there's a chance it could flood the Dynamo again. Increased error handling in the download service code. 




Replace the OpenCCC.net domain with .edu or .org (for legitimacy: .com and .net are all easy to obtain and commonly used in spoofing efforts

Patty discussed obtaining a .edu domain with Tim on 8/1.  This is not possible; only accredited institutions can obtain a .edu.  Any non-accredited institution that has one now was grandfathered in by EduCause.

Sub-domains using the URL-redirect can be implemented if needed

Patty / Franz

DECLINED

DECLINED .edu can't be obtained

PENDING sub-domain use


Gather data on Proxy usage

  • How many students have to create an account in the Proxy
  • How many students have to recover their account in the proxy
  • Log data needed - We need data
  • How many students just went through without being redirected - 

I have filed ZD-2850 to request that Infiniti make the Prod Proxy logs available in a S3 bucket so that I can download them and parse for this type of information.

I have also asked Infiniti for a dump of the prod eppn_mappings table to see if there is any useful info in there to help answer these questions (IADO-842).


IN-PROGRESS

Create and publish Proxy FAQs


Butte would link to this page for students

FAQs and Direct Account Link to create CCCIDs
Email campaign 

We need a marketing campaign on the Proxy - video tutorials, workflow diagrams, 

Matt - calls with the college before they go live with Canvas - go over all implementation details carefully, workflow requirements for students (provide link to the Direct Account Creation) - another message (why your student would see it)


NOT STARTED

Create Video Tutorial for "proxy redirect" to OpenCCC 

Video should demonstrate quickly and clearly:

If the OpenCCC proxy is triggered when you attempt to access a systemwide application, here's what happens and why.

Three options:




Proposed CHANGE Breakdown

Changes needed to the Sign-In UI

To change the Proxy UI - both the Proxy team and the Apply team need to do work, but OpenApply team would need to do the deployment

The proxy needs to send a parameter to OpenCCC to tell the page what to display.
The Apply needs to do the UI changes and deploy.  Deployment could happen with a rolling restart.(Old code won't be able to handle the new code, (Signature will be invalid.

Requirements:

Apply Jira ticket for the work
Zendesk ticket for the deployment 

Deployment:

Getting into Pilot would be a problem - so we'd have to go right to Prod if we make changes outside of the 6.2.0 release

Can't do RF test - they don't do branching/versioning of old code (due to complexity of our code since last prod/pilot releases)

Test in TEST environment (Vicky roll back to 6.1.0 branch maybe)


Problems with the Current Proxy - Design & Workflow

The Proxy can't differentiate between individual colleges (origin) if they're from a multi-college

Tim added to this design - "You're on your way to CANVAS from <<college>>"







Spam filter processing of multiple email address accounts. talk to Alejandro



Next Actions

Need a date that this or some version of this ^^ can be implemented for proxy flow

Need to work on the language for the sign-in page

Need to come up with two part solution for Butte:

  1. FAQ for proxy account creation process
  2. need changes made by X date for their comm campaign
  3. message with correct URL to the proxy account creation page

Butte will work with Matt Norris (via Dan Neal - who is heading out on paternity leave BTW) to retest the proxy whitelisting.  Need to schedule testing of what the proxy is whitelisting


Proposed Solutions for Long-Term Proxy UI/UX Enhancements





Better Short-Form Account Creation process

Use the college's attributes to pre-fill an account 

Alternate - Recovery process - 

Before we get 

Batch processing for New Accounts for colleges:


Use SuperGlue to bring back data to create an account 

  1. Improve the Sign-IN page language & branding
  2. Implement the non-redirect workflow - 







Talk to Tim:

Is/can we lift the requirement on colleges to go through proxy for Canvas until we figure out solutions for current issues?

Need a better way to message students about the Proxy and why it's important - Marketing campaign

Need a better proxy UI UX - legitimacy and user-friendly process

Need to show where they came from, where they are going, and why they landed here

Suggestions:

Bypass the proxy completely 

Don't trigger the proxy for students w/out CCCID, instead send the college an email or a report on every student/session that did not have CCCID included.


Since these are students already, have the college match up the student with OpenCCCApply download information (or report center) and prompt the student to create an account
sent the student the direct link to the "Proxy Create Account" site:  https://bcportalguard.butte.edu/_layouts/PG/login.aspx?ReturnUrl=%2Fsso%2Fgo.ashx%3FSAMLRequest%3DrVNBbtswEPyKwLtEU7FUh7ANuDGKCkhaI3Jy6CVYk7RFQCJV7rJNfl9ZjtsUBXwociJ2uDM7OyDnCF3by1Wkxt2b79EgJc9d61COFwsWg5Me0KJ00BmUpGS9uruVeTaRffDklW%252FZG8plBiCaQNY7llTrBXsqr%252FLiw%252F5a6P1VqZQuC1BClVpPp7oQOwEzIWZqel0IYMmjCTgwF2wQGuiI0VQOCRwN0ETM0sksFcU2z2Veykn5jSXrYRvrgEZWQ9Sj5Hyneh8I2kOEoLNdJDKZ0ZEjen7wGWDzzJLV2eeNdxg7E2oTflhlHu5v%252FygNjEwp1b30QE3mw4Gj7frWHGPgndexNVnf9Hys8XTmKSgc0buqFkKwZPMa4kfrtHWHy%252FntTk0oP2%252B3m3Tztd6y5fyoK8c8wvJ%252FvXWGQAPBEZzzt4rz0wv5Mnip1hvfWvWSfPKhA7ps9YhYne7HVkkBHFrjaMi2bf3Pm2CAzIJRiIbx85Ba%252BX5Y71y%252BPkgTqvU7Lva37hn7PZr%252F%252ByOWvwA%253D







Suggestions 

The Tech Center needs to be a better job of product marketing, placement, overall management of the proxy. 

Colleges need to understand that Faculty & Staff might need to be redirected to OpenCCC if they are truly students in some capacity. For now we can whitelist but ultimately, the proxy is doing what it's supposed to do - which is any "student" needs to have an account (CCCID) and that needs to be passed through to the endpoint (application).


Notes

From 8.02.18 meeting: 9+ colleges provided feedback to Dave Stephens on the use of the proxy - concerns about abandonment when they get to the proxy.  Most of the concerns and comments were made by staff and FACULTY, who have a strong voice in this process. 


Per Matt S.  - you can't really test 

Query their EduPerson Affiliation in AD to ensure they are passing the correct affiliation.  (typically testing isn't done correctly)
Every use case:

  • Student only
    Faculty only 
    Staff only
    Member only
    Faculty/staff only
    Faculty/staff/member only

Run a query and bring back all the different EduPerson Affiliations

Flag any that are multi-valued (staff + student) Matt S. could help by providing a Power-shell script

Effort to get this implemented in the upcoming release, a few files were changed (css file change, jss file, 

Making this a dynamic template would require a tiny bit more effort

But would require a proxy change as well - because the proxy needs to determine where they are going to, add param over to call this page.

This would require a Proxy hotfix and an OpenCCC Account hotfix 

Both are low risk, low effort  (Talk to Josh about the college co-branding effort - either adding a banner to the page or adding a Canvas, etc. logo to the page.)

Redesign the setup of the page?  This would be to highlight that most of the students who encounter the page are 

If the proxy side is setup to send that information - the Apply dev team could update that page in less than a day. 
Franz could 




Supporting Documentation

1) Update on status of the following OpenCCC enhancement requests (Donohue)

a. Removal and replacement of the .net domain (as .com and .net are all easy to obtain and commonly used in spoofing efforts).

b. Clearer language and/or imagery that affirms that the OpenCCC and CCC ID mechanisms are actually legitimate. (i.e. "We know you might not be expecting this, but...", etc.). This can easily be accomplished by embedding a short (20-30 second) screencast video. c. Consideration of custom subdomains per CCC point of origination in conjunction with (or w/o) #1 above (i.e. "butte.openccc.edu/idp/profile/SAML2/Redirect/SSO?execution=e4s1")



For Internal Use Only

Related JIRAs

OPENAPPLY-5638 - Getting issue details... STATUS