Proxy Issues & Proposed Solutions

Several colleges who have implemented Canvas have raised concerns about the requirement to implement the proxy workflow and haven't chosen not to do so to avoid the challenges and frustration to their students, faculty, staff and IT.

To support the colleges that are not ready for Fall 2018: 

• Consider removing the requirement for Fall 2018 and allow the Tech Center and Enabling Services to (per Tim, this is not approved.)
  1) develop a business operations implementation checklist for colleges implementing Canvas (we need to include any other specific tasks related to other Apps & services as well including the new CCC Admin (CAP)
  2) Work with Sandoval's team to draft a consistent message and FAQ on the Proxy and CCCID
  3) Draft email comm to colleges with implementation plan and point to FAQ
  4) Plan & complete implementation with the colleges,
  5) improve the Proxy sign-in UI and workflow, and
  6) Long-term: Propose/develop an auto-fill Account process for existing students (Patty has started this plan, will paste link to details here._
  
  

Colleges need more information and options from the Tech Center on how to implement the proxy for Canvas. 

See below in this doc for:

• implementation plan suggestions
• Communication plan suggestions
• UI UX suggestions
• Project plan suggestions
• Deployment issues

Faculty and staff have complained that they are getting redirected to the proxy as well as students and it's catching them off guard. The college had not informed/trained staff and faculty, or the information wasn't understood by the college during IT integration.

Some colleges don't want to implement the proxy workflow this fall until better implementation support and training is provided by the Tech Center.

These are the colleges that we heard from:

• Antelope Valley College (Rick
• Butte College (Dave Stephens, Matt)
• Santa Rosa (Mitch Leahy, Don Webb)
• ES team working on full spreadsheet of all the colleges names

Overall, colleges do not understand the purpose of the SSO proxy: how it works, why it's important, and how it is related to OpenCCC (or CCCApply or the CCCID). 

Admissions & Records and IT seem to have an understanding of the systemwide CCCID, but in general, college faculty, staff, counselors, and even college/district leadership hasn't been exposed to the significance of the CCCID and how it's used to track student records across the CCC system over the lifetime of the student's educational journey. 

The Tech Center needs to develop a clear, consistent message about the significance of OpenCCC, the CCCID for all students, and the SSO Proxy --- providing information on the purpose, the requirements, the long-term goals and objectives of the systemwide ID for all students - AND outline the operations implementation plan & options; then communication to students and staff.

Outline process for communication to students about the OpenCCC Account and CCCID

Emphasize/differentiate how it's different from their college student ID and used for systemwide single sign-on and tracking across colleges and applications

***Andy's recommendation is for Patty to work with Enabling Services (David Quintanilla) to create a series of monthly webinars (similar to the success seen with MyPath and Glue webinars) that colleges could attend (or view recording) to continually reinforce Marketing message, and add system-wide awareness of the necessity and benefits of Proxy and the CCCID

Colleges that adopted OpenCCCApply years ago never stored the CCCID in their SIS, thus the processes are not in place to implement the full workflow process 

Produce a White Paper on OpenCCC and the Proxy

Create diagrams and implementation materials to show the full workflow, from incoming OpenCCC Accounts being downloaded via CCCApply, uploaded to SIS, imported to Active or common directory, passed via IdP attributes, stored in the proxy, and new accounts created via proxy returned to the college via available API.

(Andy - could we get approval to do a video tutorial on the Proxy?  Maybe we need two short ones?)

***Andy's recommendation is for Patty to work with Enabling Services (David Quintanilla) to create a series of monthly webinars (similar to the success seen with MyPath and Glue webinars) that colleges could attend (or view recording) to continually reinforce Marketing message, and add system-wide awareness of the necessity and benefits of Proxy and the CCCID

ES Action Items:  

1. Create or Update an ES Transition Plan for SSO Proxy Release 1.9.X (Integration & Implementation) (Keith K. to draft revision or new doc - using task list)
   1. Including Product Information and updates
   2. Implementation process and updates
   3. Strategic approach to adoption
2. Implementation Materials:  
   1. FAQ and/or white paper for CCCID, Account, Proxy
   2. Video Tutorial(s)
   3. Public Documentation space (add to CCCApply or create an OpenCCC space)
3. Data & Stats

Based on feedback from colleges, students perceive the proxy to be illegitimate ("Is this for real?"). It appears to be a phishing attempt or scam, and doesn't feel congruent to their expectation that they were on their way to Canvas from their college portal..

Tech/Dev Action Items:

Implement short-term improvements to the Proxy Sign-In page with better messaging, college branding, application branding, support for students with a video tutorial and a link to support. See UI Page enhancements below. 

***(Patty - we should add an expected time frame on the sign-in page explaining why they are there, how it benefits them, and how many seconds or minutes it will take them to get a CCCID.)

Colleges perceive the proxy as a barrier for their students

Provide colleges with information on importance of the CCCID and the SSO proxy;

Provide colleges with information and options to prevent the proxy from re-directing students, including ensuring IdP and common directory is passing the information required by the proxy.

Ensure every college has the URL to pre-seed student CCCID accounts in the proxy that the Proxy team has created. This process will give colleges another option to have students do this task outside of the Canvas workflow.

**Andy's recommendation is to also have the ES Deployment project include steps to insure that a pre-seed url is set up, and communicated prior to going live with canvas/proxy.

Faculty and staff perceive the proxy as a barrier for them - they are frustrated 

Provide the colleges with information on the importance of passing the correct attributes. 

In June, the Proxy team whitelisted Canvas, Starfish, and CAP to prevent faculty, staff from being re-directed to the proxy. This was done as a hotfix (1.9.1) - which will only re-direct users that have an EduPersonProfileAffiliation that includes STUDENT only.  If passing any other profile, the proxy will not re-direct.

** Patty - FYI - in the case of Butte College, many of their Staff also have the Student attribute since many of the staff take classes there. - Andy

Colleges need better training and support on the proxy web service and overall workflow. 

Right now we don't have "implementation" materials for colleges to help them communicate the proxy process internally or for students, and they don't have enough information on the full proxy workflow.

Improve the public documentation space for colleges with FAQs, video tutorials, support & training materials, and link to pre-seed student Accounts

***Andy's recommendation is for Patty to also work with Enabling Services (David Quintanilla) to create a series of monthly webinars (similar to the success seen with MyPath and Glue webinars) that colleges could attend (or view recording) to continually reinforce Marketing message, and add system-wide awareness of the necessity and benefits of Proxy and the CCCID

There is a comprehensive proxy integration process for IT and most of the colleges have completed that work; however there has not been a clearly prescribed implementation plan or support materials developed to help colleges educate administrators and staff, nor materials for students (clear instructions, help).   

Enabling Services does provide guidance and education during implementation, along with a sample email message that collages are encouraged to use as notification to end users prior to going live, although it's use is completely in the hands of the college IT team, and needs to insure coordination with Admissions office for proper and thorough pre-go-live communication across campus.  Enabling Services /wiki/spaces/ES/pages/363889056 resource page

Ensure that all CCC colleges (faculty, staff, Administrators, and students) understand the technical and business operations implementation requirements;

1. Tech Center (Enabling Services) needs to develop and document step-by-step implementation processes for colleges 
2. Develop workflow diagrams to help visualize the flow of data between the OpenCCC Account system at time of application to how they get the Proxy-account CCCIDs back to their systems
3. ES to make mandatory, that the college provide pre-seed URL AND distributed proper communication prior to going live.

Colleges that have integrated the proxy but aren't passing the CCCID because they haven't been storing the CCCID for their students since they implemented OpenCCCApply. 

Create a Business Operational Implementation Checklist

Communicate to faculty

Primary reason 

Downloaded into the DW and linked to all our the purposes of learning analytics for predictive modeling.

Enabling Services to communicate process and train faculty, staff, admin about the CCCID and the redirect workflow

Enabling Services to train and assist college IT on how, when, why to start downloading the CCCID, storing in their SIS, importing to Active Directory

Start passing the CCCID attribute in IdP metadata

Colleges can run a report in the Report Center collecting student information, CCCID and try to match up with college IDs;

Or colleges can prepare students for the proxy re-direct by communicating the process - legitimize the OpenCCC Account system and ensure they know it's legitimate;

Students that have created an OpenCCC account with CCCApply, can "recover" their account and enter in OpenCCC credentials on Proxy sign-in page. They only 

President of the faculty senate - to ensure they know what's going on. 

Work with Sandoval's team to create a comm plan, and Enabling Services for an outreach follow up.

Email colleges and link back to more information on implementation, training & support

Provide colleges with information about the Proxy and how it relates to and differs from the OpenCCC Account IdP.

Provide breakdown of implementation options and link to detailed checklists on Public Documentation/Implementation site:

• Implementation process for colleges that haven't been storing the CCCID for students (in other words, the college is not sending over the CCCID for any students, even if the student has an OpenCCC account);
  
  
• Implementation process for colleges that haven't informed staff, faculty or students on the purpose of the proxy, what students need to do, etc.  
  
  
• Implementation process for colleges that have a large number of non-credit or special populations that don't have CCCIDs

• The CCCID is now an MIS reporting requirement starting summer 2018
  
  
• All students must have a CCCID and the colleges need to store this data field in their SIS and common student directory so it can be passed in the college/district IdP for consumption by all systemwide applications and services;
  
  
• The CCCID facilitates single sign-on for students across CCC systemwide apps and services, but does not ensure SSO between CCC apps and college apps*

Emphasize / outline the proxy re-direct process - students have three options: 

When they get re-directed to the proxy sign-in page, they can:

1. Sign-in with their "OpenCCC" username and password credentials
2. Recover their account credentials by clicking "Forgot Username" or "Forgot Password" - then sign-in once the credentials are recovered
3. Create an account (emphasize this should only be done if they've never created an OpenCCC account before.
4. They only have to do this once - the proxy will store / remember their CCCID  
5. Colleges can obtain the CCCIDs created through the Proxy

Legitimize (redesign) proxy sign-in page

Improve the proxy sign-in page with revised message language, error message text, and other design changes to legitimize the service for students and colleges.

1. Update the CCCCO | OpenCCC brand/logo (span across the top of sign-in box)
   
   
2. Revise the onscreen text language to:
   "You're on your way to <Application> from <College Name, preferably, or District Name>.
   To continue, please sign in or create a new account with OpenCCC, the California Community Colleges system-wide student account.
   
   
3. Revise/enhance the error validation message in the red message box to:
   "We could not find that username/password. Please ensure you are entering your OpenCCC systemwide account credentials. Try again."  OR (Patty to work on two additional proposed messages).
   
   
4. Enter greyed out input field prompt text in Username field = "Enter OpenCCC Username"
5. Enter greyed out input field prompt text for Password field = "Enter OpenCCC Password"
   
   
6. Update the CCCCO text-based logo in the lower left of the Sign-In page with new approved colors, font, and put all four CCCCO words on the same line, to:
   
   A Service of the
   California Community Colleges Chancellor's Office
   
   
7. Update the "Sign In" box color to new approved font & color that matches the logo.
8. Update color and font of the hyperlinks in the footer to new approved font & color(s).
   
   

Does the Proxy sign-in Help page go to the OpenCCC Help page? are they the same?

Who owns that page?  

Are their any other options to provide a pop-up "Why am I here?"

Are the links in the footer the same as the OpenCCC links?

8.28.18 - Technical work underway to do the UI and the additional parameters needed to merge in the endpoint and the college/district IdP.  Trying to get this done in CI by Friday 8/31 (both ends). Still on target to release to prod on 9/28. 

OPENAPPLY-5638 will be the one Jira ticket referenced in this update.

Double check with ES team on the release version (1.9.3)

The UI sign-in for the proxy is in the OpenCCC code base - not in the proxy code base. (Does this warrant a full go/no go review?  Accessibility and security-wise?

The sign-in page messaging is confusing for the user; it's not clear what login credentials we are asking for. The student has just signed in to their college IdP and then immediately we are redirecting them to a second, different sign in page. The messaging lacks enough information to explain why the student is seeing the proxy sign-in page.

Notes per discussions with Butte College and Proxy team. 

8.24.18: This is included in  OPENAPPLY-5638 - Getting issue details... STATUS

As a compromise to making a bunch of onscreen text enhancements to differentiate between OpenCCC UN/PW creds vs. college account credentials - use the error validation message to guide students to enter their OpenCCC username and password.  (This is an alternate solution to modifying the prompt text "Username" and "Password".  

1. If the user enters incorrect UN and/or PW in the input fields, display error message that is more helpful to the user instead of "try again" or "your UN and PW do not align" etc. (see exmaples)
2. Enter greyed out prompt text in the UN and PW input fields: 
   1. "Enter OpenCCC Username"
   2. "Enter OpenCCC Password"

Objective: We are trying to help the student differentiate between their college IdP user account credentials and their OpenCCC account credentials.  

Implement College & App Branding on Sign-In page

The sign-in page lacks legitimate, recognizable branding to the user so they feel comfortable that the re-direct is legitimate and approved by the college, the CCCCO, and the application they are trying to access. 

As of 8/25/2018, there are 218,998 items in the Production eppn-map dynamoDb.  This should be representative of the  number of students that have passed through the Proxy.  As to how many went through recovery, I thought I had that logged in the proxy but I do not.  The best way to get a number for this is to look at the eppn-map in OpenCCC.  Per IADO-842, the last count (several weeks ago) that I got from Tom was 42,200 but we can't tell how many had to create a new account versus recover their account (I don't believe).  I'll be able to tell for sure when Tom gets me the full dump of that table that I have requested in that Jira.

Per Franz 8.27.18:  Asking Tom to Dump EPPN table to support data gathering.  The 42,2K includes everyone that didn't have a CCCID when they hit the proxy.  We just can't tell 

There's field in DB table that says "existing" - covers the sign-ins and recovers

Additional requested improvements to UI/UX

NOTE: This list was provided by Matt to ensure we have the same list (8.24.18)

1. college co-branding on OpenCCC page  (Approved to merge college name in 6.2.0)
2. update OpenCCC page language (Approved 6.2.0)
3. explanation video of redirect & CCCID requirement (Not approved for 6.2.0. Patty to work with Andy on separate support video and materials; not integrated onto Sign-In page as requested)
4. use college subdomain with Tech Center URL mapper (Not approved for 6.2.0)
5. use SAML attributes to pre-populate account information (Approved to propose a draft - not approved for 6.2.0)
6. batch process new OpenCCC accounts (Not approved for 6.2.0)
7. use SuperGlue to populate required user information & simplify account creation form (Approved to propose a draft - not approved for 6.2.0)
8. bypass proxy for account creation and send lists of users missing CCCID. (Not approved at this time).

Colleges are frustrated that students are re-directed to the proxy while on their way to their LMS or other system to work (canvas assignments for a course or program). Colleges want an optional workflow process that doesn't interrupt the user experience, such as accessing their LMS or other application 

8.24.18: Approved as one of the items included in the business ops implementation plan and communication to colleges. This will give the colleges an option that's clean and easy.

Incorporate the alternative process to have students go directly to the Proxy Account Sign-In page outside of the existing workflow that triggers the proxy when en route to an application.  

This process was created by Matt & Franz to provide a college-specific URL that can be provided to the colleges that want to bypass the hassle of having students encounter the proxy en route to Canvas, and have them use the link to go directly to the account creation process/Sign In page. 

(8.24.18: The suggestions below are Not approved for 6.2.0.)

1. Proposed workflow change: Instead of triggering the proxy re-direct, send email to the college for each user who doesn't pass a CCCID (store EPPN and pass back to college in weekly report?) or send email and have college run a report in the Report Center.
   
   
2. Proposed workflow change option:  Implement feature that would allow the student to skip signing in or creating an account up to X number of times and alert the college. On the ? time, don't allow the user to skip signing in or creating an account.

Many colleges don't know how to get the CCCIDs created during proxy re-direct back into their SIS or common directory systems.  Better, comprehensive Information needs to be provided to colleges about the EPPN>CCCID API process. 

Need to continue to investigate solutions to this concern. 
A fix to the current EPPN>CCCID API and reports are included in the upcoming Proxy release 1.9.2. 

1. We need to ensure our wholistic process and ensure colleges know how to implement the API and how to run the report in the CCCApply Report Center. 
2. Ensure all colleges have information about the EPPN > CCCID API and the Report Center EPPN Matching report.

For future release:
Implement enhancements to the EPPN > CCCID API to pass colleges all Account data 

To streamline the proxy workflow, colleges want an auto-populated "short-form" OpenCCC Account creation process for students who are already students at a college but don't have a CCCID.   

Rationale:

Students triggering the proxy are already students at one or more colleges. The college has information about the student already that could be used to auto-populate an OpenCCC Account; thus significantly reducing the inconvenience to the student to have to create an account that they believe they already have (that being their "college" account) and question legitimacy on.  

Instead of having the student complete the full OpenCCC account when they are redirected during proxy workflow, auto-fill  Account fields with data passed from college and prompt for minimal required information, such as Username (which could also be their personal Email address), Password, Birthdate, and ONE security question.

Proposed: Develop and implement an auto-populated shorter version of the full OpenCCC Account application, which only requires minimum fields for account creation. 

(8.24.18: Not approved for 6.2.0.  Approved to propose a draft for future enhancement).

Develop functionality to auto-fill OpenCCC account with data from the colleges IdP. College metadata could be expanded to send additional attributes that could be used for pre-population in existing Account app, such as: 

1. Proxy account could be very streamlined - collecting only:
   1. Username (personal email address)
   2. Password 
   3. Birthdate
2. Proxy account could use auto-fill from attributes passed by the college's metadata 
   1. EPPN 
   2. First + Last Name
   3. Street address
   4. City & Postal Code

CCCID is created and stored in proxy, and passed back to college via EPPN API. 

Colleges are frustrated that we don't offer an easy way for bulk assignment of CCCID numbers to non-credit or special needs students (Adult Ed, Inmates, special K12 programs, and non-credit students). 

Colleges want to provide the Tech Center with a spreadsheet of account data and get back bulk-assigned CCCID assignment process

8.24.18:  Not approved at this time. Leadership is still opposed to offering bulk assignment option to colleges. 

TBD - proposed solutions have previously been declined however the requests from colleges have escalated. 

Overall, colleges and students see the OpenCCC Account Creation process, especially when asked during proxy re-direct, as redundant, unnecessary, and intrusive; especially when the user is already a student at one or more colleges and has already provided most, if not all, of the information requested in Account to the college already when they applied, enrolled, registered, etc.

The answer to these concerns is to improve our communication to the colleges, improve our business operations implementation process, and ensure the colleges understand and are complying with the requirement to store the CCCIDs in their SIS and common directory so they can pass via IdP metadata.

This also applies to the information the colleges and the Tech Center is providing to Students on what the proxy is, why it's important, and demystify the process. 

Students are put off by the questions, especially SSN, Birthdate, address, phone, email, etc.

These are the same issues we've been hearing from students since the initial implementation of OpenCCC.  We need to do a better job of communicating the need and significance of the "systemwide student ID" to support students across their academic journey in the CCC.

Need to update our list of BENEFITS of the OpenCCC Account.  

Current Implementation Process

Template message is being sent to IT to share with faculty, staff, and students (sending to IT)

It is very unclear whether the SSO proxy is a product or a required technology component or simply a technical system requirement. 

8.24.18: Patty to set meeting with Jennifer and Tim to discuss the SSO Proxy project moving forward. 
(Patty - please invite Andy to this if possible)

Draft a charter with proposed business requirements for enhancements and ongoing maintenance.

Currently the SSO proxy does not have a project charter, project plan, business requirements, or roadmap; thus making it extremely difficult for continuous improvement and supporting our colleges.

Currently, the Proxy is developed by the Unicon IAM team, including UI changes, but deployment is tied to the OpenCCC Account (as well as CCCApply)