Overview

As part of the CCC SSO initiative, a centralized proxy service has been deployed through which secure CCC web applications can centralize authentication requests for students and staff across all CCC colleges. The Proxy then contacts the appropriate "real" IDP, such as the OpenCCC IDP system, to complete requests. The goal of this design is to simplify and accelerate system-wide technology adoption and provide uniform experiences for key users.

The CCC IDP Proxy serves two main functions. The first is to include the CCCID as an assertion when the college IDPs are unable to assert the CCCID from their user store. The second is to aid in the discovery process when navigating across service providers in separate domains.

Technically speaking, the CCC IDP Proxy is designed to help colleges assert consistent SAML attributes to the various Service Providers (SP) within the CCC SSO Federation of secure web applications.

Use Cases

The primary use case is to facilitate locating and sending the student's CCCID SAML attribute when a college does not have that information for their student. If the Proxy discovers that the student's CCCID SAML attribute is not present when the student attempts to authenticate to a particular CCC web application, it will attempt to find the CCCID associated with the IDP's unique identifier (EPPN) for the student.

If a CCCID is not found, the student will be redirected to the OpenCCC IDP to either recover or create a new OpenCCC account. Once the account is recovered or created, the CCCID will be cross-referenced to the student's EPPN so that the next time the student attempts to enter the CCC Federation from their college IDP, the Proxy will find the student's CCCID and add it to the SAML attributes presented to the intended CCC Federation service providers.
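The lookup flow described in this section, as an added sketch that is not the Proxy's own code. The CCCID attribute name, the in-memory store, the rejection of assertions that carry no EPPN, and the refusal to relink an EPPN to a different CCCID are assumptions made for illustration.

```python
# Added illustration of the CCCID resolution flow; not the Proxy's implementation.
from dataclasses import dataclass, field

EPPN_ATTR = "urn:oid:1.3.6.1.4.1.5923.1.1.1.6"  # eduPersonPrincipalName
CCCID_ATTR = "cccId"  # hypothetical attribute name, not taken from the page


@dataclass
class ProxyDecision:
    action: str                       # "forward", "redirect_openccc" or "reject"
    attributes: dict = field(default_factory=dict)
    reason: str = ""


class CccidResolver:
    def __init__(self):
        self._eppn_to_cccid = {}      # stand-in for the cross-reference store

    def resolve(self, attrs: dict) -> ProxyDecision:
        """Decide what to do with attributes asserted by a college IdP."""
        if attrs.get(CCCID_ATTR):
            return ProxyDecision("forward", dict(attrs), "college IdP asserted CCCID")
        eppn = (attrs.get(EPPN_ATTR) or "").strip()
        if not eppn:
            # Assumption: without an EPPN there is no key to look up or link.
            return ProxyDecision("reject", {}, "no EPPN in assertion")
        cccid = self._eppn_to_cccid.get(eppn)
        if cccid is None:
            return ProxyDecision("redirect_openccc", dict(attrs), "no CCCID linked to EPPN")
        return ProxyDecision("forward", {**attrs, CCCID_ATTR: cccid}, "CCCID added by proxy")

    def link(self, eppn: str, cccid: str) -> None:
        """Record the cross-reference after OpenCCC account recovery or creation."""
        existing = self._eppn_to_cccid.get(eppn)
        if existing is not None and existing != cccid:
            # Assumption: a silent overwrite would hand one student another's CCCID.
            raise ValueError("EPPN already linked to a different CCCID")
        self._eppn_to_cccid[eppn] = cccid


def demo():
    r = CccidResolver()
    student = {EPPN_ATTR: "jdoe@college.example"}      # constructed sample
    first = r.resolve(student)                          # not yet linked
    r.link("jdoe@college.example", "AAA0001")           # constructed CCCID value
    second = r.resolve(student)                         # now resolved by the proxy
    return first.action, second.action, second.attributes[CCCID_ATTR]


if __name__ == "__main__":
    print(demo())
```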

 

Before You Begin

Before your college can connect to the CCC SSO, a set of minimum requirements for integration with the IdP Proxy must be met.

Setting Up Test Environment

The IdP Proxy and supporting components are currently operating in four environments: Continuous Integrated (CI) supporting development activities; TEST, an internal environment for development testing; PILOT, for early production stage proof of operations; and PROD, the production environment used by students and staff.

In order to complete the integration process and facilitate ongoing testing, colleges must stand up a testing environment to ensure their IdP solution is able to authenticate with the Proxy and CCC applications.

The college test environment will access the CCC's PILOT environment for the Proxy and various applications.

Integrating with the CCC IDP Proxy

Connecting to the Proxy

Connecting to the Proxy From Any Secure CCC Application

When your college is ready to integrate with the Proxy, the following tasks must be completed regardless of which CCC application you are implementing:

See:  How to Integrate Your College/District Identity Provider (IdP) with the CCC IdP Proxy

Connecting to the Proxy from Canvas

Integrating with Canvas

In addition to the question of how Unicon will be able to support a critical cog in the CCC infrastructure on a 7x24 basis with very high (e.g. 99.999%) availability, several “bigger picture” questions have been raised, primarily by Unicon’s Mike Grady. Mike is an architect in Unicon’s IAM practice with broad experience deploying IAM solutions to higher ed institutions, including federated identity.

