Conceptual Design Discussion Parameters
The conceptual design for offering UW NetID services to the Cascadia Community College population was developed with the following objectives in mind.
1. Data Feeds
- CCC will provide a "Cascadia person feed" representing CCC students, staff, and faculty. It is quite likely that the source data will originate from an extract already being made from the CIS system.
The Cascadia person feed will drive entitlement to UW NetIDs. UW/C&C will provide UW NetIDs to those currently entitled via the feed and eligibility policy.
Our goal is to never expose the CCC password/PAC, and to avoid the technical complications of interfacing CCC ASP/.NET with UW C/Unix/Apache.
This approach means that UW never needs to know or handle the CCC password. The UW PAC would be the one shared secret. It does, however, depend on two-way feeds: CCC student info fed to UW, and UW feeding the CCC ID/UW PAC back to CCC.
Since the UW PAC is one-time-use, it can't be used for a subsequent UW NetID create, even once it's floating around in someone's browser.
The UW PAC approach could also be used for password changes. The student never needs to know their UW PAC, which expires two hours after its first use, so it can be posted to several web pages.
The data will be stored in the Auxiliary Validation File (AVF). Those items that do not fit into this structure will be saved in a temporary data store for merging at a later time.
The Cascadia person feed will include:
CIS SID identifier
Street address?
CCC status?
CCC affiliation?
CCC will document the attribute values such that both parties can agree to common semantics for authorization purposes.
UW/C&C will accept the feed via some import process; exact method TBD.
UW/C&C and CCC must coordinate processes for handling exceptions, e.g. source identifier changes, database fixes, etc., all TBD.
Feed format, transport, security, frequency: TBD.
Cascadia Community College (CCC) status: associate faculty may be here in Fall and Summer but still need access in between. When they aren't on the payroll, they won't be in the feed. Our suggestion is to handle these exceptions with temp IDs.
Staff records appear in the feed the night of the day they go on payroll.
Student records appear in the feed when they're enrolled; this changes a lot during the first week or two of the quarter.
Initially, a discussion was held that required the UW to communicate directly with the CTC Office in Bellevue. However, after further discussion, the conceptual design was agreed upon as a more appropriate method, since it allows for a more seamless integration.
2. Private Access Code:
- The Private Access Code (PAC) will be a single-use credential used during UW NetID creation. It will also have a short-term expiration period.
- PAC-Free Sign-up Page: CCC creates a web-based service, authenticated by CIS SID and PIN, that posts user info and PAC directly into UW/C&C's UW NetID creation service.
- The method will require no end-user handling of PACs.
- The initiation phase for Cascadia users is on a page that will be created and maintained by the Cascadia Community College.
- Cascadia users will provide their account information and PAC. This action will trigger a verification against data from the Cascadia person feed to make an eligibility decision.
- The services to be provided will include a Kerberos principal and U forwarding.
3. "Create UW NetID" pages
- Cascadia will provide a web-based "create your UW NetID" service for Cascadia users.
- Cascadia users will provide their account information and receive a PAC that can be used to create a UW NetID using the "create your UW NetID" service, which will verify the info against data from the Cascadia person feed to make an eligibility decision.
- UW NetIDs created through this mechanism will be permanent; users will select their own UW NetID identifier (i.e., no more fixed format "ctcnnnn" string).
- UW NetID services received will include a Kerberos principal and U forwarding service.
4. UW NetID Password Change & Reset
- Cascadia users will be able to use the regular UW NetID "passwordchange" and "password reset" services, to change current passwords and reset forgotten passwords (by secret questions), respectively.
Cascadia users who have forgotten the answers to their secret questions and therefore cannot reset their password, can call UW/C&C during regular business hours, identify themselves, and get a new password.
Based on these parameters, the initial conceptual design diagram was developed on 12/6/04 and subsequently revised on 12/20/2004 by a portion of the project team from UW, with input from Cascadia Community College and UW Bothell. The diagram illustrates the following process.
Process and Support
1. Feeds are established between Cascadia and the UW. This process must be completed in order for this design to begin to function.
2. The Cascadia Community College User uses a browser to view a web page developed and supported by Cascadia Community College. This user will be prompted to enter a Cascadia ID and Cascadia PAC. Support for this web page will be managed by the Student and Employee Help Desks at Cascadia.
3. If the combination is in the Cascadia database, the Cascadia ID and UW AVF PAC are posted to the UW NetID creation pages maintained by the UW Computing and Communications (C&C) group.
4. Completion of step 3 results in a UW NetID and password that is provided to the Cascadia Community College User and may be used for authorization to UW NetID and password protected services. Support for these web pages will be managed by the UW C&C Information group.
Cascadia Community College would support Cascadia users in the front-end process. Once the users are within the "Create UW NetID" process, the support will be handled by C&C Information.
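The following Python is an added illustration, not part of the original design document or of any UW or Cascadia system. It models the PAC-based flow from sections 1 and 2 and Process steps 1 through 4: the person feed drives AVF entitlement, the CCC page authenticates SID and PIN locally so the PIN never reaches UW, and the UW side enforces single use and the two-hour window after first use. The feed line format, the eligible affiliation set, and the CIS PIN store are assumptions.

```python
import secrets
from dataclasses import dataclass
from typing import Optional

PAC_TTL_SECONDS = 2 * 60 * 60  # design: a UW PAC expires two hours after its first use
ELIGIBLE = {"student", "staff", "faculty"}  # assumption: affiliations the eligibility policy entitles

@dataclass
class AvfRecord:
    """One Auxiliary Validation File (AVF) entry, built from the Cascadia person feed."""
    sid: str
    pac: str
    first_used: Optional[float] = None  # set when the CCC page first posts this PAC to UW
    consumed: bool = False              # set once a UW NetID has been created with it

def load_feed(feed_lines):
    """UW side: build the AVF from constructed 'SID,status,affiliation' lines, minting one PAC per entitled person."""
    avf = {}
    for line in feed_lines:
        sid, status, affiliation = (f.strip() for f in line.split(","))
        if status == "active" and affiliation in ELIGIBLE:
            avf[sid] = AvfRecord(sid, secrets.token_hex(8))
    return avf

def ccc_signup_page(cis_pins, ccc_pacs, sid, pin):
    """CCC side: check SID+PIN against CIS locally, then post SID and the UW PAC (received via the return feed). The PIN never leaves CCC."""
    if cis_pins.get(sid) != pin or sid not in ccc_pacs:
        return None
    return {"sid": sid, "pac": ccc_pacs[sid]}

def receive_handoff(avf, post, now):
    """UW side: validate the posted SID+PAC against the AVF and record the PAC's first use."""
    rec = avf.get(post["sid"])
    if rec is None or not secrets.compare_digest(rec.pac, post["pac"]):
        return False
    if rec.first_used is None:
        rec.first_used = now
    return True

def create_netid(avf, post, requested_netid, now):
    """UW side: finish the create; the PAC is single-use and only valid within two hours of first use."""
    rec = avf.get(post["sid"])
    if rec is None or rec.first_used is None or not secrets.compare_digest(rec.pac, post["pac"]):
        return (False, "no validated handoff for this SID/PAC")
    if rec.consumed:
        return (False, "PAC already used for a NetID create")
    if now - rec.first_used > PAC_TTL_SECONDS:
        return (False, "PAC expired")
    rec.consumed = True
    return (True, requested_netid)
```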
Conceptual Design Review
It is proposed that we drop the use of Private Access Codes in the design and replace this with the use of Shibboleth. The use of Private Access Codes (PACs) would unnecessarily complicate issues with the use of the PAC internally by external entities such as the Registrar's Office and Employee payroll coordinators. The pros and cons were listed, and a design discussion will be held with Cascadia to firm up the design so that detailed design can proceed. This revision also eliminates one feed and allows the UW to build on the model of working with the community colleges in a similar fashion.
Pro
· No feed from the UW would be required for Cascadia Community College (CCC) to process
· No changes would have to be made in the way Private Access Codes (PAC) are issued at the UW
· We have prior experience at working with North Seattle Central Community College to run a Shibboleth application on their campus.
· The PAC generation process based on the nightly feed would not have to be processed. The PAC generation process is currently an issue with other feeds and we know that this heavy processing load does not scale well.
· Assuming that CCC would want a single sign-on capability, Shibboleth could fill that role on the campus.
Con
· Cascadia Community College (CCC) would have to run a Shibboleth application, with technical support from the UW C&C staff
· CCC would have to run a Linux box.
Review of the Conceptual Design was held on 3/2/2005
With a minor modification to the support for the Shibboleth application, the design was approved by:
Cascadia Community College - Michael Klim and Sandra Nelson
UW C&C - Bob Morgan, Zephyr McLaughlin, Anne Hopkins, and Richard Ortiz
UW Bothell - Rob Estes