TIER Campus Success Program Case Study
Colorado State University
Executive summary
Donors to Colorado State University (CSU) can track their donation history and download tax receipts from CSU’s Donor Connect Website. While this information is important to donors, their use is infrequent, and they often can’t remember their system created usernames and passwords. Providing the ability for them to log in with their social identities (Gmail, Facebook, LinkedIn, windows live, etc.) allows donors to connect using login credentials that they remember and transfers the liability and operations for managing and these login credentials from CSU to these social identity providers. This project, implemented with the help and support of the Internet2’s Trust and Identity for Education and Research (TIER), the InCommon Campus Success Program, and Cirrus Identity, provided the tools and resources for a successful launch of this technology.
Solution summary
This project was designed around CSU’s existing implementations of Shibboleth and Grouper. Along with these tools from Internet2, CSU implemented COmanage as an identity registry for external users along with a Social to SAML gateway and proxy service from Cirrus Identity.
TIER features supported
Shibboleth, Grouper, COmanage, Docker, and RabbitMQ
Collaborators
One of the keys to the success of this project has been the collaboration with the TIER Campus Success partners. We worked closely with many in the program, but specifically with the Working Groups for COmanage and Grouper, The University of Illinois (and the Big 10 Alliance), and Lafayette College. The TIER Campus Success Program face to face meetings were critical for collaborating, learning how the tools work, resolving issues, and simplifying processes.
Community resources
- TIER Packaging
- TIER Data Structures and APIs
- TIER Entity Registry
- TIER Component Architects
- TIER Ad Hoc Advisory Group
Architecture diagram and media resources
The architecture diagram below was implemented to support this project:
Jeff Ruch, CSU middleware developer presented this project during an InCommon working groups on April 18, 2018. This presentation was in conjunction with others and is titled “IAM Online; Managing Affiliate, Alumni, and Other Identities with Comanage.” It can be viewed at the IAM online YouTube channel.
The environment
Colorado State University is a public research university located in Fort Collins, Colorado. The university is the state’s land grant university, and the flagship university of the Colorado State University System.
The problem
As the donor database for the university grows, providing donors to CSU with a login that they can remember, and that CSU can support and maintain, was becoming a challenge. Creating logins using our campus system were short-lived, needing to be renewed every year, and the local credentials provided by the application were used infrequently, causing these donors to forget their username and password. This caused frustration for our donors and frequent support tickets for our staff.
The solution
Creating a solution that would allow donors to remember their login credentials, reduce support tickets, and transfer liability for protecting these credentials were the goals of this project. Having already implemented Shibboleth, CSU decided to add the Internet2 toolsets of Grouper, COmanage, and RabbitMQ to meet these goals.
Among several requirements for success, allowing donors to utilize their social login credentials was the main objective. Since donors have multiple social identities, this project also required account linking services so that donors could use any of their social identities along with their CSU login credentials if they were a faculty or staff member. All of this information is stored and linked together in the COmanage entity registry
This project also required software to do the social discovery and return a SAML insertion back to the service provider. For this solution we turned to Cirrus Identity and purchased their Social to SAML gateway along with their Proxy service, which allows us to use a single developer account across multiple services, so that multiple applications and service providers would receive the same unique identifier returned from the discovery service.
The result
Using this solution, CSU’s advancement department can now provide historical giving information and tax receipts to donors using their social identities and not have to worry about provisioning users or supporting identity information.
Initially launched with a just a few social identity providers, the success of this project has been a stepping stone to expanding this service to include account linking with internal CSU credentials and social identities including Google, Facebook, Linked In, Windows Live, Yahoo, Twitter, and other existing federations. By utilizing the Social to SAML gateway and Proxy service from Cirrus Identity, it allows CSU to appear as a single identity provider endpoint for all applications on campus. Without the Proxy service, each service appears as a separate endpoint.
With the success of this implementation and lessons learned we will soon be expanding this service to other applications on campus that have similar needs. The first is our FAMweb application where CSU Students invite their parents and/or guardians to view their student’s information. Learning to use COmanage’s invitation service and matching algorithms for our RAMweb project will be critical.
Secondly, these services soon expand to the CSU registrar’s office where alumni can access transcript and other records without having to remember, or update, their university login credentials.
Lessons learned
By implementing a proof of concept (POC) with a small population we masked several issues, most of which were related to data ingestion and provisioning. These issues did not pop up until we had more than 60 thousand users in the system. Had our POC included a larger population, we could have identified these issues earlier in the project.
We also learned that Social Identity providers use different unique identifiers based on the calling application’s developer account. We quickly realized the need to use a single developer account for all social requests regardless of the calling application. This led us to add the proxy service from Cirrus Identity to resolve the issue.
This project also provided valuable lessons in collaborating with others. Through the face to face meetings of the Campus Success Program (CSP) and involvement in the TIER working groups, we were able to uncover issues, share best practices, and as a result – implement this solution much faster that we could have done on our own.
We have also learned a few things that have changed our initial architecture. Here is the architecture map that will be in place by the end of 2018.
About Colorado State University
Founded in 1870 as the Colorado Agricultural College, Colorado State University is now among the nation’s leading research universities. Located in Fort Collins, Colorado, Colorado State University is a Carnegie R1 research institution with eight colleges, providing undergraduate and graduate degrees including the colleges of Agricultural Sciences, Business, Health and Human Sciences, Liberal Arts, Natural Sciences, Veterinary Medicine and Biomedical Sciences, Engineering, and Natural Resources.
Our world-class research in infectious disease, atmospheric science, clean energy technologies, environmental science, and biomedical technology attracts more than $300 million in research funding annually. Our professional programs in veterinary medicine, occupational therapy, journalism, agriculture, and construction management are ranked among the nation’s best.