CCID & Passwords
-
Password Synchronization for Computer Lab and Library Computer Access
Introduction
If a user with an active relationship is unable to log in to the computers in the libraries or a computer lab, this might be due to a recent configuration change for those two sets of computers that might require some users to resync their password before they can log in. This should be a one-time event for a certain subset of users which is currently shrinking, and this Knowledge Base article will be retired after a review determines that there are no more accounts in this unsynced state.

Applicability
Anyone who is having trouble logging in to lab or library computers.

Details
Computer lab and library computer access is restricted to those with an active relationship at the University of Alberta. This does not include alumni, or other former students and staff. If a user without an active relationship needs access to library resources, they can request a temporary Library Network Access ID through the University of Alberta Libraries.

Users with an active relationship on campus should already be set up to log in to computer labs and the libraries through their CCID. If they are unable to log in, they can synchronize their password by visiting https://myccid.ualberta.ca/synchronize and filling in their CCID and password there.
-
Request to be added or removed as an Authorized Approver for a department
Introduction
Authorized Approvers (AAs) are appointed by a department's Dean, Director, or Chair, and are responsible for creating and maintaining department secondary CCIDs and assisting staff in their department with CCID password resets of both primary and secondary CCIDs (in the event that the staff member is unable to reset the password on their own or through IST). Authorized Approvers may also perform other functions such as creating and maintaining Google Groups, creating Temporary Network Access IDs using the IIQ tool, and being IST's contact and escalation point for any CCID-related issues within their unit. These Authorized Approvers are also the people in the department who receive temporary passwords for new hires and Guests when they are added to PeopleSoft and a CCID is created for them.

This article will describe how someone can request to become an Authorized Approver for their department or request that they or someone else in their department be removed from the list.

Applicability
This article was written for staff at the University of Alberta.

Procedure
1. Have your department's Dean, Director or Chair fill out and sign the "Authorized Approver Signature Addendum" - depending on whether an AA is being added or removed. The form can be found here under the "Authorized Approvers" column on the right side of the "Peoplesoft Security Forms" page.
2. Once filled out, follow the instructions on the bottom of the form and email a scanned image of the completed form to aissecurityforms@ais.ualberta.ca.

Other related forms including the one listed above can be found there as well. In particular, the "Authorized Approver Signature Form" is similar, but instead of making an addition or removal to the list of the department's Authorized Approvers, it fully replaces whoever the department has previously set as Authorized Approvers, with what is on the submitted form.

Important: To gain access to the suite of Authorized Approver tools in IIQ mentioned in the introduction, the new Authorized Approver should then contact IST and request training from the Identity and Application Support team.
-
Log out of Single Sign-On
Introduction
Single Sign-On (SSO) is a method of authentication where you use your Campus Computing Identification (CCID) and password to gain access to a number of different websites and services. With Single Sign-On, you only have to log in once, and you will have access to every supported service until you close your web browser. Some examples of these services at the University of Alberta include Bear Tracks and uAlberta Google Apps.

Everyone who uses Single Sign-On needs to ensure that they have logged out of secure and confidential systems. While you should close your web browser completely, there is no guarantee that your CCID authentication will end unless you also sign out of each application and service you open. This article will provide instructions for closing browsers.

Applicability
This article is for students and staff at the University of Alberta who use Single Sign-On to access services, sites, and applications including Bear Tracks and UAlberta Google Apps.

Procedure
Using the logout or sign-out option will log you out of an application, but it may not log you out of the authentication system. You should also close your web browser completely.

When using a public access computer, you may want to use a New Incognito Window or New Private Window (depending on the browser). These methods for opening a browser will forget all session information when you close the browser. You can do this by right-clicking your browser icon and choosing New Incognito Window or New Private Window.

Here are instructions for closing some common web browsers.

| Operating System | Web Browser | How To Completely Exit |
|---|---|---|
| Windows | Firefox | Press and hold the key combination Ctrl+Shift+Q |
| Windows | Google Chrome | Click the three dots in the top right of the browser window and select Exit |
| Windows | Windows Edge | Click the three dots in the top right of the browser window and select Close Microsoft Edge |
| Mac | Safari | On the Safari menu bar select Quit Safari (shortcut key Command+Q) |
| Mac | Firefox | On the Firefox menu bar select Quit (shortcut key Command+Q) |
| Mac | Google Chrome | On the Chrome menu select Quit Google Chrome (shortcut key Command+Q) |
-
Offboarding - CCID Suspension Requests
Introduction
This article describes the procedure for offboarding a CCID when an employee is terminated, abruptly resigns, or is disrupted. For a standard offboarding, please use the CCID Offboarding Service Catalogue Request Form.

NOTE: This process is specific to University of Alberta CCIDs. It does NOT automatically include removal of domain access or local computer accounts. These are generally completed through the various departments' standard procedures. If you want these accounts to be disabled at the same time as the CCID, this MUST be specifically requested in the ticket.

Applicability
The article is intended for staff in both central and departmental Human Resource Services (HRS) roles. It is also applicable to the CISO Information Security team, and may contain information of note for the Identity and Access Services and Endpoint Support teams.

Policy or Process
Steps for Human Resources Contact:
Email abuse@ualberta.ca with the following information:
* Subject line: CCID Suspension Request
* CCID of employee being disrupted (or resigning)
* Employee ID of the employee being disrupted
* Department the individual works for
* Date and time the suspension is to occur
  * This generally happens at the same time the individual's disruption meeting is taking place
  * If this is an abrupt resignation, the time and date can be immediately - Please make this clear if this is the case

NOTE: The CISO Information Security team does not always see the tickets in our queue immediately. For time-sensitive disruptions/resignations, please call us at 780-492-1390 at least 24 hours (if possible) before requesting the ticket be made a priority.

CCID swap information:
All former employees must have access to their T4 tax forms from the University. To facilitate this for former staff, IST performs a "CCID swap". This swap involves creating a new CCID and transferring all the Bear Tracks and PeopleSoft information to the new account. The new CCID WILL have access to a UAlberta email address, but the inbox (and Google Drive) will be completely empty. They will not have access to the former department's Google Drive files.

In cases of disruption/abrupt resignation/termination, we realize that there may be potential for abuse of a UAlberta email account. If you believe this situation may occur with a specific employee, we will not do the swap. In these cases, arrangements must be made for either central or departmental HRS to provide the employee with their tax forms at the start of the next year. IST does not have any involvement in this process.

Confirmation of receipt of request & next steps:
The CISO Information Security team will send you a confirmation of receipt as soon as we are able. If you have not received an email or a phone call within a few hours of submitting the request, we advise giving us a call (780-492-1390).

Once the suspension has been processed by the Information Security team, we will send you a form to fill out with additional information. This form is required for us to complete the request. Please return it as soon as possible.

Departmental access to former employees' accounts:
All requests for access to former employees' accounts require that an approval process be followed. Please visit the Requesting Access to Offboarded Accounts knowledge base article for the procedure.

To make changes to the date or time please call us as soon as possible. We WILL do the CCID suspension at the time requested unless we hear from you.
-
Library Proxy Service Error
Introduction
This article describes an error message in which a CCID is flagged as expired by the Libraries' Proxy Service. In addition to describing the symptoms and cause of the issue, a resolution is provided.

Applicability
This article is for use by all users with a valid CCID attempting to access Library resources.

Symptoms
* You will experience multiple failed attempts to log in to any CCID protected service.
* You will experience the following error message when attempting to access the Libraries' Proxy Service:
  "The Libraries' Proxy Service, which is used to access licensed resources from off-campus, shows that your CCID was used simultaneously or within a short timeframe from multiple geographic locations. Your CCID Username and Password were logged into the Proxy Service from multiple locations as follows:"

Cause
You may receive this error if your CCID password requires a reset. This issue is generally created when you attempt to access the Libraries' Online Resources from multiple geographic locations within a restricted timeframe. It can be falsely triggered if you attempt to log in while using a VPN service and then a local address OR if you attempt to log in from a location where access is restricted due to high levels of risk. The CCID password is expired by the system, which forces you to change your password in order to log in again.

Resolution
Alternately, you may contact the Shared Services Staff Service Center to request assistance with resetting your password.
-
Find Your Student or Employee ID Number
Introduction
This article will outline the different ways a Campus Computing ID (CCID) account holder can find their 7-digit unique ID number.

Applicability
This article will be useful for any CCID account holder that needs to find their U of A ID Number.

Procedure
You will need to provide your U of A ID Number when contacting Service Desks across campus. It is important that you know your U of A ID number!

All CCID Account Holders
* On your ONEcard. Your ID number is listed in the upper left hand corner.
* In your Bear Tracks Profile section. It is listed in the upper left hand corner beside ID.
  NOTE: You need to know your CCID and password to log in to Bear Tracks. If you do not know your CCID password, see the other methods listed in this article.

Students OR Applicants
* On your Launchpad portal Status Page. Your ID number is listed near the top of the status page, right above your program information.
  Important: You will log in to Launchpad using the email address and password initially used to register your account, NOT your CCID and password.
* Contact the Student Service Centre. They can provide your ID number after verifying your identity.

Faculty of Extension Students OR Applicants
* Your customer number will be listed on your fee receipts. This is your student ID number.

Employees
* Check with your supervisor or HR representative. They will be able to provide you with your 7-digit ID number.
-
Fully Encrypt a Samsung Android Device
Introduction
In some cases, Samsung Android devices may not be considered fully encrypted by the Duo Mobile app used for Multi-factor Authentication (MFA) or by mobile device management software even though encryption is enabled. This article provides information for Samsung Android device users looking to ensure their device is fully encrypted and meets encryption requirements.

Applicability
This article is intended for anyone who uses a Samsung Android 8 or newer mobile device. Samsung devices running Android 7 or older are unsupported, and should be updated or replaced if they are being used to access University data or accounts.

The issue addressed in this article may apply to other Android devices that aren't considered encrypted and do not require a PIN/Password/Pattern on startup; however, the steps to enable it may be different for other Android device manufacturers. Other Android device owners should refer to their device manufacturer for information on how to set up a PIN/Password/Pattern on startup.

Procedure
In order for a Samsung Android device to be fully encrypted, it must require a PIN, password, or pattern authentication ON STARTUP. This setting is referred to as Secure Startup or Strong Protection depending on the version of Android. If Secure Startup or Strong Protection is not enabled, these devices use a default password for encryption and aren't considered fully encrypted. Enabling Secure Startup or Strong Protection on your device will ensure your device is fully encrypted using a custom encryption PIN/Password/Pattern.

Note that requiring a PIN/Pattern/Password/Biometrics on the lock screen is different from requiring a PIN/Pattern/Password on startup. It is possible to have a PIN/Pattern/Password enabled for the lock screen while not having a PIN/Pattern/Password enabled on startup.

Enable Secure Startup on Android 8/9/10 Samsung Devices
1. On your mobile device open your Settings, tap on the magnifying glass search icon and search for Secure Startup.
   On most Samsung devices you will find the Secure Startup setting under either the Biometrics and security or Lock Screen and Security menus.
2. Tap Secure Startup.
3. Change this setting to Require PIN when device powers on and select Apply.
   NOTE: On some versions of Android this setting may be to require a pattern or password instead, which is equivalent.
4. Follow the on-screen instructions to set a PIN.

Enable Strong Protection on Android 11 Samsung Devices
1. On your mobile device open your Settings, tap on the magnifying glass search icon and search for Strong Protection.
   On Android 11 Samsung devices you will find the Strong Protection setting under Biometrics and security > Other security settings.
2. Tap Strong Protection.
3. Toggle this setting to ON.
4. Follow the on-screen instructions to set a PIN.

Important! The PIN/Password/Pattern that you set will be required each time you reboot or start up your device. Make sure you do not forget this code!

If further assistance is required, please contact IST.
-
UAlberta Login Consent Prompt
Introduction
This article provides an overview of the consent prompt that is displayed when logging in to Canadian Access Federation (CAF) affiliated websites using the UAlberta Login Single-Sign-On service.

Applicability
This article applies to any U of A CCID holder that will be logging in to the CAF affiliated websites or resources.

Details
The University of Alberta is a member of the Canadian Access Federation (CAF). As a CAF member, a UAlberta CCID account holder may be able to access other CAF affiliated websites using the UAlberta Login Single-Sign-On system and their CCID credentials.

When authenticating to a CAF affiliated site with UAlberta Login, a CCID account holder will be presented with a prompt that displays what account information will be shared with the site and requires the CCID holder's consent to sharing this data with the site. If consent is not given, the account data will not be shared with the site and access to the site will not be granted. Consent to share this data is required each time a CCID account holder logs in to a CAF affiliated website.

As the University of Alberta is in no way in control of or affiliated with all CAF affiliated websites, beyond being a CAF member, the consent prompt was added to ensure that UAlberta CCID account holders are aware of the data being shared with these sites. It is the responsibility of the account holder to understand the privacy and security policies of the website they are authenticating to prior to consenting to sharing their data.

Some CAF affiliated websites may restrict access to their sites based on a CCID account holder's affiliation to their institution (e.g. some sites may only be accessible to students). Having a UAlberta CCID account does not guarantee access to all CAF affiliated sites.

What will you see when logging in to CAF affiliated websites?
The screenshot below provides an example of the consent prompt that you may see when logging in to CAF affiliated websites.

The consent prompt includes the following:
* A description of the consent required, which will include the name or URL of the website being accessed.
* Buttons to either agree to or decline sharing this information with the site.
* User Information*
  * Person's principal name at home organization will appear as YOURCCID@ualberta.ca
  * Display Name will appear as your first name
  * Given Name will appear as your first name
  * Surname will appear as your last name
  * Mail will appear as YOURCCID@ualberta.ca
  * Affiliation at home organization may include values like Student/Faculty
  * eduPersonTargetedID is a unique value that provides no specific information about you or your account but will be persistent every time you access a particular site. This allows a site to save your preferences without actually retaining any other specific information about you.

*This user information is an example of what you may see, but is not inclusive. Other attributes that are not listed in this article may be requested by the website and listed in the consent prompt.

If you have any questions regarding this article or its contents, please contact IST.
-
UAlberta Login Attributes
Introduction
This article will outline all the available attributes from UAlberta Login.

Applicability
Anyone configuring a service that will use UAlberta Login for authentication.

Attributes
UAlberta Login provides a number of attributes to a Service Provider (SP) when a user accesses the application. The attributes will only be provided when a user is redirected from the Identity Provider (IdP), UAlberta Login, to the SP they are accessing.

Attributes will always be provided using the OID value rather than the friendly name for the attribute. If you would like to use the friendly name for the attribute in your application, you will need to ensure you have an appropriate attribute map so the SP software knows how to rename the OIDs.

Default Attributes
The default attributes will always be provided unless you request specific attributes to be sent to your SP.

| Attribute Name | OID | Example | Description |
|---|---|---|---|
| eduPersonTargetedID | urn:oid:1.3.6.1.4.1.5923.1.1.1.10 | https://login.ualberta.ca/saml2/idp/metadata.php!https://sp.srv.ualberta.ca/shibboleth!b2661071653f8b9021344ddf17f9e005097edd22 | This attribute is a pseudonymous identifier that is specific to each user and SP. |
| givenName | urn:oid:2.5.4.42 | Jonathan | This is the legal first name of the user. If you would rather use preferred name, look at the displayName attribute instead. |
| sn | urn:oid:2.5.4.4 | Doe | This is the legal last name of the user. There is no preferred last name available. |
| uid | urn:oid:0.9.2342.19200300.100.1.1 | jdoe | The Campus Computing ID. |

Additional Public Attributes
These attributes are public data, but aren't provided by default. These attributes can be provided upon request.

| Attribute Name | OID | Example | Description |
|---|---|---|---|
| displayName | urn:oid:2.16.840.1.113730.3.1.241 | John | Preferred name set in Bear Tracks |
| eduPersonPrincipalName | urn:oid:1.3.6.1.4.1.5923.1.1.1.6 | jdoe@ualberta.ca | Scoped version of uid. Always CCID@ualberta.ca |
| mail | urn:oid:0.9.2342.19200300.100.1.3 | jdoe@ualberta.ca | The University provided email address. Always CCID@ualberta.ca |

Private Attributes
These attributes are considered to be private data. If you require any of the following attributes, you must complete an IMS Interface Agreement. Please contact IST at ist@ualberta.ca.

| Attribute Name | OID | Example | Description |
|---|---|---|---|
| departmentNumber | urn:oid:2.16.840.1.113730.3.1.2 | 000001 | List of department numbers |
| eduPersonAffiliation | urn:oid:1.3.6.1.4.1.5923.1.1.1.1 | member;staff | Affiliation to the University (not to be confused with RTI). Possible affiliations are: member, faculty, staff, student. |
| eduPersonScopedAffiliation | urn:oid:1.3.6.1.4.1.5923.1.1.1.9 | member@ualberta.ca;staff@ualberta.ca | Exactly the same as eduPersonAffiliation, but with a scope of @ualberta.ca |
| employeeNumber | urn:oid:2.16.840.1.113730.3.1.3 | 1234567 | Unique 7-digit identifier for each person. If the CCID is a department-owned secondary CCID, this will be populated with the departmentNumber the CCID is assigned to. |
| institutionalIdentifier | institutionalIdentifier | UOFAB | Institution of the person |
| organizationalStatus | urn:oid:0.9.2342.19200300.100.1.45 | tamis;cona | A list of statuses on the CCID. There are a number of possible values. |
| uOfAAccountType | urn:oid:1.3.6.1.4.1.11933.1.13 | primary | Indicates if a CCID is primary or secondary. |
| uOfAOCCardID | urn:oid:1.3.6.1.4.1.11933.8.3 | 111234567 | ONECard ID |
| uOfAOCProxID | urn:oid:1.3.6.1.4.1.11933.8.6 | 01234 | ONECard Prox ID |
| uOfAOCSuffix | urn:oid:1.3.6.1.4.1.11933.8.9 | 01 | ONECard suffix |
| uidNumber | uidNumber | 98765 | 5-digit unix ID tied to a CCID. Used in systems like AFS. |
| uOfARTI | uofarti | EMP;SUP | List of Relationships to the Institution. |
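
The attribute map described in this article, as an added example (not code from UAlberta or from any SP product): it renames the OID-named attributes of a SAML AttributeStatement to the friendly names in the default and additional public tables, keeps attributes it does not recognize separate instead of trusting them, and checks that eduPersonPrincipalName and mail equal uid@ualberta.ca as the tables state. Assumptions: the SP software has already validated the assertion's signature before this runs, the sample statement and the unknown attribute name are constructed, and the function and constant names are hypothetical.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ATTRIBUTE_TAG = "{urn:oasis:names:tc:SAML:2.0:assertion}Attribute"

# OID -> friendly name, copied from the default and additional public tables.
OID_TO_FRIENDLY = {
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.10": "eduPersonTargetedID",
    "urn:oid:2.5.4.42": "givenName",
    "urn:oid:2.5.4.4": "sn",
    "urn:oid:0.9.2342.19200300.100.1.1": "uid",
    "urn:oid:2.16.840.1.113730.3.1.241": "displayName",
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.6": "eduPersonPrincipalName",
    "urn:oid:0.9.2342.19200300.100.1.3": "mail",
}

# The tables state that eduPersonPrincipalName and mail are always CCID@ualberta.ca.
EXPECTED_SCOPE = "ualberta.ca"

# Constructed sample statement; a real one arrives inside a signed assertion.
SAMPLE_STATEMENT = """\
<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.1">
    <saml:AttributeValue>jdoe</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="urn:oid:2.5.4.42">
    <saml:AttributeValue>Jonathan</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="urn:oid:2.5.4.4">
    <saml:AttributeValue>Doe</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6">
    <saml:AttributeValue>jdoe@ualberta.ca</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="urn:example:constructed:unknown">
    <saml:AttributeValue>x</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>
"""


def map_attributes(statement_xml):
    """Return (mapped, unmapped) dicts of attribute name -> list of values.

    mapped is keyed by friendly name; unmapped keeps the raw Name of every
    attribute missing from OID_TO_FRIENDLY so the caller can log or reject it.
    """
    root = ET.fromstring(statement_xml)
    mapped, unmapped = {}, {}
    for attr in root.iter(ATTRIBUTE_TAG):
        name = attr.get("Name", "")
        # itertext() also captures values wrapped in a child element.
        values = ["".join(v.itertext()).strip()
                  for v in attr.findall("saml:AttributeValue", SAML_NS)]
        if name in OID_TO_FRIENDLY:
            mapped.setdefault(OID_TO_FRIENDLY[name], []).extend(values)
        else:
            unmapped.setdefault(name, []).extend(values)
    return mapped, unmapped


def check_identity(mapped):
    """Return a list of problems; an empty list means the identity is consistent."""
    uids = mapped.get("uid", [])
    if len(uids) != 1 or not uids[0]:
        return ["uid must be present exactly once"]
    expected = f"{uids[0]}@{EXPECTED_SCOPE}"
    problems = []
    for field in ("eduPersonPrincipalName", "mail"):
        for value in mapped.get(field, []):
            if value != expected:  # exact match, no case folding
                problems.append(f"{field} {value!r} does not match {expected!r}")
    return problems


if __name__ == "__main__":
    attrs, unknown = map_attributes(SAMPLE_STATEMENT)
    print(attrs)
    print("unmapped:", unknown)
    print("problems:", check_identity(attrs))
```

An application would key its local account on uid only when check_identity returns no problems, and would treat anything in the unmapped result as untrusted input.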
-
Duo MFA Frequently Asked Questions (FAQ)
Introduction
This article provides information on common questions regarding the University of Alberta's Multi-factor Authentication service Duo MFA. Multi-factor Authentication (MFA) is a form of authentication that requires two or more verification methods to access a resource, application, online account, or a VPN.

Applicability
Duo MFA has been enabled for some services and some CCID holders within the University of Alberta domain. Eligible users will encounter a second authentication step to verify their identity when logging in to PeopleSoft, the Identity Management System, and other participating web based applications secured with Duo MFA, with more applications being added. This article is intended for anyone using or supporting Duo MFA.

Duo MFA eligible users will receive email communications when their account is created. If you have not received any such emails, you are not eligible for Duo MFA at this time.

Details
Other Duo MFA Resources
* How to Enrol with Duo MFA
* How to Authenticate with Duo MFA

FAQs

What applications require me to authenticate with Duo MFA?
Currently Duo MFA is required for PeopleSoft applications (Campus Solutions, Human Capital Management, Finance, and Bear Tracks), the Identity & Access Management (IAM) system, also known as IdentityIQ, the MyCCID website and some VPN and RDP contexts. Duo MFA will be required for Google Workspace apps (Gmail, Drive, Calendar, Docs, etc.) as of July 4th. In the future all VPN access will require Duo MFA, along with additional applications and services added over time.

What kind of device can I use with Duo MFA?
The University of Alberta implementation of Duo MFA uses the Duo Mobile MFA app for multi-factor authentication. You will need either an iOS 14.0 (or greater) or Android 10.0 (or greater) device that supports the Duo Mobile MFA app. See Installing the Duo Mobile MFA app on your mobile device for more information. Alternatively, you can request a Duo MFA fob, which will generate passcodes that allow you to log in. Please follow the instructions in your enrolment email to request a fob.

I don't use my mobile phone to access PeopleSoft or for work, do I still need to install Duo Mobile MFA on my device?
Your mobile device is used as an extra authentication method when you log in to a Duo MFA protected application from ANY computer or device. You will need a supported mobile device with the Duo Mobile MFA app installed on it or a Duo MFA fob to access U of A applications secured with Duo MFA.

Why am I being asked to use Duo MFA to authenticate when logging in to Google Workspace Apps (Gmail, Drive, Calendar, etc), even though I've already done so within the past 14 days?
When logging in to Google Workspace Apps, your security token is kept active for 14 days by default. However, you may be asked to authenticate again in certain circumstances:
* If you log in via a different web browser or device, you will need to authenticate again, as each browser/device keeps a separate token.
* If you use the top-right menu in Google to 'Sign out' of your account, your token will be cleared from the browser/device you were logged in on.
* Your browser/device may be configured to clear its cache automatically when you close it, which generally clears any tokens as well. This would force you to authenticate every time you reopen it.

I don't have the "Send me a push" option in the Duo MFA web interface, and I don't have a passcode to log in with.
This can happen if you didn't complete the Duo Mobile MFA app enrolment. For instructions on how to complete your device enrolment see How to Re-enrol Your Duo Mobile MFA App or contact IST.

I temporarily don't have access to the device I use with Duo MFA and can't log in.
Contact IST and request Duo MFA bypass codes. After verifying your identity, IST can provide you with codes that can be used to log in to Duo MFA while you don't have access to your device.

The device I use with Duo MFA was reset, lost, stolen, or replaced and I can't log in, what should I do?
Contact IST and request to have your device removed from your Duo account. Once your device(s) has been removed, you will be prompted to set up a device the next time you log in to a Duo MFA protected application. IST can also provide you with passcodes which can be used to log in until your device is replaced or fixed.

I have stopped receiving push notifications in the Duo Mobile MFA app.
Please follow the troubleshooting steps found here. If you are still not receiving notifications after following these steps, please refer to your device's manufacturer for support.

I can't find or I am not able to install the Duo Mobile MFA app from the App Store on my device.
Duo Mobile MFA is available for iOS devices running iOS 14.0 and greater and Android devices running Android 10.0 and greater. If you do not see the app in your app store, or you get the message that your device doesn't support the app, then you can't use that device with Duo Mobile MFA. If you do not have access to a supported mobile device, we recommend that you speak with your manager about requesting a Duo MFA fob. See Installing the Duo Mobile MFA app on your mobile device for more information and direct links to the Duo Mobile MFA app in the app stores.

I'm getting notifications in the Duo Mobile MFA app that my device or browser is out of date.
Duo Mobile MFA helps keep your information secure by checking your software to ensure it's up to date. In most cases Duo Mobile MFA should provide you with instructions on how to update your software, but if you have any questions or concerns please contact IST.

I got locked out of Duo MFA from too many failed login attempts, what should I do?
After 10 failed login attempts, your Duo MFA account will be locked for 10 minutes, after which you will be able to log in again. If you continue to have issues logging in with Duo MFA, please contact IST.

I thought my Samsung device was encrypted, but the Duo Mobile MFA app is saying that my device is not encrypted and I can't use it with Duo MFA.
For instructions on how to ensure your Samsung device is fully encrypted, see How to Fully Encrypt a Samsung Device.