CCID & Passwords
-
Student Group Campus Computing IDs
Introduction

This article provides information on Student Group CCIDs, such as how to request and manage a Student Group’s CCID.

Applicability

This applies to registered Student Groups and their official executive roster.

Details

Other Student Group Resources

* Student Group Services website
* BearsDen

Before You Begin

* Your Student Group may only have 1 Student Group CCID.
* Your Student Group must be registered with Student Group Services and listed on BearsDen.
* New Student Group CCIDs can only be requested by a group’s primary contact or executive as per the group’s official group roster on BearsDen.

Important! If your Student Group is not publicly listed on BearsDen, i.e. registration with Student Group Services is not fully completed, IST cannot issue you a CCID or reset its password. Make sure your BearsDen group page is set up correctly.

* For an executive to be validated so they can use any of the Student Group CCID forms below, they have to be publicly visible at least to logged-in members or we cannot see and validate you.
* For a primary contact to be validated, they have to be an actual student and NOT the actual Student Group secondary CCID itself.
* The forms below need to be filled in by someone logging in to the service catalogue on their primary CCID, and not on the Student Group CCID.

The Student Group should collectively decide who should request a Student Group CCID, as the person requesting the CCID will be assigned administrative ownership of the CCID and will be responsible for the CCID’s administrative tasks outlined in this article.

If your group is not registered with Student Groups Services or your Student Group CCIDs are sponsored by a specific department, you should talk to your department contact for any Student Group CCID related matters instead.

Requesting a Student Group CCID

A Student Group’s executive or primary contact can request a CCID for their Student Group using the New CCID for Student Group form in our service catalogue.

If your group already has a CCID, you may not request another.

Renewing a Student Group CCID

Student Group CCIDs will have an expiration date of 1 year from the date they are created. The person requesting the CCID will be assigned administrative ownership of the CCID and be the person responsible for the annual renewal of the CCID.

The administrative owner will get an email 30 days prior to its expiration date. This email will include a link to a work item in our identity management system where they can renew the CCID by simply clicking the “Renew CCID” button in the linked work item.

Important! If a CCID is not renewed, access to it will be revoked on its expiration date, and all data therein will be permanently deleted 30 days after its expiration date. It is important to action the renewal emails as soon as possible. If access to the account is lost due to it not being renewed, see the "Regaining access to a Student Group CCID" section below.

Tip! If the CCID and its data are no longer required, the work item will also have a button to delete the CCID.

Managing access to your Student Group CCID

As the CCID is issued to a student group, multiple people may need access. It is recommended that access is provided using mailbox delegation. Only one group member should have access to the actual CCID password.

Changing Ownership of a Student Group CCID

The administrative owner of a Student Group CCID should always be a group’s primary contact or executive as per the group’s official group roster on BearsDen. If the current administrative owner is leaving the group or no longer associated with the group, this ownership needs to be transferred to someone who is. This is the responsibility of the outgoing executive team, but if that is forgotten, then the incoming executive team can also fill in the form below to get the CCID transferred to them.

To change the administrative ownership of a Student Group CCID, the CCID's owner or the Student Group's executive or primary contact can complete and submit the CCID Ownership Transfer for a Student Group form.

Tip! If you are unaware of who the current owner is, just leave that field blank.

Regaining access to a Student Group CCID

If the password for a student group CCID has been forgotten, a group’s primary contact or executive as per the official group roster in BearsDen can request a password reset using the CCID Student Group Password Reset form in our service catalogue.

Important! If no one on the current executive team remembers changing ownership via the CCID Ownership transfer form, and access to the account is now lost, then this most likely means the account has expired. If it is still in the 30-day window immediately following the CCID expiry, we can still retrieve the account and grant it to the new executive team. To get started on that process, fill in the CCID Ownership Transfer for a Student Group form.

Tip! If you are unaware of who the current owner is, just leave that field blank.

After the 30-day time period immediately following account expiration, the account will be automatically and irrevocably deleted and we will no longer be able to retrieve any data from it.

Requesting additional email addresses (aliases) for a Student Group CCID

You can request an email alias from the MyCCID Email Aliases page when logged in with the Student Group CCID. Please note the email alias must be over 8 characters long or contain a period and must represent your Student Group in some way. Ex. groupname.treasurer@ualberta.ca

Still need help? Please contact the Shared Services Staff Service Center.
-
CCID Offboarding Guidelines
Introduction

This article contains links to information regarding the CCID offboarding of university employees.

Applicability

This article is intended for Human Resources staff, CCID Authorized Approvers, or supervisors looking for guidelines on how to manage the CCID of an outgoing employee.

Details

This article has been replaced with the CCID Off-Boarding and Related Administration reference guide. You can find this reference guide here, or by navigating to EDRMS and searching for “CCID off-boarding”.

Please note: A valid, active employee role is needed to view this document.

For Step 1 of the "CCID Process for employees who are resigning, retiring, or leaving the University by mutual agreement" section of the above document, the HR partner, CCID Authorized Approver, or supervisor should fill in this form here for the quickest processing times. Please note that this is only to be used for AMICABLE departures. Refer to the document above for all other situations.
-
Enrol and Manage Self Service Password Reset Methods
Introduction

This article will outline how to enrol and manage your Campus Computing ID (CCID) Self Service Password Reset (SSPR) methods such as an alternate email account and/or mobile phone number.

Applicability

This article will be useful for students, applicants and staff who need to enrol for Self Service Password Resets (SSPR) or change their reset methods.

Procedure

Having an up-to-date Self Service Password Reset method allows you to reset a forgotten CCID password on your own time, whenever you need it.

When first enrolling in the Self Service Password Reset tool you will be asked to assign an alternate email address (not tied to your CCID) and/or mobile phone number that will be used for verification purposes in the event you forget your password. If you forget your password, these reset methods will be sent verification codes that you will use in the password reset process. Once a self service reset method has been enrolled, you can change it at any time.

The instructions below provide information on how to enrol, verify, change, and delete a password reset method.

Prerequisites:

* You must know your CCID and Password. If you don't know your CCID password you cannot enrol in Self Service Password Resets or edit your reset methods.
* If using email as a reset method, you must enrol with an ALTERNATE email account that you have access to. This can be any other email account you have access to such as Gmail or Hotmail; AND/OR,
* If using a mobile phone number as a reset method, you must use a mobile phone number you own and have access to.

How to enrol reset methods for Self Service Password Resets

1. Go to https://myccid.ualberta.ca/ to get started.
2. Select Enrol Now on the homepage OR Self Service Password Reset Management under the Profile Manager menu. Note: You may need to log in to the UAlberta Login page with your CCID and password if you haven’t already.
3. Click on the Add button in either the Email Reset Option or Mobile Phone Reset Option field.
4. In the Update Reset Option window, enter your preferred reset option, your CCID password, and select UPDATE. Important! A Verification Code will be sent to the entered reset option. It is needed for the next step.
5. In the Verify Reset Option window, enter the verification code from step 4 in the Verification Code field, and select UPDATE. NOTE! Verification codes expire in 1 hour. If your code is lost or expired, you can resend a code using the RESEND button on the Verify page.
6. Ensure the Status field shows as Verified for the appropriate reset option.

How to change or delete your password reset methods for Self Service Password Resets

1. Go to https://myccid.ualberta.ca/ to get started.
2. Select Enrol Now on the homepage OR Self Service Password Reset Management under the Profile Manager menu. Note: You may need to log in to the UAlberta Login page with your CCID and password if you haven’t already.
3. Click on the Edit or Delete button in either the Email Reset Option or Mobile Phone Reset Option field.
4. Follow the on-screen prompts.

When editing a reset option, it will need to be verified following the same steps as enrolling for Self Service Password Resets.

Renewing Your Self Service Password Reset Methods

Your reset options will expire 1 year after you entered them. When they have expired you will be prompted to renew them when logging in to UAlberta Log In. To renew your reset option(s), simply click on the link in the prompt and click on the Renew button beside your verification option and follow the prompts.

Additional Verification Information

If you do not complete the verification while adding the reset option, the Status for that reset option will show as Unverified. You can access the Verify Reset Option page at any time by clicking the Enter Verification Code button in the appropriate Reset Option section or by following the link in the message containing the verification code.

If your code is lost or does not work, you can resend a code using the RESEND button on the Verify Reset Option page. Verification codes expire in 1 hour.

If you have any questions or issues setting up your Self Service Password Reset methods, please contact Information Services & Technology.
-
Request to be added or removed as an Authorized Approver for a department
Introduction

Authorized Approvers (AAs) are appointed by a department's Dean, Director, or Chair, and are responsible for creating and maintaining department secondary CCIDs and assisting staff in their department with CCID password resets of both primary and secondary CCIDs (in the event that the staff member is unable to reset the password on their own or through IST).

Authorized Approvers may also perform other functions such as creating and maintaining Google Groups, creating Temporary Network Access IDs using the IIQ tool, and being IST's contact and escalation point for any CCID-related issues within their unit. These Authorized Approvers are also the people in the department who receive temporary passwords for new hires and Guests when they are added to PeopleSoft and a CCID is created for them.

This article will describe how someone can request to become an Authorized Approver for their department or request that they or someone else in their department be removed from the list.

Applicability

This article was written for staff at the University of Alberta.

Procedure

1. Have your department's Dean, Director or Chair fill out and sign the "Authorized Approver Signature Addendum", depending on whether an AA is being added or removed. The form can be found here under the "Authorized Approvers" column on the right side of the "Peoplesoft Security Forms" page.
2. Once filled out, follow the instructions on the bottom of the form and email a scanned image of the completed form to aissecurityforms@ais.ualberta.ca.

Other related forms including the one listed above can be found there as well. In particular, the "Authorized Approver Signature Form" is similar, but instead of making an addition or removal to the list of the department's Authorized Approvers, it fully replaces whoever the department has previously set as Authorized Approvers, with what is on the submitted form.

Important: To gain access to the suite of Authorized Approver tools in IIQ mentioned in the introduction, the new Authorized Approver should then contact IST and request training from the Identity and Application Support team.
-
Log out of Single Sign-On
Introduction

Single Sign-On (SSO) is a method of authentication where you use your Campus Computing Identification (CCID) and password to gain access to a number of different websites and services. With Single Sign-On, you only have to log in once, and you will have access to every supported service until you close your web browser. Some examples of these services at the University of Alberta include Bear Tracks and uAlberta Google Apps.

Everyone who uses Single Sign-On needs to ensure that they have logged out of secure and confidential systems. While you should close your web browser completely, there is no guarantee that your CCID authentication will end unless you also sign out of each application and service you open. This article will provide instructions for closing browsers.

Applicability

This article is for students and staff at the University of Alberta who use Single Sign-On to access services, sites, and applications including Bear Tracks and UAlberta Google Apps.

Procedure

Using the logout or sign-out option will log you out of an application, but it may not log you out of the authentication system. You should also close your web browser completely.

When using a public access computer, you may want to use a New Incognito Window or New Private Window (depending on the browser). These methods for opening a browser will forget all session information when you close the browser. You can do this by right-clicking your browser icon and choosing New Incognito Window or New Private Window.

Here are instructions for closing some common web browsers.

| Operating System | Web Browser | How To Completely Exit |
| --- | --- | --- |
| Windows | Firefox | Press and hold the key combination Ctrl+Shift+Q |
| Windows | Google Chrome | Click the three dots in the top right of the browser window and select Exit |
| Windows | Windows Edge | Click the three dots in the top right of the browser window and select Close Microsoft Edge |
| Mac | Safari | On the Safari menu bar select Quit Safari (shortcut key Command+Q) |
| Mac | Firefox | On the Firefox menu bar select Quit (shortcut key Command+Q) |
| Mac | Google Chrome | On the Chrome menu select Quit Google Chrome (shortcut key Command+Q) |
-
Offboarding - CCID Suspension Requests
Introduction

This article describes the procedure for offboarding a CCID when an employee is terminated, abruptly resigns, or is disrupted. For a standard offboarding, please use the CCID Offboarding Service Catalogue Request Form.

NOTE: This process is specific to University of Alberta CCIDs. It does NOT automatically include removal of domain access or local computer accounts. These generally are completed through the various departments' standard procedures. If you want these accounts to be disabled at the same time as the CCID, this MUST be specifically requested in the ticket.

Applicability

The article is intended for staff in both central and departmental Human Resource Services (HRS) roles. It is also applicable to the CISO Information Security team, and may contain information of note for the Identity and Access Services and Endpoint Support teams.

Policy or Process

Steps for Human Resources Contact:

Email abuse@ualberta.ca with the following information:

* Subject line: CCID Suspension Request
* CCID of employee being disrupted (or resigning)
* Employee ID of the employee being disrupted
* Department the individual works for
* Date and time the suspension is to occur
  * This generally happens at the same time the individual's disruption meeting is taking place
  * If this is an abrupt resignation, the time and date can be immediately. Please make this clear if this is the case

NOTE: The CISO Information Security team does not always see the tickets in our queue immediately. For time-sensitive disruptions/resignations, please call us at 780-492-1390 at least 24 hours (if possible) before requesting the ticket be made a priority.

CCID swap information:

All former employees must have access to their T4 tax forms from the University. To facilitate this for former staff, IST performs a "CCID swap". This swap involves creating a new CCID and transferring all the Bear Tracks and PeopleSoft information to the new account.

The new CCID WILL have access to a UAlberta email address, but the inbox (and Google Drive) will be completely empty. They will not have access to the former department's Google Drive files.

In cases of disruption/abrupt resignation/termination, we realize that there may be potential for abuse of a UAlberta email account. If you believe this situation may occur with a specific employee, we will not do the swap. In these cases, arrangements must be made for either central or departmental HRS to provide the employee with their tax forms at the start of the next year. IST does not have any involvement in this process.

Confirmation of receipt of request & next steps:

The CISO Information Security team will send you a confirmation of receipt as soon as we are able. If you have not received an email or a phone call within a few hours of submitting the request, we advise giving us a call (780-492-1390).

Once the suspension has been processed by the Information Security team, we will send you a form to fill out with additional information. This form is required for us to complete the request. Please return it as soon as possible.

Departmental access to former employees' accounts:

All requests for access to former employees' accounts require an approval process be followed. Please visit the Requesting Access to Offboarded Accounts knowledge base article for the procedure.

To make changes to the date or time please call us as soon as possible. We WILL do the CCID suspension at the time requested unless we hear from you.
-
Library Proxy Service Error
Introduction

This article describes an error message in which a CCID is flagged as expired by the Libraries' Proxy Service. In addition to describing the symptoms and cause of the issue, a resolution is provided.

Applicability

This article is for use by all users with a valid CCID attempting to access Library resources.

Symptoms

* You will experience multiple failed attempts to log in to any CCID protected service.
* You will experience the following error message when attempting to access the Libraries' Proxy Service:

"The Libraries' Proxy Service, which is used to access licensed resources from off-campus, shows that your CCID was used simultaneously or within a short timeframe from multiple geographic locations. Your CCID Username and Password were logged into the Proxy Service from multiple locations as follows:"

Cause

You may receive this error if your CCID password requires a reset. This issue is generally created when you attempt to access the Libraries' Online Resources from multiple geographic locations within a restricted timeframe. It can be falsely triggered if you attempt to log in while using a VPN service and then a local address OR if you attempt to log in from a location where access is restricted due to high levels of risk. The CCID password is expired by the system, which forces you to change your password in order to log in again.

Resolution

Alternately, you may contact the Shared Services Staff Service Center to request assistance with resetting your password.
-
Fully Encrypt a Samsung Android Device
Introduction

In some cases, Samsung Android devices may not be considered fully encrypted by the Duo Mobile app used for Multi-factor Authentication (MFA) or by mobile device management software even though encryption is enabled. This article provides information for Samsung Android device users looking to ensure their device is fully encrypted and meets encryption requirements.

Applicability

This article is intended for anyone who uses a Samsung Android 8 or newer mobile device. Samsung devices running Android 7 or older are unsupported, and should be updated or replaced if they are being used to access University data or accounts.

The issue addressed in this article may apply to other Android devices that aren't considered encrypted and do not require a PIN/Password/Pattern on startup; however, the steps to enable it may be different for other Android device manufacturers. Other Android device owners should refer to their device manufacturer for information on how to set up a PIN/Password/Pattern on startup.

Procedure

In order for a Samsung Android device to be fully encrypted, it must require a PIN, password, or pattern authentication ON STARTUP. This setting is referred to as Secure Startup or Strong Protection depending on the version of Android. If Secure Startup or Strong Protection is not enabled, these devices use a default password for encryption and aren't considered fully encrypted. Enabling Secure Startup or Strong Protection on your device will ensure your device is fully encrypted using a custom encryption PIN/Password/Pattern.

Note that requiring a PIN/Pattern/Password/Biometrics on the lock screen is different from requiring a PIN/Pattern/Password on startup. It is possible to have a PIN/Pattern/Password enabled for the lock screen, while not having a PIN/Pattern/Password enabled on startup.

Enable Secure Startup on Android 8/9/10 Samsung Devices

1. On your mobile device open your Settings, tap on the magnifying glass search icon and search for Secure Startup. On most Samsung devices you will find the Secure Startup setting under either the Biometrics and security or Lock Screen and Security menus.
2. Tap Secure Startup.
3. Change this setting to Require PIN when device powers on and select Apply. NOTE: On some versions of Android this setting may be to require a pattern or password instead, which is equivalent.
4. Follow the on-screen instructions to set a PIN.

Enable Strong Protection on Android 11 Samsung Devices

1. On your mobile device open your Settings, tap on the magnifying glass search icon and search for Strong Protection. On Android 11 Samsung devices you will find the Strong Protection setting under Biometrics and security > Other security settings.
2. Tap Strong Protection.
3. Toggle this setting to ON.
4. Follow the on-screen instructions to set a PIN.

Important! The PIN/Password/Pattern that you set will be required each time you reboot or start up your device. Make sure you do not forget this code!

If further assistance is required, please contact IST.
-
UAlberta Login Consent Prompt
Introduction

This article provides an overview of the consent prompt that is displayed when logging in to Canadian Access Federation (CAF) affiliated websites using the UAlberta Login Single-Sign-On service.

Applicability

This article applies to any U of A CCID holder that will be logging in to the CAF affiliated websites or resources.

Details

The University of Alberta is a member of the Canadian Access Federation (CAF). As a CAF member, a UAlberta CCID account holder may be able to access other CAF affiliated websites using the UAlberta Login Single-Sign-On system and their CCID credentials.

When authenticating to a CAF affiliated site with UAlberta Login, a CCID account holder will be presented a prompt that displays what account information will be shared with the site and requires the CCID holder’s consent to sharing this data with the site. If consent is not given, the account data will not be shared with the site and access to the site will not be granted. Consent to share this data is required each time a CCID account holder logs in to a CAF affiliated website.

As the University of Alberta is in no way in control of or affiliated with all CAF affiliated websites, beyond being a CAF member, the consent prompt was added to ensure that UAlberta CCID account holders are aware of the data being shared with these sites. It is the responsibility of the account holder to understand the privacy and security policies of the website they are authenticating to prior to consenting to sharing their data.

Some CAF affiliated websites may restrict access to their sites based on a CCID account holder's affiliation to their institution (e.g. some sites may only be accessible to students). Having a UAlberta CCID account does not guarantee access to all CAF affiliated sites.

What will you see when logging in to CAF affiliated websites?

The screenshot below provides an example of the consent prompt that you may see when logging in to CAF affiliated websites.

The consent prompt includes the following:

* A description of the consent required, which will include the name or URL of the website being accessed.
* Buttons to either agree to or decline sharing this information with the site
* User Information*
  * Person’s principal name at home organization will appear as YOURCCID@ualberta.ca
  * Display Name will appear as your first name
  * Given Name will appear as your first name
  * Surname will appear as your last name
  * Mail will appear as YOURCCID@ualberta.ca
  * Affiliation at home organization may include values like Student/Faculty
  * eduPersonTargetedID is a unique value that provides no specific information about you or your account but will be persistent every time you access a particular site. This allows a site to save your preferences without actually retaining any other specific information about you.

*This user information is an example of what you may see, but is not inclusive. Other attributes that are not listed in this article may be requested by the website and listed in the consent prompt.

If you have any questions regarding this article or its contents, please contact IST.
-
UAlberta Login Attributes
Introduction

This article will outline all the available attributes from UAlberta Login.

Applicability

Anyone configuring a service that will use UAlberta Login for authentication.

Attributes

UAlberta Login provides a number of attributes to a Service Provider (SP) when a user accesses the application. The attributes will only be provided when a user is redirected from the Identity Provider (IdP), UAlberta Login, to the SP they are accessing.

Attributes will always be provided using the OID value rather than the friendly name for the attribute. If you would like to use the friendly name for the attribute in your application, you will need to ensure you have an appropriate attribute map so the SP software knows how to rename the OIDs.

Default Attributes

The default attributes will always be provided unless you request specific attributes to be sent to your SP.

| Attribute Name | OID | Example | Description |
| --- | --- | --- | --- |
| eduPersonTargetedID | urn:oid:1.3.6.1.4.1.5923.1.1.1.10 | https://login.ualberta.ca/saml2/idp/metadata.php!https://sp.srv.ualberta.ca/shibboleth!b2661071653f8b9021344ddf17f9e005097edd22 | This attribute is a pseudonymous identifier that is specific to each user and SP. |
| givenName | urn:oid:2.5.4.42 | Jonathan | This is the legal first name of the user. If you would rather use preferred name, look at the displayName attribute instead. |
| sn | urn:oid:2.5.4.4 | Doe | This is the legal last name of the user. There is no preferred last name available. |
| uid | urn:oid:0.9.2342.19200300.100.1.1 | jdoe | The Campus Computing ID. |

Additional Public Attributes

These attributes are public data, but aren't provided by default. These attributes can be provided upon request.

| Attribute Name | OID | Example | Description |
| --- | --- | --- | --- |
| displayName | urn:oid:2.16.840.1.113730.3.1.241 | John | Preferred name set in Bear Tracks |
| eduPersonPrincipalName | urn:oid:1.3.6.1.4.1.5923.1.1.1.6 | jdoe@ualberta.ca | Scoped version of uid. Always CCID@ualberta.ca |
| mail | urn:oid:0.9.2342.19200300.100.1.3 | jdoe@ualberta.ca | The University provided email address. Always CCID@ualberta.ca |

Private Attributes

These attributes are considered to be private data. If you require any of the following attributes, you must complete an IMS Interface Agreement. Please contact IST at ist@ualberta.ca.

| Attribute Name | OID | Example | Description |
| --- | --- | --- | --- |
| departmentNumber | urn:oid:2.16.840.1.113730.3.1.2 | 000001 | List of department numbers |
| eduPersonAffiliation | urn:oid:1.3.6.1.4.1.5923.1.1.1.1 | member;staff | Affiliation to the University (not to be confused with RTI). Possible affiliations are: member, faculty, staff, student. |
| eduPersonScopedAffiliation | urn:oid:1.3.6.1.4.1.5923.1.1.1.9 | member@ualberta.ca;staff@ualberta.ca | Exactly the same as eduPersonAffiliation, but with a scope of @ualberta.ca |
| employeeNumber | urn:oid:2.16.840.1.113730.3.1.3 | 1234567 | Unique 7 digit identifier for each person. If the CCID is a department-owned secondary CCID, this will be populated with the departmentNumber the CCID is assigned to. |
| institutionalIdentifier | institutionalIdentifier | UOFAB | Institution of the person |
| organizationalStatus | urn:oid:0.9.2342.19200300.100.1.45 | tamis;cona | A list of statuses on the CCID. There are a number of possible values. |
| uOfAAccountType | urn:oid:1.3.6.1.4.1.11933.1.13 | primary | Indicates if a CCID is primary or secondary. |
| uOfAOCCardID | urn:oid:1.3.6.1.4.1.11933.8.3 | 111234567 | ONECard ID |
| uOfAOCProxID | urn:oid:1.3.6.1.4.1.11933.8.6 | 01234 | ONECard Prox ID |
| uOfAOCSuffix | urn:oid:1.3.6.1.4.1.11933.8.9 | 01 | ONECard suffix |
| uidNumber | uidNumber | 98765 | 5 digit unix ID tied to a CCID. Used in systems like AFS. |
| uOfARTI | uofarti | EMP;SUP | List of Relationships to the Institution. |
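
An attribute map of the kind this article asks for, as an added example (not code from UAlberta or from any SP product): Python that renames the OID-named attributes listed above to their friendly names, keeps unrecognised attributes separate, and reports any default attribute that did not arrive. The sample statement and the OID `urn:oid:1.3.6.1.4.1.99999.1` are constructed, and the code assumes the SP's SAML library has already verified the assertion signature.

```python
"""Rename OID-named SAML attributes to friendly names (added example)."""
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# OID -> friendly name, copied from the Default and Additional Public tables.
# Private attributes can be appended once they are released to the SP.
ATTRIBUTE_MAP = {
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.10": "eduPersonTargetedID",
    "urn:oid:2.5.4.42": "givenName",
    "urn:oid:2.5.4.4": "sn",
    "urn:oid:0.9.2342.19200300.100.1.1": "uid",
    "urn:oid:2.16.840.1.113730.3.1.241": "displayName",
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.6": "eduPersonPrincipalName",
    "urn:oid:0.9.2342.19200300.100.1.3": "mail",
}

# Attributes the article says are sent unless specific ones are requested.
DEFAULT_ATTRIBUTES = ("eduPersonTargetedID", "givenName", "sn", "uid")

# Constructed sample: an AttributeStatement as the SP would hold it after
# signature validation. The last attribute uses a made-up OID to show how
# an attribute missing from the map is handled.
SAMPLE_STATEMENT = f"""<saml:AttributeStatement xmlns:saml="{SAML}">
  <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10">
    <saml:AttributeValue>https://login.ualberta.ca/saml2/idp/metadata.php!https://sp.srv.ualberta.ca/shibboleth!b2661071653f8b9021344ddf17f9e005097edd22</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="urn:oid:2.5.4.42">
    <saml:AttributeValue>Jonathan</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="urn:oid:2.5.4.4">
    <saml:AttributeValue>Doe</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.1">
    <saml:AttributeValue>jdoe</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="urn:oid:1.3.6.1.4.1.99999.1">
    <saml:AttributeValue>constructed-value</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>"""


def map_attributes(statement_xml):
    """Return (mapped, unmapped).

    mapped:   friendly name -> list of values, for OIDs in ATTRIBUTE_MAP
    unmapped: raw attribute Name -> list of values, for everything else,
              so the application never consumes an attribute it did not
              expect under a guessed name.
    """
    root = ET.fromstring(statement_xml)
    mapped, unmapped = {}, {}
    for attr in root.iter(f"{{{SAML}}}Attribute"):
        name = attr.get("Name", "")
        # itertext() also covers values wrapped in a child element.
        values = ["".join(v.itertext()).strip()
                  for v in attr.findall(f"{{{SAML}}}AttributeValue")]
        target = mapped if name in ATTRIBUTE_MAP else unmapped
        target.setdefault(ATTRIBUTE_MAP.get(name, name), []).extend(values)
    return mapped, unmapped


def missing_defaults(mapped):
    """List default attributes that are absent or carry only empty values."""
    return [n for n in DEFAULT_ATTRIBUTES if not any(mapped.get(n, []))]


if __name__ == "__main__":
    mapped, unmapped = map_attributes(SAMPLE_STATEMENT)
    for friendly, values in mapped.items():
        print(f"{friendly}: {values}")
    print("unmapped:", unmapped)
    print("missing defaults:", missing_defaults(mapped))
```
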