FAQs | NCEdCloud IAM Service


How Do I Login to the IAM Service?

Thequickest wayto access the IAM Service is to typemy.ncedcloud.orginto your browser window and go there directly. If you want to bookmark the IAM Service, see the FAQ on "How Do I Bookmark the IAM Service?"


FAQs | NCEdCloud IAM Service (1)

Once you see the login screen, enter your Username (State UID number), then click on "Go". After entering your password at the next screen, type "Go" again, and you'll be logged in to the NCECloud IAM Service (unless you need to enter a One Time Password (OTP) because you're required to use Multi-factor Authentication (MFA).

How do I find out my Username?

If you Forgot your username, or are Claiming Your Account for the first time, your username is the Pupil Number (for Students) or the 10-digit State Employee UID for teachers and staff.Employee UID numbers should be in the Staff UID system as well as Payroll, so your Finance Departmentmay be able to help you locate it, or anyone with a Help Desk role in the NCEdCloud can look it up. Teachers have the ability to see their students' usernames/UIDs under the "My Students" view in People.

Why do I get an Error Message when I try to Logon?

If you see "Therequest is invalid" message (shown below), it's likely because you either used the "back button" to try to get to the login page, or you "bookmarked" the Login Screen (where you enter your Username) which won't work.

To get tothe IAM Service (to access your applications or change/reset your password for example), go to my.ncedcloud.org. Bookmark the page where you see your Applications.Then in the future, when you click on the bookmark you created for the Applications page, it will take you to the Logon page and then transferyou to NCEdCloud.If you try to go directly to the login screen by bookmarking it, the IAM Service won't know where to send you after you login (e.g. the RapidIdentity Portal, PowerSchool, etc.). That's why you get an error.

FAQs | NCEdCloud IAM Service (2)

Who do I call if I have issues logging in?

If you have trouble getting to the NCEdCloud IAM Service "Applications", please follow your local support process for resolving technology issues.If your local support staff cannot resolve your problem, they are authorized to escalate the problem to the Identity Automation Support Communityfor resolution.

Is the IAM Service Opt-In?

No. As of July 2015 the NCEdCloud IAM Service was integrated with all Home Base applications and is no longer anOpt-In Service (you need to access Home Base / statewide applications through the NCEdCloud portal).The Single Sign-On (SSO) feature of the NCEdCloud IAM Service enablesusers to log into the portal one time, and then access any of the Home Base applications or any other applications/resources that have been integrated with the IAM Service for your PSU, without needing to login again.

Non- Home Base Target Applications will continue to be opt-in for PSUs, and if you wish to have these integrated with the NCEdCloud for your PSU you can find out what's available on the Target Applications page.

How Do I BOOKMARK the IAM Service in my Browser?

If you want to BOOKMARK the NCEdCloud IAM Service, DO NOT bookmark the Login Screen where you enter your username and password, but rather the Rapid Identity Applications page (where the application icons are displayed). Thenwhenever you want to go to the IAM Service you can click on that bookmark.

Key points to remember for Bookmarking the IAM Service:

FAQs | NCEdCloud IAM Service (3) FAQs | NCEdCloud IAM Service (4).

Don't Bookmark! BOOKMARK

What are the criteria for setting up Challenge Questions?

There are three main criteria for challenge questions:

  • 5 of the 10 questions listed must be answered

  • The answers must be 3 or more characters

  • Answers can not be repeated among questions

In addition, the answers are not case-sensitive.

If a question is not answered it will be ignored in the password recovery process. For example, if you initially answer only 5 of the questions then you will be challenged with 2 of those 5 question. If you initially answer 6 questions then you will be challenged with 2 of those 6. You will never be asked a question that you did not answer during setup.

Are answers to challenge/response questions case-sensitive?

No, the response to a challenge question isnotcase-sensitive.

Can an email address be used to login?

The default username for both staff and students is the numeric (up to 10 digits) state UID. However, we have also implemented an enhancement to allow PSUs to opt-in to using an "Alias ID". This can be the user's email address (staff and/or students), or if the PSU provides a nightly file upload, a "local ID", usually the local username used in Active Directory or another directory.

LEA Administrators interested in using an Alias ID to login should check out the Alias ID page under Opt-In Features. (It's also linked above).

Is email address required in the IAM Service for employees and students?

Users (both staff and students) can login to the NCEdCloud IAM Service without an email address in their account data, however, there may be drawbacks.

  1. Some internal messaging (in the IAM Service) requires an email to operate - e.g. forgot my password

  2. Some Target Applications expect to receive an email address when users login. If it's not present in the source data (e.g. PowerSchool, LINQ HR, HRMS), and therefore not updated in the IAM Service, then the user won't be able to login to the application or some functionality may be limited.

  3. If a PSU wants to opt-in to Alias ID (and use an email address rather than the numeric UID to login), any user without an email address in the IAM Service wouldn't be able to take advantage of that feature.

Can users change their email address in their NCEdCloud account?

Users are not able to edit their profiles to add/change their email address in the IAM Service. Email address is populated from the nightly source data. Email address for students always comes from their Student System record. Employee email address is prioritized in the following order: PowerSchool records, LINQ HR, and lastly HRMS. The nightly data feed uses the first email address it finds for an employee in that specific order. If a teacher has an email address in PowerSchool AND in HRMS, only the address in PowerSchool will be captured and sent in the nightly updates to NCEdCloud.

It is recommend that PSUs populate email addresses for all their users,as some target applications require the email address for user accounts. Without having email associated with the provisioned/rostered user account, functionality of those target applications could be significantly impacted.

Unfortunately, we have been having intermittent issues with employee emails not populating NCEdCloud accounts for several years now. While we have been able to repair and improve certain parts of this process, it still is not functioning reliably.

Employee emails entered in the NC SIS (PowerSchool) will populate into NCEdCloud correctly. There are rarely any issues with this process.

Employee emails entered in LINQ or HRMS will not reliably populate NCEdCloud accounts. This data may or may not be populated in its entirety across a PSU, and it may or may not be consistent each day.

Lastly, If the PSU opts in to using Alias ID with email addresses, those users without an email address will only be able to use their UID as their Username when logging into the NCEdCloud IAM Service.

How do I select my preferred email address?

Users who have more than one valid email address (e.g. they have active assignments in two or more PSUs with an email address issued by each PSU), may now see all valid emails in the IAM service. Those users will have the ability to choose a preferred email address from within their Profile settings in my.ncedcloud.org.

The preferred email address will be the one used by the NCEdCloud IAM Service when populating “email address” for integrated Target Applications. To choose a preferred email address, click on your name at the top right of the page (in the red bar), and click on Profile Settings. Then click on the red "edit profile" button at the bottom of your settings block. You will then be able to set your primary email address in the email dropdown.

FAQs | NCEdCloud IAM Service (5)

Sometimes Single Sign-On (SSO) doesn't work, and I'm asked to logon to each application. Why is that?

Web browser tabs or windows (in Chrome, Edge, Safari, Firefox, etc.) opened in “private” or “incognito” mode, will prevent session information from being shared between other tabs/windows. As a result there is no "memory" of logins done within other tabs, therefore, accessing NCEdCloud IAM applications in a new private tab or window would require another login.

Private or Incognito mode should be disabled when using your browser for NCEdCloud Target Applications (e.g. PowerSchool, Amplify, Destiny, etc), to take advantage of Single Sign-0n.

How does my PSU add Grades 5/6 to the Amplify icon

If your PSUhas purchased ADDITIONAL Amplify coveragefor students in grades 5-6, you canSubmit the Amplify Request Formto add the icon to your PSU for Grades 5 and/or 6. Once enabled, the icon will be presented to ALL students in the grades selected, as we cannot currently manage school-level icons for the entire state. Note: This form must be filled out and submitted by a PSU staff member with the"LEA Administrator role" in the NCEdCloud.

What is the linking field between IAM Service accounts and PowerSchool?

LEA Administrators and Data Managers in the PSUs have asked: "Which PowerSchool field is matched against the NCEdCloud Username (State UID for employees or students) when a user logs into PowerSchool?"

The UID number is the unique identifier for NCEdCloud IAM Service accounts, and it is stored within PowerSchool as follows:

  • employees => SIF_StatePrid
  • student => State_studentnumber

*Please note that on some screens, SIF_StatePrid may show up as StatePrId (it is the same thing), so

for employees: SIF_StatePrid <=> StatePrID <=> UID

*Also note, if you see Student_number on the screen, it is the same number as the state_studentnumber, so

for students: Student_number <=>state_studentnumber <=> UID

Is Single Logout (SLO) enabled with the IAM Service?

The current Home Base SSO process does not include SLO either, not an excuse, just a fact. To a large extent this is an artifact of the underlying SAML protocol that enables the SSO functionality. We have talked about the balance between security and incomplete log outs. The IAM Service presents a message to the users remindingthem to completely close their browser when logging out:

FAQs | NCEdCloud IAM Service (6)

User Passwords and Expiration

What are the password requirements (characters required/excluded)?

  • Passwords shall be at a minimum 8 characters in length and no longer than 16 characters.
  • Passwords shall be comprised of at least one of each of the following:
    • Upper case letters
    • Lower case letters
    • Numbers
  • Passwords shall not contain the username alias (the portion of the user’s email address before @yourdomain.com).
  • Username, first name, last name, spaces cannot be used within the password
  • Passwords shall not begin or end with ! (an exclamation point)
  • Allowed special charactersare: @ # $ % ^ & * - _ + = [ ] { } | \ : ’ . ? / ` ~ ” < > ( ) ; !
  • Passwords shall not be shared. No one will ever ask you for your password.
  • Passwords shall be changed at a minimum every 90 days for all in-scope users (employees)
  • If a user suspects any password has been compromised or is known by another individual the user shall immediately change their password and notify their local administration

How do I change my password in the IAM Service?

The self-service function of changing a user password is fairly straight forward:

Step 1:Log into the NCEdCloud IAM Service, and at the Applications screen click on "Profiles".

FAQs | NCEdCloud IAM Service (7)

Step 2:At the My Employee Profile screen click on the "Change Password" button.

FAQs | NCEdCloud IAM Service (8)

Step 3:Review the Password Policy requirements andEnter your Current Password

Step 4:When you begin typing your "New" password, you will see an error message "Password Does Not Meet Requirements" (in red) displayed at the bottom of the screen. This is normal until you have fill all the requirements of the password policy (length, case, number).

FAQs | NCEdCloud IAM Service (9) FAQs | NCEdCloud IAM Service (10)

Step 5:Once you have entered a password that meets the Password Policy requirements, the message will change to "Password Meets Requirements" (green).

FAQs | NCEdCloud IAM Service (11)

Step 6:Once you enter a new valid password (green message remains), you will need to Confirm it by retyping the password. Until you accurately duplicate your new password, the "Change Password" button at the bottom will remain "grayed out". When you type in an exact match to your new password, the button will become active and you can click on"Change Password"to complete your password change.

FAQs | NCEdCloud IAM Service (12) FAQs | NCEdCloud IAM Service (13)

Step 7:Once you have completed the above screens and clicked on Change Password, you should see the following screen indicating a successful password change:

FAQs | NCEdCloud IAM Service (14)

* Error: If you receive the following message after clicking on change Password, it means that you mistyped your current (old) password in the first box.

FAQs | NCEdCloud IAM Service (15)

May I change my password at any time?

Yes, passwords can be changed at any time, but for employeestheymust be changed at least every ninety (90) days. For students, the password expiration feature mayoptionally be turned on if the LEA wishes.

Will I be notified that my password is about to expire?

Password change notifications will begin ten (10) days prior to a user’s password expiration. Within the 10-day window, each time a user logs into the IAM Service they will receive a pop-upnotifying them their password will soon expire and they will be prompted to update their password. Users will continue to receive this notification until the password has been reset.Failure to change your password during this 10-day period will result in the user being prevented from further logins until they complete a password reset, which will be required by the IAM Service the next time the user tries to login.

What should I do if I forgot my password?

If you forgot your password, you can reset it using the IAM Service's "Password Reset" functionality:

  1. Go to my.ncedcloud.org
  2. Click the "Password Reset" link
  3. Enter your username and check the "I'm not a robot" box
  4. You'll then be asked to answer some of your challenge questions
  5. Next you can set a new password, and you're good for another 90 days until it expires
  6. Return to my.ncedcloud.org and proceed with your usual NCEdCloud activities

If the above steps are unsuccessful, please reach out to your school's TechnologySupport team for assistance with having your password reset.

How do I change my password if it's already EXPIRED? **

Changing a user password that has expiredis fairly straight forward:

Step 1:You attempt to login at the IAM Service RapidIdentity screen as usual.

Step 2:When you click on "Go" you receive a red error message indicating your password is expired.

FAQs | NCEdCloud IAM Service (16) FAQs | NCEdCloud IAM Service (17)

Step 3:At the My Employee Profile screen click on the "Change Password" button.

FAQs | NCEdCloud IAM Service (18)

Step 4:Review the Password Policy requirements andEnter your Current Password

Step 5:When you begin typing your "New" password, you will see an error message "Password Does Not Meet Requirements" (in red) displayed at the bottom of the screen. This is normal until you have fill all the requirements of the password policy (length, case, number).

FAQs | NCEdCloud IAM Service (19) FAQs | NCEdCloud IAM Service (20)

Step 6:Once you have entered a password that meets the Password Policy requirements, the message will change to "Password Meets Requirements" (green).

FAQs | NCEdCloud IAM Service (21)

Step 7:Once you enter a new valid password (green message remains), you will need to Confirm it by retyping the password. Until you accurately duplicate your new password, the "Change Password" button at the bottom will remain "grayed out". When you type in an exact match to your new password, the button will become active and you can click on"Change Password"to complete your password change.

FAQs | NCEdCloud IAM Service (22) FAQs | NCEdCloud IAM Service (23)

Step 8:Once you have completed the above screens and clicked on Change Password, you should see the following screen indicating a successful password change:

FAQs | NCEdCloud IAM Service (24)

* Error: If you receive the following message after clicking on change Password, it means that you mistyped your current (old) password in the first box.

FAQs | NCEdCloud IAM Service (25)

When do new employees change their passwords?

When a new employee claims their IAM account they will be forced to set an initialpassword. They will be prompted to change their passwordbeginning 80 days (10-day notice) after they set their initial password.

Are students forced to change their passwords?

At this time, students are not required to change their passwords, however, it is a good practice to request they change their passwords at least yearly. Additionally, LEA Administrators have the ability to regenerate the DEFAULT passwords of students for their entire PSU, by School (Campus Code), or by Grade (for the entire PSU or within a School). See the Regeneration of Student Default Passwords page.

The workflow Request that changes the Default Password also has the ability to Optionally change the students' login password to the new value, and also force students to change their passwords when they first log in.

Are user passwords assigned or can I choose my own?

All users (both employees and students) havea default password that is randomly generated for that specific user when their account is created. However, employees (and potentially secondary students)won't actually use their default passwordas they will set a new passwordwhen they claim their account.

For secondarystudents (grade 6 and higher) thePSU may optionally have those students claim their own accounts,ORtheteachers may directly distribute the student usernames (pupil numbers) and default passwords. To claim their own account, a secondary student would need their pupil number, grade, birthday in YYYYMMDD format, and the LEA code of their PSU. When they start the process, they will be asked to chose and set their password. To complete the account claiming process (or during their firstlogin if the account is not claimed),a secondary studentwillneed to answerat least 5 challenge response questions. (See:Student Account Claiming).

Forprimarystudent accounts (grades 5 and below) the PSU has the option to use Badges (QR Code login) or Pictographs - see NCEdCloud Badges and Logins for PK-5 Students. Otherwise,teachers willneed todirectly distribute the student usernames (pupil numbers) and default passwords.There is no claim account process (or challenge questions) forK-5 students.

Can passwords be reused?

Password history (whether you have previously used a password), follows the North Carolina state DIT policy for password "reuse". Currently, you may not use a password that has been used in the previous 24 password changes.

Who can change user passwords?

Student passwords can be changed or reset by the student, their teachers, and by anyone with an LEA Administrator, Help Desk, or Student Help Desk role. (See the Teachers page for how to change passwords within the My Students view).

Employee passwords can be changed or reset by the employee, or anyone with the LEA Administrator or Help Desk role. Staff with a Student Help Desk role do not have access to staff accounts.

Additionally, staff with "School" Help Desk roles can only change passwords for users in the same school (students and/or staff).

Can the Default Password for students be changed?

LEA Administrators have the ability to regenerate the DEFAULT passwords for their students:

  • for the entire PSU
  • by School (Campus Code), or
  • by Grade
    • for the entire PSU or
    • within a single School

See Regeneration of Student Default Passwords.

The workflow Request that changes the Default Password also has the ability to Optionally change the students' login password to the new value, and also force students to change their passwords when they first log in.

