FAQs

General

 

The quickest way to access the IAM Service is to type my.ncedcloud.org into your browser window and go there directly.  If you want to bookmark the IAM Service, see the FAQ on "How Do I Bookmark the IAM Service?"

  TYPE...   

     

Once you see the login screen, enter your Username (State UID number), then click on "Go".  After entering your password at the next screen, type "Go" again, and you'll be logged in to the NCECloud IAM Service (unless you need to enter a One Time Password (OTP) because you're required to use Multi-factor Authentication (MFA).

     

If you Forgot your username, or are Claiming Your Account for the first time, your username is the Pupil Number (for Students) or the 10-digit State Employee UID for teachers and staff. Employee UID numbers should be in the Staff UID system as well as Payroll, so your Finance Department may be able to help you locate it, or anyone with a Help Desk role in the NCEdCloud can look it up. Teachers have the ability to see their students' usernames/UIDs under the "My Students" view in People.

If you see "The request is invalid" message (shown below), it's likely because you either used the "back button" to try to get to the login page, or you "bookmarked" the Login Screen (where you enter your Username) which won't work. 

To get to the IAM Service (to access your applications or change/reset your password for example), go to my.ncedcloud.orgBookmark the page where you see your Applications. Then in the future, when you click on the bookmark you created for the Applications page, it will take you to the Logon page and then transfer you to NCEdCloud. If you try to go directly to the login screen by bookmarking it, the IAM Service won't know where to send you after you login (e.g. the RapidIdentity Portal, PowerSchool, etc.).  That's why you get an error.

 

If you have trouble getting to the NCEdCloud IAM Service "Applications", please follow your local support process for resolving technology issues. If your local support staff cannot resolve your problem, they are authorized to escalate the problem to the Identity Automation Support Community for resolution.

No. As of July 2015 the NCEdCloud IAM Service was integrated with all Home Base applications and is no longer an Opt-In Service (you need to access Home Base / statewide applications through the NCEdCloud portal). The Single Sign-On (SSO) feature of the NCEdCloud IAM Service enables users to log into the portal one time, and then access any of the Home Base applications or any other applications/resources that have been integrated with the IAM Service for your PSU, without needing to login again.

Non- Home Base Target Applications will continue to be opt-in for PSUs, and if you wish to have these integrated with the NCEdCloud for your PSU you can find out what's available on the Target Applications page.

 

 

If you want to BOOKMARK the NCEdCloud IAM Service, DO NOT bookmark the Login Screen where you enter your username and password, but rather the Rapid Identity Applications page (where the application icons are displayed).  Then whenever you want to go to the IAM Service you can click on that bookmark.

Key points to remember for Bookmarking the IAM Service:

 

          .

  Don't Bookmark!                                            BOOKMARK                            

 

There are three main criteria for challenge questions:  

  • 5 of the 10 questions listed must be answered

  • The answers must be 3 or more characters

  • Answers can not be repeated among questions

In addition, the answers are not case-sensitive.

If a question is not answered it will be ignored in the password recovery process. For example, if you initially answer only 5 of the questions then you will be challenged with 2 of those 5 question. If you initially answer 6 questions then you will be challenged with 2 of those 6. You will never be asked a question that you did not answer during setup.

No, the response to a challenge question is not case-sensitive.

The default username for both staff and students is the numeric (up to 10 digits) state UID.  However, we have also implemented an enhancement to allow PSUs to opt-in to using an "Alias ID". This can be the user's email address (staff and/or students), or if the PSU provides a nightly file upload, a "local ID", usually the local username used in Active Directory or another directory.

LEA Administrators interested in using an Alias ID to login should check out the Alias ID page under Opt-In Features. (It's also linked above).

Users (both staff and students) can login to the NCEdCloud IAM Service without an email address in their account data, however, there may be drawbacks.

  1. Some internal messaging (in the IAM Service) requires an email to operate - e.g. forgot my password

  2. Some Target Applications expect to receive an email address when users login.  If it's not present in the source data (e.g. PowerSchool, LINQ HR, HRMS), and therefore not updated in the IAM Service, then the user won't be able to login to the application or some functionality may be limited.

  3. If a PSU wants to opt-in to Alias ID (and use an email address rather than the numeric UID to login), any user without an email address in the IAM Service wouldn't be able to take advantage of that feature.

 

Users are not able to edit their profiles to add/change their email address in the IAM Service. Email address is populated from the nightly source data. Email address for students always comes from their Student System record.  Employee email address is prioritized in the following order: PowerSchool records, LINQ HR, and lastly HRMS.  The nightly data feed uses the first email address it finds for an employee in that specific order.  If a teacher has an email address in PowerSchool AND in HRMS, only the address in PowerSchool will be captured and sent in the nightly updates to NCEdCloud.

It is recommend that PSUs populate email addresses for all their users, as some target applications require the email address for user accounts.  Without having email associated with the provisioned/rostered user account, functionality of those target applications could be significantly impacted.

Unfortunately, we have been having intermittent issues with employee emails not populating NCEdCloud accounts for several years now. While we have been able to repair and improve certain parts of this process, it still is not functioning reliably.

Employee emails entered in the NC SIS (PowerSchool) will populate into NCEdCloud correctly. There are rarely any issues with this process.

Employee emails entered in LINQ or HRMS will not reliably populate NCEdCloud accounts. This data may or may not be populated in its entirety across a PSU, and it may or may not be consistent each day.

Lastly, If the PSU opts in to using Alias ID with email addresses, those users without an email address will only be able to use their UID as their Username when logging into the NCEdCloud IAM Service.

Users who have more than one valid email address (e.g. they have active assignments in two or more PSUs with an email address issued by each PSU), may now see all valid emails in the IAM service. Those users will have the ability to choose a preferred email address from within their Profile settings in my.ncedcloud.org. 

The preferred email address will be the one used by the NCEdCloud IAM Service when populating “email address” for integrated Target Applications. To choose a preferred email address, click on your name at the top right of the page (in the red bar), and click on Profile Settings.  Then click on the red "edit profile" button at the bottom of your settings block.  You will then be able to set your primary email address in the email dropdown. 

preferred email address field
 

Web browser tabs or windows (in Chrome, Edge, Safari, Firefox, etc.) opened in “private” or “incognito” mode, will prevent session information from being shared between other tabs/windows. As a result there is no "memory" of logins done within other tabs, therefore, accessing NCEdCloud IAM applications in a new private tab or window would require another login. 

Private or Incognito mode should be disabled when using your browser for NCEdCloud Target Applications (e.g. PowerSchool, Amplify, Destiny, etc), to take advantage of Single Sign-0n.

 

If your PSU has purchased ADDITIONAL Amplify coverage for students in grades 5-6, you can Submit the Amplify Request Form to add the icon to your PSU for Grades 5 and/or 6.  Once enabled, the icon will be presented to ALL students in the grades selected, as we cannot currently manage school-level icons for the entire state.  Note: This form must be filled out and submitted by a PSU staff member with the "LEA Administrator role" in the NCEdCloud.

 

LEA Administrators and Data Managers in the PSUs have asked: "Which PowerSchool field is matched against the NCEdCloud Username (State UID for employees or students) when a user logs into PowerSchool?" 

The UID number is the unique identifier for NCEdCloud IAM Service accounts, and it is stored within PowerSchool as follows:

  • employees => SIF_StatePrid
  • student => State_studentnumber

 

*Please note that on some screens, SIF_StatePrid may show up as StatePrId (it is the same thing), so 

for employees:  SIF_StatePrid <=> StatePrID <=> UID

*Also note, if you see Student_number on the screen, it is the same number as the state_studentnumber, so 

for students: Student_number <=> state_studentnumber <=> UID

 

The current Home Base SSO process does not include SLO either, not an excuse, just a fact.  To a large extent this is an artifact of the underlying SAML protocol that enables the SSO functionality.  We have talked about the balance between security and incomplete log outs. The IAM Service presents a message to the users reminding them to completely close their browser when logging out:

Reminder to users to close browser when logging out.

User Passwords and Expiration

  • Passwords shall be at a minimum 8 characters in length and no longer than 16 characters.
  • Passwords shall be comprised of at least one of each of the following:
    • Upper case letters
    • Lower case letters
    • Numbers
  • Passwords shall not contain the username alias (the portion of the user’s email address before @yourdomain.com).  
  • Username, first name, last name, spaces cannot be used within the password
  • Passwords shall not begin or end with ! (an exclamation point)
  • Allowed special characters are: @ # $ % ^ & * - _ + = [ ] { } | \ : ’ . ? / ` ~ ” < > ( ) ; !
  • Passwords shall not be shared. No one will ever ask you for your password.
  • Passwords shall be changed at a minimum every 90 days for all in-scope users (employees)
  • If a user suspects any password has been compromised or is known by another individual the user shall immediately change their password and notify their local administration

 

The self-service function of changing a user password is fairly straight forward:

 

Step 1: Log into the NCEdCloud IAM Service, and at the Applications screen click on "Profiles".

Step 2: At the My Employee Profile screen click on the "Change Password" button.

Step 3: Review the Password Policy requirements and Enter your Current Password

Step 4: When you begin typing your "New" password, you will see an error message "Password Does Not Meet Requirements" (in red) displayed at the bottom of the screen.  This is normal until you have fill all the requirements of the password policy (length, case, number).

      

Step 5: Once you have entered a password that meets the Password Policy requirements, the message will change to "Password Meets Requirements" (green).

Step 6: Once you enter a new valid password (green message remains), you will need to Confirm it by retyping the password.  Until you accurately duplicate your new password, the "Change Password" button at the bottom will remain "grayed out".  When you type in an exact match to your new password, the button will become active and you can click on "Change Password" to complete your password change.

    

Step 7: Once you have completed the above screens and clicked on Change Password, you should see the following screen indicating a successful password change:

 


* Error:  If you receive the following message after clicking on change Password, it means that you mistyped your current (old) password in the first box.

 

 

 

Yes, passwords can be changed at any time, but for employees they must be changed at least every ninety (90) days. For students, the password expiration feature may optionally be turned on if the LEA wishes.

Password change notifications will begin ten (10) days prior to a user’s password expiration. Within the 10-day window, each time a user logs into the IAM Service they will receive a pop-up notifying them their password will soon expire and they will be prompted to update their password. Users will continue to receive this notification until the password has been reset. Failure to change your password during this 10-day period will result in the user being prevented from further logins until they complete a password reset, which will be required by the IAM Service the next time the user tries to login.

If you forgot your password, you can reset it using the IAM Service's "Password Reset" functionality:

  1. Go to my.ncedcloud.org
  2. Click the "Password Reset" link
  3. Enter your username and check the "I'm not a robot" box
  4. You'll then be asked to answer some of your challenge questions 
  5. Next you can set a new password, and you're good for another 90 days until it expires
  6. Return to my.ncedcloud.org and proceed with your usual NCEdCloud activities

If the above steps are unsuccessful, please reach out to your school's Technology Support team for assistance with having your password reset.

 

Changing a user password that has expired is fairly straight forward:

Step 1: You attempt to login at the IAM Service RapidIdentity screen as usual.

Step 2: When you click on "Go" you receive a red error message indicating your password is expired.

     

Step 3: At the My Employee Profile screen click on the "Change Password" button.

Step 4: Review the Password Policy requirements and Enter your Current Password

Step 5: When you begin typing your "New" password, you will see an error message "Password Does Not Meet Requirements" (in red) displayed at the bottom of the screen.  This is normal until you have fill all the requirements of the password policy (length, case, number).

       

Step 6: Once you have entered a password that meets the Password Policy requirements, the message will change to "Password Meets Requirements" (green).

Step 7: Once you enter a new valid password (green message remains), you will need to Confirm it by retyping the password.  Until you accurately duplicate your new password, the "Change Password" button at the bottom will remain "grayed out".  When you type in an exact match to your new password, the button will become active and you can click on "Change Password" to complete your password change.

     

Step 8: Once you have completed the above screens and clicked on Change Password, you should see the following screen indicating a successful password change:

 


* Error:  If you receive the following message after clicking on change Password, it means that you mistyped your current (old) password in the first box.

 

 

When a new employee claims their IAM account they will be forced to set an initial password. They will be prompted to change their password beginning 80 days (10-day notice) after they set their initial password.

At this time, students are not required to change their passwords, however, it is a good practice to request they change their passwords at least yearly.  Additionally, LEA Administrators have the ability to regenerate the DEFAULT passwords of students for their entire PSU, by School (Campus Code), or by Grade (for the entire PSU or within a School).  See the Regeneration of Student Default Passwords page.

The workflow Request that changes the Default Password also has the ability to Optionally change the students' login password to the new value, and also force students to change their passwords when they first log in.

All users (both employees and students) have a default password that is randomly generated for that specific user when their account is created.  However, employees (and potentially secondary students) won't actually use their default password as they will set a new password when they claim their account.

For secondary students (grade 6 and higher) the PSU may optionally have those students claim their own accounts, OR the teachers may directly distribute the student usernames (pupil numbers) and default passwords.  To claim their own account, a secondary student would need their pupil number, grade, birthday in YYYYMMDD format, and the LEA code of their PSU.  When they start the process, they will be asked to chose and set their password. To complete the account claiming process (or during their first login if the account is not claimed), a secondary student will need to answer at least 5 challenge response questions. (See: Student Account Claiming).

For primary student accounts (grades 5 and below) the PSU has the option to use Badges (QR Code login) or Pictographs - see NCEdCloud Badges and Logins for PK-5 Students.  Otherwise, teachers will need to directly distribute the student usernames (pupil numbers) and default passwords. There is no claim account process (or challenge questions) for K-5 students.

 

Password history (whether you have previously used a password), follows the North Carolina state DIT policy for password "reuse". Currently, you may not use a password that has been used in the previous 24 password changes.

Student passwords can be changed or reset by the student, their teachers, and by anyone with an LEA Administrator, Help Desk, or Student Help Desk role. (See the Teachers page for how to change passwords within the My Students view).

Employee passwords can be changed or reset by the employee, or anyone with the LEA Administrator or Help Desk role.  Staff with a Student Help Desk role do not have access to staff accounts.

Additionally, staff with "School" Help Desk roles can only change passwords for users in the same school (students and/or staff).

LEA Administrators have the ability to regenerate the DEFAULT passwords for their students:

  • for the entire PSU
  • by School (Campus Code), or
  • by Grade
    • for the entire PSU or
    • within a single School

See Regeneration of Student Default Passwords.

The workflow Request that changes the Default Password also has the ability to Optionally change the students' login password to the new value, and also force students to change their passwords when they first log in.