Staff FAQ


This document is intended for employees and addresses some of the most frequently asked questions and scenarios.

How Do I Login to the IAM Service?

The quickest way to access the IAM Service is to type my.ncedcloud.org into your browser window and go there directly.

How Do I BOOKMARK the IAM Service in my Browser?

If you want to BOOKMARK the NCEdCloud IAM Service, DO NOT bookmark the Login Screen where you enter your username and password, but rather the Rapid Identity Applications page (where the application icons are displayed).  Then whenever you want to go to the IAM Service you can click on that bookmark.

Don’t Bookmark

Bookmark

Why do I get an Error Message when I try to Logon?

If you see the "The request is invalid" message (shown below), it's likely because you either used the "back button" to try to get to the login page, or you "bookmarked" the Login Screen (where you enter your Username), which won't work.

To get to the IAM Service (to access your applications or change/reset your password for example), go to my.ncedcloud.org. Bookmark the page where you see your Applications. Then in the future, when you click on the bookmark you created for the Applications page, it will take you to the Logon page and then transfer you to NCEdCloud. If you try to go directly to the login screen by bookmarking it, the IAM Service won't know where to send you after you login (e.g. the RapidIdentity Portal, PowerSchool, etc.).  That's why you get an error.

Who do I call if I have issues logging in?

If you have trouble getting to the NCEdCloud IAM Service "Applications", please follow your local support process for resolving technology issues. If your local support staff cannot resolve your problem, they are authorized to escalate the problem to the Identity Automation Support Community for resolution.

Is the IAM Service Opt-In?

No. As of July 2015 the NCEdCloud IAM Service was integrated with all NCED Connect applications and is no longer an Opt-In Service (you need to access NCED Connect / statewide applications through the NCEdCloud portal). The Single Sign-On (SSO) feature of the NCEdCloud IAM Service enables users to log into the portal one time, and then access any of the NCED Connect applications or any other applications/resources that have been integrated with the IAM Service for your PSU, without needing to login again.

What are the criteria for setting up Challenge Questions?

There are three main criteria for challenge questions:  

  • 5 of the 10 questions listed must be answered

  • The answers must be 3 or more characters

  • Answers cannot be repeated among questions

In addition, the answers are not case-sensitive.

If a question is not answered, it will be ignored in the password recovery process. For example, if you initially answer only 5 of the questions, then you will be challenged with 2 of those 5 questions. If you initially answer 6 questions, then you will be challenged with 2 of those 6. You will never be asked a question that you did not answer during setup.

Are answers to challenge/response questions case-sensitive?

No, the response to a challenge question is not case-sensitive.

Can an email address be used to login?

By default, usernames for staff and students are the numeric state UID (up to 10 digits) or email address, unless your PSU has opted out of email addresses.

Can users change their email address in their NCEdCloud account?

Please reach out to your local district’s IT team for help with changing your email address.

How do I select my preferred email address?

Users who have more than one valid email address (e.g. they have active assignments in two or more PSUs with an email address issued by each PSU), may now see all valid emails in the IAM service. Those users will have the ability to choose a preferred email address from within their Profile settings in my.ncedcloud.org.

The preferred email address will be the one used by the NCEdCloud IAM Service when populating “email address” for integrated Target Applications. To choose a preferred email address, click on your name at the top right of the page (in the red bar), and click on Profile Settings.  Then click on the red "edit profile" button at the bottom of your settings block.  You will then be able to set your primary email address in the email dropdown.

Sometimes Single Sign-On (SSO) doesn't work, and I'm asked to logon to each application. Why is that?

Web browser tabs or windows (in Chrome, Edge, Safari, Firefox, etc.) opened in “private” or “incognito” mode do not share session information with other tabs/windows. As a result, there is no "memory" of logins done within other tabs, so accessing NCEdCloud IAM applications in a new private tab or window requires another login.

Private or Incognito mode should be disabled when using your browser for NCEdCloud Target Applications (e.g. PowerSchool, Amplify, Destiny, etc.) to take advantage of Single Sign-On.

Is Single Logout (SLO) enabled with the IAM Service?

NCED Connect SSO does not currently support Single Logout (SLO). This is largely due to limitations in the underlying SAML protocol that enables SSO functionality. Because a complete logout requires closing the browser entirely, the IAM Service displays a reminder message to users prompting them to do so when logging out.

What are the password requirements (characters required/excluded)?

  • Passwords shall be at a minimum 8 characters in length and no longer than 16 characters.

  • Passwords shall be comprised of at least one of each of the following:

      • Upper case letters

      • Lower case letters

      • Numbers

  • Passwords shall not contain the username alias (the portion of the user’s email address before @yourdomain.com).  

  • Username, first name, last name, and spaces cannot be used within the password

  • Passwords shall not begin or end with ! (an exclamation point)

  • Allowed special characters are: @ # $ % ^ & * - _ + = [ ] { } | \ : ’ . ? / ` ~ ” < > ( ) ; !

  • Passwords shall not be shared. No one will ever ask you for your password.

  • Passwords shall be changed at a minimum every 90 days for all in-scope users (employees)

  • If a user suspects any password has been compromised or is known by another individual the user shall immediately change their password and notify their local administration
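The length, character and name rules in this list, written out as an added Python check; it is not code from the NCEdCloud IAM Service, which remains the authority on what is accepted. It assumes the curly quotes in the allowed-characters line stand for ASCII ' and ", and that the name checks ignore case (the page does not say); the sample user is constructed.

```python
import string

# Special characters from the page's allowed list. Assumption: the curly
# quotes shown on the page stand for the ASCII ' and " characters.
ALLOWED_SPECIALS = set("@#$%^&*-_+=[]{}|\\:'.?/`~\"<>();!")
ALLOWED = set(string.ascii_letters + string.digits) | ALLOWED_SPECIALS


def check_password(password, username, email, first_name, last_name):
    """Return a list of policy violations; an empty list means it passes."""
    problems = []
    if not 8 <= len(password) <= 16:
        problems.append("length must be 8 to 16 characters")
    if not any(c.isupper() for c in password):
        problems.append("needs an upper case letter")
    if not any(c.islower() for c in password):
        problems.append("needs a lower case letter")
    if not any(c.isdigit() for c in password):
        problems.append("needs a number")
    if " " in password:
        problems.append("spaces are not allowed")
    # Anything outside letters, digits and the listed specials is rejected.
    bad = sorted(set(password) - ALLOWED - {" "})
    if bad:
        problems.append("characters not allowed: " + "".join(bad))
    if password.startswith("!") or password.endswith("!"):
        problems.append("must not begin or end with !")
    # Assumption: identity checks ignore case; the page does not say.
    lowered = password.lower()
    alias = email.split("@", 1)[0]  # part of the email before the @
    for label, value in (("username alias", alias), ("username", username),
                         ("first name", first_name), ("last name", last_name)):
        if value and value.lower() in lowered:
            problems.append("must not contain the " + label)
    return problems


# Constructed sample user, not a real account.
SAMPLE_USER = ("1234567890", "jdoe@example.org", "Jane", "Doe")

if __name__ == "__main__":
    for candidate in ("Tr1ckyRiver#9", "Short1!", "JaneRocks2024"):
        print(candidate, "->", check_password(candidate, *SAMPLE_USER) or "OK")
```

The sharing, 90-day change and compromise-reporting rules in the list are procedural and are not something a string check can enforce.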

How do I change my password in the IAM Service?

Users can change their own password by selecting "Change Password" from the User Profile menu in the top right corner after logging in.

Review the Password Policy requirements and enter your Current Password. When you begin typing your "New" password, you will see an error message "Password Does Not Meet Requirements" (in red) displayed at the bottom of the screen.  This is normal until you have fulfilled all the requirements of the password policy (length, case, number).

Once you have entered a password that meets the Password Policy requirements, all of the requirements under “Your new password MUST be:” will turn green. You can now click save and your password is now updated.

Note: Please do not use password manager extensions to autofill the password, as this may cause issues when setting the new password. Manually type your current and new passwords in the respective fields.

May I change my password at any time?

Yes, passwords can be changed at any time, but for employees they must be changed at least every ninety (90) days. For students, the password expiration feature may optionally be turned on if the LEA wishes.

Will I be notified that my password is about to expire?

Password change notifications will begin ten (10) days prior to a user’s password expiration. Within the 10-day window, each time a user logs into the IAM Service they will receive a pop-up notifying them their password will soon expire and they will be prompted to update their password. Users will continue to receive this notification until the password has been reset. Failure to change your password during this 10-day period will result in the user being prevented from further logins until they complete a password reset, which will be required by the IAM Service the next time the user tries to login.

What should I do if I forgot my password?

If you forgot your password, you can reset it using the IAM Service's "Password Reset" functionality:

  1. Go to my.ncedcloud.org

  2. Click the "Password Reset" link

  3. Enter your username and check the "I'm not a robot" box

  4. You'll then be asked to answer some of your challenge questions

  5. Next you can set a new password, and you're good for another 90 days until it expires

  6. Return to my.ncedcloud.org and proceed with your usual NCEdCloud activities

If the above steps are unsuccessful, please reach out to your school's Technology Support team for assistance with having your password reset.

How do I change my password if it's already EXPIRED?

You will be prompted to change your password on your next login if your password has already expired.

When do new employees change their passwords?

When a new employee claims their IAM account they will be forced to set an initial password. They will be prompted to change their password beginning 80 days (10-day notice) after they set their initial password.

Are students forced to change their passwords?

At this time, students are not required to change their passwords, however, it is a good practice to request they change their passwords at least yearly.  Additionally, LEA Administrators have the ability to regenerate the DEFAULT passwords of students for a single user, their entire PSU, by School (Campus Code), or by Grade (for the entire PSU or within a School). Please reach out to your local district “LEA Administrator” or IT team for assistance with regenerating new Student default passwords.

Are user passwords assigned or can I choose my own?

All users (both employees and students) have a default password that is randomly generated for that specific user when their account is created.  However, employees (and potentially secondary students) won't actually use their default password as they will set a new password when they claim their account.

For secondary students (grade 6 and higher) the PSU may optionally have those students claim their own accounts, OR the teachers may directly distribute the student usernames (pupil numbers) and default passwords.  To claim their own account, a secondary student would need their pupil number, grade, birthday in YYYYMMDD format, and the LEA code of their PSU.  When they start the process, they will be asked to choose and set their password. To complete the account claiming process (or during their first login if the account is not claimed), a secondary student will need to answer at least 5 challenge response questions. (See: Students: How do I claim my account?).

For primary student accounts (grades 5 and below) the PSU has the option to use Badges (QR Code login) or Pictographs - see NCEdCloud Badges and Logins for PK-5 Students.  Otherwise, teachers will need to directly distribute the student usernames (pupil numbers) and default passwords. There is no claim account process (or challenge questions) for K-5 students.

Can passwords be reused?

Password history (whether you have previously used a password), follows the North Carolina state DIT policy for password "reuse". Currently, you may not use a password that has been used in the previous 24 password changes.

Who can change user passwords?

Student passwords can be changed or reset by the student, their teachers, and by anyone with an LEA Administrator, Help Desk, or Student Help Desk role. (See the Teachers page for how to change passwords within the My Students view).

Employee passwords can be changed or reset by the employee, or anyone with the LEA Administrator or Help Desk role.  Staff with a Student Help Desk role do not have access to staff accounts.

Additionally, staff with "School" Help Desk roles can only change passwords for users in the same school (students and/or staff).

Where can I find additional information on MFA (Multi-Factor Authentication)?

Additional information on MFA can be found by clicking HERE