Information Technology Services Centre - Centralized Authentication and Directory Service (CADS)
  • Centralized Authentication and Directory Service (CADS)

    The Central Authentication and Directory Service (CADS) provides departments with an identity authentication and authorization solution through which system administrators can conveniently manage access control for their systems.

    An information system integrated with CADS connects to the university's central user database, which is authoritative and updated in real time, and gains user identity authentication and authorization for its log-in requests. CADS provides unified access control for campus-wide information systems, sparing system administrators the effort of creating and managing user accounts and access rules themselves.

     

    Available to
    Departments

     

    Service Charge and Application
    Free; application required (please refer to tab 4, CADS Application Procedures and Guidelines)

     

    Service Availability
    24 X 7

     

    Access to Service
    Please see the list of Registered IT System under CADS (via CUHK VPN / Campus Network)

     

    1. Definitions

    Term / Description

    Central Authentication and Directory Service (CADS)

    The service defined in this document. It includes the provision of user authentication and directory service through

    • CWEM computer account (computing ID and CWEM password), or
    • Staff/Student ID and CWEM password, or
    • CWEM computing ID only (in Local Authentication Mode)

    Local Authentication Mode

    This refers to an authentication mode that uses the CWEM computer account (computing ID) but not the CWEM password. Such a system has its own passwords, maintained by the IT System Owner (i.e. the department or unit); user passwords are kept locally on the user department's server.

    IT Systems

    Include both in-house developed IT applications and systems in the University.

    Lightweight Directory Access Protocol (LDAP)

    The CUHK Directory Service provides a campus-wide centralized database that contains information about students, staff, faculty and other units of the University. This service is supported by LDAP (Lightweight Directory Access Protocol). The ITSC LDAP server is an authoritative source for university data including staff/student IDs, computing IDs, e-mail addresses and other derived attributes. LDAP is used to support the Central Authentication and Directory Service. If the application for CADS is approved, ITSC will provide the IT System Owner with a mechanism to interface with the LDAP server for user authentication via the CWEM computer account.

    CWEM Computer Account (CWEM Computing ID and Password)

    The CWEM Computer Account is the computing ID used in the Central Authentication and Directory Service. The associated password is the CWEM Password. It is a unique login identifier for each person in the CUHK computing community.

     

    2. Policy Statement

    The central authentication infrastructure built by ITSC provides a unified, secure and integrated method for verifying the electronic identity of all persons in the university community. It is an essential IT security enabler for campus-wide services, systems and applications.

    Possession of a CUHK Staff or Student ID does not implicitly grant a student or staff member access to information or services. Eligibility for access depends on the person's role or status (staff/retiree, student/alumni) with the University. Unit heads, or their service owners, are responsible for establishing the access policies for their services, and must decide those policies before applying for the Central Authentication and Directory Service supported by ITSC's central authentication infrastructure.

    Use of the OnePass (CWEM) computing account or OnePass (CWEM) password for authentication is strictly prohibited without prior application to ITSC. ITSC will approve an application for CADS only if the IT System Owner can comply with the guidelines specified in tab 4, CADS Application Procedures and Guidelines. ITSC will terminate a system's use of CADS at any time if it finds any violation of the terms in this policy document.

     

    3. Responsibility

    A. Responsibility of an Individual
    1. Any person who is issued a CWEM computing account must read and agree to the set of responsibilities set forth in Computer Network - Policies & Guidelines on Access and Usage, in particular:

      4.1 To enable ITSC staff to accurately maintain information about him/her by supplying current information, including department affiliation, degree program (undergraduate or graduate), and University position (faculty, staff, graduate staff, or student).

      4.2 Not to provide false or misleading information.

      4.3 To be responsible for any and all activities initiated by his or her account.

      4.4 To be responsible for selecting a secure password for the account and for keeping that password secret at all times. Passwords should not be written down, stored online, or given to others. Passwords should never be given out to someone claiming to be an ITSC staff member; authorized ITSC staff members do not need to know an individual user's password.

    2. Many online applications now require one’s CWEM password for authentication. In order to protect one’s interests, one should observe the guidelines for setting a strong password.

    3. If users discover vulnerabilities in accessing any of the authorized information systems, they should inform ITSC. ITSC will work with the information system owner concerned to implement remedial measures. If the information system owner refuses to implement them, ITSC has the right to stop computer account access from the information system responsible.

    4. Should one suspect that his or her password has been compromised, he or she should change it immediately online at http://cai.itsc.cuhk.edu.hk/chgpwd and report the incident as documented.

     

    B. Responsibility of ITSC
    1. As the owner of the CWEM computer accounts, the ITSC will act with prudence, diligence and due care to protect the data.

    2. Unauthorized access to, collection, disclosure, modification or processing of computer account information will be forbidden or blocked by ITSC without prior notice.

     

    C. Responsibility of IT System Owner
    To use the Central Authentication and Directory Service (CADS), the IT System Owner is responsible for:
    1. Making sure that basic security measures have been implemented in their information systems that are going to connect to CADS.

    2. Providing basic security measures that include, but are not limited to, the following: encrypting all data transmitted between the information system and the CADS system, limiting the number of password trials, and forbidding any form of password storage, even temporary. Further suggestions on security measures can be found at http://www.itsc.cuhk.edu.hk/en-gb/user-trainings/information-security-best-practices.

    3. Allowing ITSC to list information about their information systems in the list of CADS-registered IT systems (via CUHK VPN / campus network).

    4. Informing the authorized users of their system that the use of their computer account information for authentication has been authorized by the ITSC.

    5. Complying with the Personal Data (Privacy) Ordinance when handling user data. A Personal Information Collection (PIC) Statement must be published in a prominent area of the information system, notifying users of the purpose(s) of collecting and using their computer account information.

    6. Maintaining a channel through which their users can enquire about their policies on using personal data. A link to the ITSC Service Desk (http://servicedesk.itsc.cuhk.edu.hk), for users to report any improper use of CWEM computer account information, must be placed on the information system.

    7. Using the user authentication mechanism provided by ITSC on the designated IT System only. 

    8. Using OnePass as the IT System landing page for OnePass enabled applications.

    9. Enforcing authorization within the IT system itself, since CADS only provides authentication and passes some attributes.

    10. Informing ITSC about the change of their IP address.

    11. Regarding systems or mobile apps developed by outsourcing vendors:
      • The departments/colleges/faculties should obtain the source code, in particular the code for authentication.
      • The systems or mobile apps must subsequently be maintained by a full-time CUHK IT staff member.
      • A Non-Disclosure Agreement (NDA) policy (via CUHK VPN / campus network) has been set, and an NDA form must be signed.
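    A login handler that puts the three baseline measures of item 2 above into practice, added here as an illustration and not ITSC's own interface code: the ldaps:// endpoint, the DN layout and the bind callable are assumptions, and the directory contents are constructed for the demo.

```python
"""Login handler for an IT system that authenticates against CADS by LDAP bind.
Added example, not ITSC's code. It shows the three baseline measures from
Responsibility C.2: encrypted transport, a cap on password trials, and no
password storage. The ldaps URL, DN layout and bind callable are assumptions."""
import hmac
import time
from typing import Callable, Dict, List, Optional, Tuple

MAX_TRIALS = 5         # assumed cap on failed trials per computing ID
LOCKOUT_SECONDS = 900  # assumed window after which failures expire

# Constructed stand-in for the directory: one CWEM computing ID and password.
DEMO_DIRECTORY = {"uid=demo1234,ou=people,dc=example,dc=edu": "correct horse battery"}


def demo_bind(url: str, dn: str, password: str) -> bool:
    """Simulates an LDAP simple bind against the constructed directory."""
    expected = DEMO_DIRECTORY.get(dn)
    return expected is not None and hmac.compare_digest(expected.encode(), password.encode())


class CadsLogin:
    def __init__(self, directory_url: str, bind: Callable[[str, str, str], bool] = demo_bind):
        # Measure 1: only an encrypted (ldaps://) endpoint is accepted.
        if not directory_url.lower().startswith("ldaps://"):
            raise ValueError("CADS bind must use an encrypted ldaps:// endpoint")
        self.directory_url = directory_url
        self.bind = bind
        self.failures: Dict[str, List[float]] = {}
        # Measure 3: the audit trail records the ID and outcome, never the password.
        self.audit: List[Tuple[str, str]] = []

    def _locked(self, computing_id: str, now: float) -> bool:
        recent = [t for t in self.failures.get(computing_id, []) if now - t < LOCKOUT_SECONDS]
        self.failures[computing_id] = recent
        return len(recent) >= MAX_TRIALS

    def authenticate(self, computing_id: str, password: str, now: Optional[float] = None) -> str:
        """Returns 'ok', 'denied' or 'locked'. The password goes straight to the
        bind and is never kept on an attribute, in a cache or in a log entry."""
        now = time.time() if now is None else now
        if self._locked(computing_id, now):  # Measure 2: cap the password trials
            self.audit.append((computing_id, "locked"))
            return "locked"
        dn = f"uid={computing_id},ou=people,dc=example,dc=edu"  # assumed DN layout
        if self.bind(self.directory_url, dn, password):
            self.failures.pop(computing_id, None)
            self.audit.append((computing_id, "ok"))
            return "ok"
        self.failures.setdefault(computing_id, []).append(now)
        self.audit.append((computing_id, "denied"))
        return "denied"
```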

     

    4. CADS Application Procedures and Guidelines

    1. Application to the use of CADS shall be submitted by the IT System Owner. The IT System Owner shall complete the CADS application form and submit it to ITSC
      • at the planning stage of the information system development; and
      • at least one month in advance before the production date of the system
    2. A CADS application must be endorsed by the Department / Unit Head and is subject to annual renewal.
    3. On applying for the service, the IT System Owner is responsible for its system security and takes on the responsibilities specified in Part C of tab 3, Responsibility.
    4. CADS will only serve systems that are connected to the campus network.
    5. The IT system must have strong physical security protection, with access limited to authorized personnel. ITSC may conduct on-site checks of compliance with physical security.
    6. An IT system using secure web communication (HTTPS) must be installed with a digital certificate that is trusted by default by popular Internet browsers, including IE, Firefox, Safari, etc.
    7. Administration of the IT system must be performed by qualified or dedicated IT staff.
    8. The IT System will be reviewed by ITSC and must pass the ITSC Vulnerability Assessment Test.
    9. The System Owner must provide ITSC with proper system documentation.
    10. After CADS use is approved by ITSC, the System Owner is encouraged to include the following on its web page:
      1. CADS logo
      2. CADS reference number (via CUHK VPN / campus network)
      3. the message "This is a CADS-registered IT System. It passed the application procedures published at http://www.itsc.cuhk.edu.hk/en-gb/all-it/information-security/centralized-authentication-and-directory-service and was approved by ITSC.".
      4. For mobile apps:
        • ITSC will publish mobile apps that have passed the assessment to the corresponding app store under the Publisher ID "The Chinese University of Hong Kong".
          iOS : Apple App Store
          Android : Google Play
        • (Advisory) For mobile app development, a web page should be created listing the supported mobile platforms and showing the proper installation steps for each, so that users are aware not to download phishing apps from unknown app stores.