The Central Authentication and Directory Service (CADS) provides departments with an identity authentication and authorization solution that lets system administrators conveniently manage access control for their systems. Authentication is done through ADFS (recommended for web applications) or LDAP.
Integrated with CADS, an information system can connect to the University's central user database, which is established and updated in real time, and enable user identity authentication and authorization for log-in requests. CADS provides unified access control for campus-wide information systems, easing the effort system administrators spend creating and managing user accounts and access rules.
Free; application required (Please refer to 4. CADS Application Procedures and Guidelines here)
24 X 7
|Central Authentication and Directory Service (CADS)||The service defined in this document. It includes the provision of user authentication and directory service through
|Local Authentication Mode||This refers to the authentication mode that makes use of the Computing ID but not the OnePass (CWEM) password. This kind of system has its own password maintained by the IT System Owners (i.e. departments and units). User passwords are maintained locally on the user department’s server.|
|IT Systems||Include both in-house developed IT applications and systems in the University.|
|OnePass Login Integration (CUHK Login via ADFS)||The OnePass (CUHK Login via ADFS) system supports the Central Authentication and Directory Service. It allows users to move between multiple applications using one set of login credentials (UPN and OnePass password) without re-authentication.
OnePass supports web-based authentication through the open standard SAML (Security Assertion Markup Language) 2.0 for integrating SSO in applications. SAML-based SSO services can be used for federated authentication with service providers.|
|Lightweight Directory Access Protocol (LDAP)||The CUHK Directory Service provides a campus-wide centralized database that contains information about students, staff, faculty and other units of the University. This service is supported by LDAP (Lightweight Directory Access Protocol). The ITSC LDAP server is an authoritative source for storing university data including staff/student IDs, Computing IDs, e-mail addresses and other derived attributes. LDAP is used to support the Central Authentication and Directory Service. If the application for CADS is approved, ITSC will provide the IT System Owner a mechanism to interface with the LDAP server for user authentication via the University computing account.|
|CUHK Computing Account||The login ID is the University ID/Computing ID/Email Address used in the Central Authentication and Directory Service. The associated password is the OnePass (CWEM) Password. It is a unique login identifier for each person in the CUHK computing community.|
The central authentication infrastructure built by ITSC provides a unified, secure and integrated method for verifying the electronic identity of all persons in the university community. It is an essential IT security enabler for campus-wide services, systems and applications.
Possession of a CUHK Staff or Student ID/Computing ID/Email Address does not implicitly grant a student or staff member access to information or services. Their eligibility for access to information or services depends on their role or status (staff/retiree, student/alumni) with the University. Unit heads, or their service owners, are responsible for establishing the access policies for their services. They have to decide the access policies before applying for the Central Authentication and Directory Service supported by the central authentication infrastructure of ITSC.
Use of a CUHK Staff or Student ID/Email Address and its OnePass (CWEM) password for authentication is strictly prohibited without prior application to ITSC. ITSC will approve an application for CADS only if the IT System Owner can comply with the guidelines as specified in tab 4 CADS Application Procedures and Guidelines here. ITSC will terminate the system's use of CADS at any time if ITSC finds any violation of the terms in this policy document.
|4.1||To enable the ITSC staff to accurately maintain information about him/her by supplying current information including department affiliation, degree program (undergraduate or graduate), and the University position (faculty, staff, graduate staff, or student).|
|4.2||Not to provide false or misleading information.|
|4.3||To be responsible for any and all activities initiated by his or her account.|
|4.4||To be responsible for selecting a secure password for his or her account and for keeping that password secret at all times. Passwords should not be written down, stored on-line, or given to others. Passwords should never be given out to someone claiming to be an ITSC staff member; authorized ITSC staff members do not need to know an individual user’s password.|
To use the Central Authentication and Directory Service (CADS), the IT System Owner is responsible for: