Central Authentication and Directory Service (CADS)
The Central Authentication and Directory Service (CADS) provides departments with an identity authentication and authorization solution through which system administrators can conveniently manage access control for their systems. Authentication is done through ADFS (recommended for web applications) or LDAP.
An information system integrated with CADS connects to the University's central user database, which is maintained and updated in real time, and gains user identity authentication and authorization for its login requests. CADS provides unified access control for campus-wide information systems, easing the system administrator's effort of creating and managing user accounts and access rules.
Central Authentication and Directory Service (CADS)
The service defined in this document. It includes the provision of user authentication and directory service through one of the following credentials:
Staff/Student ID and OnePass password; or
Staff/Student Computing ID and OnePass password; or
Staff/Student Email Address (@cuhk.edu.hk or @link.cuhk.edu.hk) and OnePass password.
Local Authentication Mode
This refers to an authentication mode that uses the Computing ID but not the OnePass password. Such a system has its own passwords, maintained by the IT System Owner (i.e. the department or unit); user passwords are kept locally on the department's server.
IT Systems
Include both in-house developed IT applications and systems in the University.
OnePass Login Integration (CUHK Login via ADFS)
The OnePass (CUHK Login via ADFS) system supports the Central Authentication and Directory Service. It allows users to move between multiple applications using one set of login credentials (UPN and OnePass password) without re-authenticating.
OnePass supports web-based authentication through the open standard SAML (Security Assertion Markup Language) 2.0 for integrating SSO into applications. SAML-based SSO can be used for federated authentication with service providers.
Lightweight Directory Access Protocol (LDAP)
The CUHK Directory Service provides a campus-wide centralized database that contains information about students, staff, faculty and other units of the University. This service is supported by LDAP (Lightweight Directory Access Protocol). The ITSC LDAP server is the authoritative source for University data, including staff/student IDs, Computing IDs, e-mail addresses and other derived attributes. LDAP is used to support the Central Authentication and Directory Service. If the application for CADS is approved, ITSC will provide the IT System Owner with a mechanism to interface with the LDAP server for user authentication via the University computing account.
CUHK Computing Account
The login ID is the University ID / Computing ID / Email Address used in the Central Authentication and Directory Service. The associated password is the OnePass Password. It is a unique login identifier for each person in the CUHK computing community.
The central authentication infrastructure built by ITSC provides a unified, secure and integrated method for verifying the electronic identity of all persons in the university community. It is an essential IT security enabler for campus-wide services, systems and applications.
Possession of a CUHK Staff or Student ID, Computing ID or Email Address does not implicitly grant a student or staff member access to information or services. Eligibility for access to information or services depends on their role or status (staff/retiree, student/alumni) with the University. Unit heads, or their service owners, are responsible for establishing the access policies for their services, and must decide these policies before applying for the Central Authentication and Directory Service supported by the central authentication infrastructure of ITSC.
Use of a CUHK Staff or Student ID/Email Address and its OnePass password for authentication is strictly prohibited without prior application to ITSC. ITSC will approve an application for CADS only if the IT System Owner can comply with the guidelines specified in tab 4, CADS Application Procedures and Guidelines. ITSC will terminate the system's use of CADS at any time if ITSC finds any violation of the terms in this policy document.
4.1
To enable ITSC staff to maintain accurate information about him or her by supplying current information, including department affiliation, degree program (undergraduate or graduate), and University position (faculty, staff, graduate staff, or student).
4.2
Not to provide false or misleading information.
4.3
To be responsible for any and all activities initiated by his or her account.
4.4
To be responsible for selecting a secure password for their account and for keeping that password secret at all times. Passwords should not be written down, stored online, or given to others. Passwords should never be given to someone claiming to be an ITSC staff member; authorized ITSC staff members do not need to know an individual user's password.
Many online applications now require one’s OnePass password for authentication. In order to protect one’s interests, one should observe the guidelines for setting a strong password.
If users discover vulnerabilities in accessing any of the authorized information systems, they should inform ITSC. ITSC will work with the information system owner concerned to implement remedial measures. If the information system owner refuses to implement them, ITSC has the right to withdraw computing account access from the responsible information system.
Should one suspect that his or her password has been compromised, he or she should change it immediately online at http://cai.itsc.cuhk.edu.hk/chgpwd and report the incident as documented.
B. Responsibility of ITSC
As the owner of the CUHK computing accounts, the ITSC will act with prudence, diligence and due care to protect the data.
Unauthorized access, collection, disclosure, modification or processing of the computer account information will be forbidden or blocked by ITSC without prior notice.
C. Responsibility of IT System Owner
To use the Central Authentication and Directory Service (CADS), the IT System Owner is responsible for:
Making sure that basic security measures have been implemented in their information systems that are going to connect to CADS.
Basic security measures include, but are not limited to, the following: encrypting all data transmitted between the information system and the CADS system, limiting the number of password attempts, and forbidding any form of password storage, even temporary. Further suggestions on security measures can be found in Information Security Best Practices.
Allowing ITSC to list their information systems among the CADS-registered IT systems (via Campus Network / CUHK VPN).
Informing the authorized users of their system that the use of their computer account information for authentication has been authorized by the ITSC.
Complying with The Personal Data (Privacy) Ordinance and the IT Security Policy for Application Systems on Personal Data Handling when handling user data. A Personal Information Collection (PIC) Statement must be published in a prominent area of the information system, notifying users of the purpose(s) of collecting and using their computer account information.
Maintaining a channel through which their users can enquire about their policies on the use of personal data. A link to the ITSC Service Desk (http://servicedesk.itsc.cuhk.edu.hk), for users to report any improper use of University computing account information, must be placed on the information system.
Using the user authentication mechanism provided by ITSC on the designated IT System only.
Using OnePass as the IT System landing page for OnePass enabled applications.
Enforcing authorization within the IT system itself, since CADS only performs authentication and passes some user attributes.
Informing ITSC about the change of their IP address.
For systems or mobile apps developed by outsourced vendors:
The departments/colleges/faculties should obtain the source code, especially the code responsible for authentication.
The systems or mobile apps must subsequently be maintained by a full-time CUHK IT staff member.
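The three baseline measures an IT System Owner must implement before connecting to CADS (encrypted transport to the directory, a cap on password attempts, and no storage of the password) are usually enforced in a thin layer in front of the directory bind. The following is an added example of such a layer, written for this page and not code from ITSC or CADS. It assumes an LDAPS simple bind against the directory; the directory URL, the user ID, the attempt limits and the `fake_bind` stand-in for the real LDAP bind are all constructed for the demonstration.

```python
"""Login guard for a CADS-connected application (added example, not ITSC code).

Enforces: transport must be ldaps:// (assumption: StartTLS on ldap:// is not
offered here); at most MAX_ATTEMPTS failed passwords per account per window,
after which the account is locked for LOCKOUT_SECONDS; the password is handed
to the bind once and never stored or logged.  The bind is injected as a
callable so the logic runs offline; fake_bind is a constructed stand-in.
"""
import hmac
import logging
import time
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Callable, Dict, List
from urllib.parse import urlparse

log = logging.getLogger("cads_login")

MAX_ATTEMPTS = 5           # password trials allowed per account in the window
WINDOW_SECONDS = 15 * 60   # failures older than this no longer count
LOCKOUT_SECONDS = 15 * 60  # how long an account stays locked after the limit


class TransportNotEncrypted(ValueError):
    """Raised when the directory URL is not an encrypted (ldaps://) endpoint."""


@dataclass
class LoginGuard:
    directory_url: str
    bind: Callable[[str, str, str], bool]      # (url, user_id, password) -> bool
    clock: Callable[[], float] = time.time     # injectable for testing
    _failures: Dict[str, List[float]] = field(default_factory=lambda: defaultdict(list))
    _locked_until: Dict[str, float] = field(default_factory=dict)

    def __post_init__(self) -> None:
        # "Encrypt all data transmitted between the information system and CADS":
        # refuse to even construct a guard pointed at a plaintext endpoint.
        if urlparse(self.directory_url).scheme.lower() != "ldaps":
            raise TransportNotEncrypted(f"refusing plaintext directory URL {self.directory_url!r}")

    def is_locked(self, user_id: str) -> bool:
        return self.clock() < self._locked_until.get(user_id, 0.0)

    def authenticate(self, user_id: str, password: str) -> str:
        """Return 'ok', 'denied' or 'locked'. The password is used once and not retained."""
        now = self.clock()
        if self.is_locked(user_id):
            log.warning("login refused for %s: account locked", user_id)
            return "locked"
        # An LDAP simple bind with a DN and an EMPTY password is an
        # "unauthenticated bind" that many servers accept; never forward one.
        if not password:
            return "denied"
        # Keep only failures still inside the sliding window.
        recent = [t for t in self._failures[user_id] if now - t < WINDOW_SECONDS]
        self._failures[user_id] = recent
        ok = self.bind(self.directory_url, user_id, password)
        del password  # nothing below this line can reach the secret
        if ok:
            self._failures.pop(user_id, None)
            log.info("login ok for %s", user_id)        # log the ID only, never the credential
            return "ok"
        recent.append(now)
        log.warning("login failed for %s (%d/%d in window)", user_id, len(recent), MAX_ATTEMPTS)
        if len(recent) >= MAX_ATTEMPTS:
            self._locked_until[user_id] = now + LOCKOUT_SECONDS
            self._failures.pop(user_id, None)
            return "locked"
        return "denied"


# Constructed stand-in for the directory server, which is the one component that
# legitimately holds credentials. A real deployment performs an LDAP simple bind
# over ldaps:// and the application never has a password table of its own.
_DEMO_DIRECTORY = {"1155000001": "correct horse battery staple"}   # constructed ID/password


def fake_bind(url: str, user_id: str, password: str) -> bool:
    expected = _DEMO_DIRECTORY.get(user_id)
    return expected is not None and hmac.compare_digest(expected, password)


def demo() -> list:
    """Walk the guard through a success, a lockout and a recovery with a fake clock."""
    t = [1_000_000.0]
    guard = LoginGuard("ldaps://ldap.example.invalid:636", fake_bind, clock=lambda: t[0])
    out = [guard.authenticate("1155000001", "correct horse battery staple")]   # ok
    for _ in range(MAX_ATTEMPTS):
        out.append(guard.authenticate("1155000001", "wrong"))                 # denied x4, then locked
    out.append(guard.authenticate("1155000001", "correct horse battery staple"))  # locked: right password refused
    t[0] += LOCKOUT_SECONDS + 1
    out.append(guard.authenticate("1155000001", "correct horse battery staple"))  # ok again
    return out


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    print(demo())
```

The guard returns a coarse decision only; the application decides what to show the user. Note that the lockout also refuses the correct password while it is in force, which is what "control the number of password trials" implies, and that the empty-password check exists because a simple bind with an empty password is not a failed login from the directory's point of view.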
Application to the use of CADS shall be submitted by the IT System Owner. The IT System Owner shall complete the CADS application form and submit it to ITSC
at the planning stage of the information system development; and
at least one month before the production date of the system.
A CADS application must be endorsed by Department / Unit Head and is subject to annual renewal.
On applying for the service, the IT System Owner is responsible for the system's security and must take on the responsibilities specified in Part C of tab 3, Responsibility.
CADS will only serve systems that are connected to the campus network.
The IT system must have strong physical security protection, with access limited to authorized personnel. ITSC may conduct on-site checks of compliance with physical security requirements.
An IT system enabled with secure web communication (https) must be installed with a digital certificate that is trusted by default in popular Internet browsers, including IE, Firefox, Safari, etc.
Administration of the IT system must be performed by qualified or dedicated IT staff.
the message “This is a CADS-registered IT System. It passed the application procedures published at https://www.itsc.cuhk.edu.hk/all-it/information-security/centralized-authentication-and-directory-service and was approved by ITSC.”.
ITSC will publish mobile apps that have passed assessment to the corresponding app store under the Publisher ID “The Chinese University of Hong Kong”.
iOS : Apple Apps Stores
Android : Google Play
(Advisory) For mobile app development, a webpage should be created listing the supported mobile platforms and showing the proper installation steps for each, so that users are aware not to download phishing apps from unknown app stores.