Using OnePass Service (CUHK Login via ADFS)

Using OnePass Service (CUHK Login via ADFS)

Before integrating with OnePass, application is required, you could find the application method, requirements, target audiences to be authenticated and the attributes released by OnePass below.

 

1. Application
  • Fill in the application form with Authentication Method: Federation through OnePass(ADFS). You also need to fill in the attributes required besides those core attributes listed in tab 4 – Attributes released by OnePass below.
  • After form submission, a reply through email would be sent to you with application no. assigned, information for vulnerability scanning and the contact of OnePass Team.
  • Contact OnePass Team if Shibboleth installation and configuration are done. OnePass Team will work with applicant for the rest of CADS application process.
2. Requirement for Using OnePass
  • Application server supports SAML 2.0
  • Web SSO Life Time on OnePass session is 480 minutes
  • HTTPS protocol must be used
  • Signing algorithm should be SHA256 for the federation
  • The application server time must be kept up-to-date and accurate. For CUHK servers, it is recommended to sync with ntp.cuhk.edu.hk
  • Logout button should be enhanced for global sign out OnePass session
3. Target Audiences to Be Authenticated
  • CUHK staff
  • CUHK student
  • CUHK Alumni graduated in/after 2015 (Alumni graduated before 2015 will be imported into AD before Q3 2017 and requires to change password once)
  • Project account

OnePass Service handles the authentication to the above audiences, authorization should be done at applications. E.g. if your application only allows CUHK staff to access, you need to filter out other audiences, a simply way is get the eduPersonAffiliation (see below) attribute for filtering.

4. Attributes released by OnePass
  • Core Attributes (The attributes are released by default)

AttributeID SAML 2 Names Value from AD Example
NameID  urn:oasis:names:tc:SAML:2.0:nameid-format:persistent UserPrincipalName peterchan@cuhk.edu.hk (Staff)
1188123456@link.cuhk.edu.hk (Student / Alumni)
objectGUID urn:oid:1.2.840.113556.1.4.2 objectGUID
(unique key of user)
kzGVAByOYki4z7CdR2yecA==
(base64 encoded)
eduPersonAffiliation urn:oid:1.3.6.1.4.1.5923.1.1.1.1 Generated from OU and categorycode staff;member (Staff)
student;member (Students)
member (Projects)
alum (Alumni)
student;alum;member (Alumni also a student)
displayName urn:oid:2.16.840.1.113730.3.1.241 displayName Peter Chan (for student)
Peter Chan(Dept) (for staff)

  • Additional attributes (upon request)

AttributeID SAML 2 Names Value from AD Example
employeeNumber urn:oid:2.16.840.1.113730.3.1.3 universityid 345678 (for staff)
1188123456 (for student)
surname urn:oid:2.5.4.4 sn Chan (Available for staff and student only)
givenName urn:oid:2.5.4.42 givenName Tai Man (Available for staff and student only)
mail urn:oid:0.9.2342.19200300.100.1.3 mail alias@cuhk.edu.hk or alias@dept.cuhk.edu.hk (Staff)
StudentID@link.cuhk.edu.hk or alias@link.cuhk.edu.hk (Student)
alias@link.cuhk.edu.hk (Alumni) **

For more information about the specifics of the attributes released, please contact OnePass Team.

** Alumni are required to complete the opt in procedures to have a valid @Link email address here i.e. NOT in the format of AlumniID@link.cuhk.edu.hk.