Using OnePass Service (CUHK Login via ADFS)

Before integrating with OnePass, application is required, you could find the application method, requirements, target audiences to be authenticated and the attributes released by OnePass below.


  • Fill in the application form with Authentication Method: Federation through OnePass(ADFS). You also need to fill in the attributes required besides those core attributes listed in tab 4 – Attributes released by OnePass below.
  • After form submission, a reply through email would be sent to you with application no. assigned, information for vulnerability scanning and the contact of OnePass Team.
  • Contact OnePass Team if Shibboleth installation and configuration are done. OnePass Team will work with applicant for the rest of CADS application process.
  • Application server supports SAML 2.0
  • Web SSO Life Time on OnePass session is 480 minutes
  • HTTPS protocol must be used
  • Signing algorithm should be SHA256 for the federation
  • The application server time must be kept up-to-date and accurate. For CUHK servers, it is recommended to sync with
  • Logout button should be enhanced for global sign out OnePass session
  • CUHK staff
  • CUHK student
  • CUHK Alumni graduated in/after 2015 (Alumni graduated before 2015 will be imported into AD before Q3 2017 and requires to change password once)
  • CUHK eligible users e.g. Project Account

OnePass Service handles the authentication to the above audiences, authorization should be done at applications. E.g. if your application only allows CUHK staff to access, you need to filter out other audiences, a simply way is get the eduPersonAffiliation (see below) attribute for filtering.

  • Core Attributes (The attributes are released by default)
    • such as Email Address, Role (Staff/Student/Alumni), Display Name
  • Additional attributes
    • Upon request and requires approval

For more information about the specifics of the attributes released, please contact ITSC Service Desk.