Integration with OnePass on Other Servers (CUHK Login via ADFS)

Information included on this page will help you to install and use Shibboleth for authentication and integration with OnePass on an Linux or Windows or other servers.

Integration with OnePass – Others

Service Provider using SaaS or the platforms other from Linux and Windows

1. Requirements & Configuration

Support SAML 2.0
SSL enabled
Signing algorithm should be SHA256 for the federation
The application server time must be kept up-to-date and accurate
Metadata must be signed
Change Session lifetime=”28800” timeout=”1200”
Update SSO entityID to OnePass entityIDs on UAT / Production environments
UAT: http://stsu.itsc.cuhk.edu.hk/adfs/services/trust
Production: http://sts.cuhk.edu.hk/adfs/services/trust
Update MetadataProvider to OnePass UAT / Production environments
UAT: https://stsu.itsc.cuhk.edu.hk/federationmetadata/2007-06/federationmetadata.xml
Production: https://sts.cuhk.edu.hk/federationmetadata/2007-06/federationmetadata.xml
Logout button should be enhanced for global sign out OnePass session

2. Attributes Mapping

Core Attributes (The attributes are released by default)

AttributeID	Reference for Attributes Mapping
NameID	<Attribute name=”urn:oasis:names:tc:SAML:2.0:nameid-format:persistent” id=”NameID”/>
objectGUID	<Attribute name=”urn:oid:1.2.840.113556.1.4.2″ id=”objectGUID”/>
eduPersonAffiliation	<Attribute name=”urn:oid:1.3.6.1.4.1.5923.1.1.1.1″ id=”unscoped-affiliation”> <AttributeDecoder xsi:type=”StringAttributeDecoder” caseSensitive=”false”/> </Attribute>
displayName	<Attribute name=”urn:oid:2.16.840.1.113730.3.1.241″ id=”displayName”/>

Additional attributes (upon request)

AttributeID	SAML 2 Names
employeeNumber	<Attribute name=”urn:oid:2.16.840.1.113730.3.1.3″ id=”employeeNumber”/>
surname	<Attribute name=”urn:oid:2.5.4.4″ id=”sn”/>
givenName	<Attribute name=”urn:oid:2.5.4.42″ id=”givenName”/>

Restart shibboleth service after configuration, and check any error at C:\opt\shibboleth-sp\var\log\shibboleth\

3. Integration Work with OnePass Team

Provide your CADS no. to OnePass Team
The entity ID of your application
Provide Service Provider Metadata URL, must be accessible from campus network 137.189.8.0/24 and signed
The core attributes would be passed to your application by default, additional attributes need by request
Include OnePass Logout URL plus your application logout together for your logout button
UAT environment: https://stsu.itsc.cuhk.edu.hk/adfs/ls/?wa=wsignout1.0
Production environment: https://sts.cuhk.edu.hk/adfs/ls/?wa=wsignout1.0
OnePass team would import your metadata and have configuration on OnePass Testing platform, email notification with testing accounts would be sent to you once ready for test
Test completion, vulnerability scanning must be pass before migrating to OnePass Production environment