An application is required before integrating with OnePass. The application method, the requirements, the target audiences to be authenticated and the attributes released by OnePass are described below.
Fill in the application form with Authentication Method: Federation through OnePass (ADFS). You also need to list any attributes you require in addition to the core attributes listed in tab 4 – Attributes released by OnePass below.
After the form is submitted, you will receive a reply by email with the assigned application number, information on vulnerability scanning and the contact details of the OnePass Team.
Contact the OnePass Team once Shibboleth installation and configuration are done. The OnePass Team will work with the applicant on the rest of the CADS application process.
2. Requirement for Using OnePass
The application server must support SAML 2.0
The Web SSO lifetime of a OnePass session is 480 minutes
HTTPS protocol must be used
Signing algorithm should be SHA256 for the federation
The application server time must be kept up-to-date and accurate. For CUHK servers, it is recommended to sync with ntp.cuhk.edu.hk
The logout button should be enhanced to perform a global sign-out of the OnePass session
3. Target Audiences to Be Authenticated
CUHK alumni who graduated in/after 2015 (alumni who graduated before 2015 will be imported into AD before Q3 2017 and are required to change their password once)
CUHK eligible users, e.g. Project Account
The OnePass Service handles authentication for the above audiences; authorization must be done by the application. For example, if your application only allows CUHK staff to access it, you need to filter out the other audiences. A simple way is to filter on the eduPersonAffiliation attribute (see below).
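The affiliation filter suggested above could look like the following added example (not OnePass or ITSC code). It assumes a Python WSGI application behind the Shibboleth SP, that the SP exports the attribute under the variable name `unscoped-affiliation`, and that staff are identified by the value `staff`; all three are assumptions to confirm against your own setup.

```python
import re

# Assumption: the Shibboleth SP exports eduPersonAffiliation as the request
# environment variable "unscoped-affiliation". Use the id that your own
# attribute-map.xml assigns to the attribute.
AFFILIATION_VAR = "unscoped-affiliation"

# Assumption: staff carry the value "staff"; confirm the values OnePass
# actually releases with the OnePass Team.
ALLOWED_AFFILIATIONS = frozenset({"staff"})


def split_values(raw):
    """Split a Shibboleth multi-valued attribute string into its values."""
    # The SP joins values with ';' and writes a literal ';' as a
    # backslash followed by ';', so split only on unescaped semicolons.
    if not raw:
        return []
    parts = re.split(r"(?<!\\);", raw)
    return [p.replace("\\;", ";").strip() for p in parts if p.strip()]


def is_authorized(environ, allowed=ALLOWED_AFFILIATIONS):
    """Return True only if an allowed affiliation is present (fail closed).

    Only the SP-set environment variable is read. The HTTP_* header form is
    ignored because request headers can be supplied by the client.
    """
    values = {v.lower() for v in split_values(environ.get(AFFILIATION_VAR))}
    return bool(values & allowed)


def guard(app, allowed=ALLOWED_AFFILIATIONS):
    """WSGI middleware: authenticated but unauthorized users get 403."""
    def wrapped(environ, start_response):
        if is_authorized(environ, allowed):
            return app(environ, start_response)
        start_response("403 Forbidden", [("Content-Type", "text/plain")])
        return [b"Your account is not permitted to use this application.\n"]
    return wrapped
```

A missing or empty attribute is treated as "not authorized", so a misconfigured attribute release denies access instead of opening the application to every OnePass audience.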
4. Attributes released by OnePass
Core Attributes (The attributes are released by default)
such as Email Address, Role (Staff/Student/Alumni), Display Name
Upon request and requires approval
For more information about the specifics of the attributes released, please contact ITSC Service Desk.