Central Authentication and Directory Service (CADS)

The Central Authentication and Directory Service (CADS) provides departments with an identity authentication and authorization service through which system administrators can manage access control for their systems. Authentication is performed through ADFS (recommended for web applications) or LDAP.

An information system integrated with CADS connects to the University's central user database, which is maintained and updated in real time, and can authenticate and authorize users at log-in. CADS thus provides unified access control for campus-wide information systems and spares system administrators the effort of creating and managing their own user accounts and access rules.

Available to

Departments

Service Charge and Application

Free; application required (please refer to tab 4, CADS Application Procedures and Guidelines)

Service Availability

24 X 7

Access to Service

Please see the list of Registered IT Systems under CADS (accessible via the campus network or CUHK / SSL VPN, with CUHK Login)

 

Terms and Descriptions

Central Authentication and Directory Service (CADS)
  The service defined in this document. It includes the provision of user authentication and directory service through
  • Staff/Student ID and OnePass (CWEM) password, or
  • Staff/Student Computing ID and OnePass (CWEM) password, or
  • Staff/Student Email Address (@cuhk.edu.hk or @link.cuhk.edu.hk) and OnePass (CWEM) password.

Local Authentication Mode
  The authentication mode that makes use of the Computing ID but not the OnePass (CWEM) password. Such a system keeps its own passwords, which are maintained by the IT System Owner (i.e. the department or unit) locally on the department's server.

IT Systems
  Both in-house developed IT applications and systems in the University.

OnePass Login Integration (CUHK Login via ADFS)
  OnePass (CUHK Login via ADFS) supports the Central Authentication and Directory Service. It allows users to move between multiple applications with one set of login credentials (UPN and OnePass password) without re-authenticating.

  OnePass supports web-based authentication through the open standard SAML (Security Assertion Markup Language) 2.0 for integrating SSO into applications. SAML-based SSO can also be used for federated authentication with service providers.

Lightweight Directory Access Protocol (LDAP)
  The CUHK Directory Service provides a campus-wide centralized database containing information about students, staff, faculty and other units of the University. The service is supported by LDAP. The ITSC LDAP server is the authoritative source for University data, including staff/student IDs, Computing IDs, e-mail addresses and other derived attributes, and is used to support the Central Authentication and Directory Service. If an application for CADS is approved, ITSC will provide the IT System Owner with a mechanism to interface with the LDAP server for user authentication via the University computing account.

CUHK Computing Account
  The login ID (University ID / Computing ID / Email Address) used in the Central Authentication and Directory Service, together with the associated OnePass (CWEM) password. It is a unique login identifier for each person in the CUHK computing community.

The central authentication infrastructure built by ITSC provides a unified, secure and integrated method for verifying the electronic identity of all persons in the university community. It is an essential IT security enabler for campus-wide services, systems and applications.

Possession of a CUHK Staff or Student ID, Computing ID or Email Address does not by itself grant a student or staff member access to any information or service. Eligibility for access depends on the person's role or status with the University (staff/retiree, student/alumni). Unit heads, or their service owners, are responsible for establishing the access policies for their services, and must decide those policies before applying for the Central Authentication and Directory Service supported by ITSC's central authentication infrastructure.

Use of the CUHK Staff or Student ID / Email Address and the OnePass (CWEM) password for authentication is strictly prohibited without prior application to ITSC. ITSC approves a CADS application only if the IT System Owner can comply with the guidelines specified in tab 4, CADS Application Procedures and Guidelines. ITSC may terminate a system's use of CADS at any time if it finds any violation of the terms in this policy document.

 

A. Responsibility of an Individual

  1. Any person who is issued a CUHK computing account must read and agree to the responsibilities set forth in Computer Network – Policies & Guidelines on Access and Usage, in particular:
    4.1 To enable ITSC staff to maintain accurate information about him or her by supplying current information, including department affiliation, degree programme (undergraduate or graduate) and University position (faculty, staff, graduate staff or student).
    4.2 Not to provide false or misleading information.
    4.3 To be responsible for any and all activities initiated through his or her account.
    4.4 To be responsible for selecting a secure password for the account and for keeping that password secret at all times. Passwords should not be written down, stored online or given to others. Passwords should never be given out to someone claiming to be an ITSC staff member; authorized ITSC staff do not need to know an individual user's password.
  2. Many online applications now require one's OnePass (CWEM) password for authentication. To protect one's own interests, one should observe the guidelines for setting a strong password.
  3. Users who discover vulnerabilities in accessing any authorized information system should inform ITSC. ITSC will work with the information system owner concerned to implement remedies. If the information system owner refuses to implement them, ITSC has the right to withdraw computing-account authentication from that information system.
  4. Should one suspect that his or her password has been compromised, he or she should change it immediately online at http://cai.itsc.cuhk.edu.hk/chgpwd and report the incident as documented.

B. Responsibility of ITSC

  1. As the owner of the CUHK computing accounts, the ITSC will act with prudence, diligence and due care to protect the data.
  2. Unauthorized access, collection, disclosure, modification or processing of the computer account information will be forbidden or blocked by ITSC without prior notice.

C. Responsibility of IT System Owner

To use the Central Authentication and Directory Service (CADS), the IT System Owner is responsible for:

  1. Making sure that basic security measures have been implemented in the information systems that are going to connect to CADS.
  2. Such basic security measures include, but are not limited to: encrypting all data transmitted between the information system and the CADS system, limiting the number of password attempts, and never storing user passwords in any form, even temporarily. Further suggestions on security measures can be found in Information Security Best Practices.
  3. Allowing ITSC to list information about their information systems among the CADS-registered IT systems (accessible via the campus network or CUHK / SSL VPN).
  4. Informing the authorized users of their system that the use of their computing account information for authentication has been authorized by ITSC.
  5. Complying with the Personal Data (Privacy) Ordinance and the IT Security Policy for Application Systems on Personal Data Handling when handling user data. A Personal Information Collection (PIC) Statement must be published in a prominent area of the information system, notifying users of the purpose(s) of collecting and using their computing account information.
  6. Maintaining a channel through which their users can enquire about their policies on the use of personal data. A link to the ITSC Service Desk (http://servicedesk.itsc.cuhk.edu.hk), for users to report any improper use of University computing account information, must be placed on the information system.
  7. Using the user authentication mechanism provided by ITSC on the designated IT System only.
  8. Using OnePass as the IT System landing page for OnePass-enabled applications.
  9. Enforcing authorization within the IT system itself, since CADS only authenticates users and passes selected attributes.
  10. Informing ITSC of any change to their IP address.
  11. For systems or mobile apps developed by outsourcing vendors:
    1. The department/college/faculty should obtain the source code, in particular the code responsible for authentication.
    2. The system or mobile app must subsequently be maintained by a full-time CUHK IT staff member.
    3. A Non-Disclosure Agreement (NDA) policy has been set and an NDA form must be signed.
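The owner-side requirements above fit together as a single login path: limit password attempts per account, pass the password straight to the central service without retaining it, and then decide authorization locally, because CADS only answers whether the credential is valid and hands back directory attributes while eligibility still depends on the user's role or status (staff/retiree, student/alumni). The following Python example is added here to show that path; it is not ITSC's code and not part of the original page. The lockout thresholds, the access policy, the resource names, the login IDs and the in-memory directory standing in for the real LDAP bind or ADFS response are all constructed for illustration.

```python
import hmac
import time
from dataclasses import dataclass, field

# Assumed policy parameters (not taken from the CADS page): lock an account
# after 5 consecutive failed attempts, for 15 minutes.
MAX_ATTEMPTS = 5
LOCKOUT_SECONDS = 15 * 60


@dataclass
class AuthResult:
    """What the central service returns: a yes/no plus directory attributes."""
    ok: bool
    attributes: dict = field(default_factory=dict)


@dataclass
class Decision:
    granted: bool
    reason: str
    session: dict = field(default_factory=dict)   # never holds the password


class AttemptLimiter:
    """Per-account failed-attempt counter with a lockout window."""

    def __init__(self, max_attempts=MAX_ATTEMPTS, lockout=LOCKOUT_SECONDS,
                 clock=time.monotonic):
        self.max_attempts = max_attempts
        self.lockout = lockout
        self.clock = clock
        self._failures = {}   # login_id -> (consecutive failures, time of last one)

    def is_locked(self, login_id):
        count, last = self._failures.get(login_id, (0, 0.0))
        if count < self.max_attempts:
            return False
        if self.clock() - last >= self.lockout:
            self._failures.pop(login_id, None)   # lockout window has expired
            return False
        return True

    def record_failure(self, login_id):
        count, _ = self._failures.get(login_id, (0, 0.0))
        self._failures[login_id] = (count + 1, self.clock())

    def reset(self, login_id):
        self._failures.pop(login_id, None)


# Constructed stand-in for the central authenticator (an LDAP bind or an
# ADFS/SAML response in a real deployment). Every entry here is made up.
_FAKE_DIRECTORY = {
    "s1155000001": ("correct-horse-battery", {"status": "student", "dept": "CSE"}),
    "staff0001":   ("tr0ub4dor&3",           {"status": "staff",   "dept": "ITSC"}),
    "alum0002":    ("open-sesame",           {"status": "alumni",  "dept": "ENG"}),
}


def fake_central_authenticate(login_id, password):
    """Constructed replacement for the real directory check, so the example runs offline."""
    entry = _FAKE_DIRECTORY.get(login_id)
    if entry is None:
        return AuthResult(False)
    stored_password, attributes = entry
    # The real directory compares the bind password itself; this table only
    # exists so the example has something to authenticate against.
    if hmac.compare_digest(stored_password.encode(), password.encode()):
        return AuthResult(True, dict(attributes))
    return AuthResult(False)


# Assumed access policy: which statuses may reach which resource. The statuses
# come from the CADS page; the resource names are invented for the example.
ACCESS_POLICY = {
    "course-enrolment": {"student"},
    "staff-portal": {"staff", "retiree"},
    "alumni-directory": {"alumni", "staff"},
}


def login(login_id, password, resource, limiter,
          authenticate=fake_central_authenticate, policy=ACCESS_POLICY):
    if limiter.is_locked(login_id):
        return Decision(False, "account temporarily locked")
    if not password:
        # Never forward an empty password: with LDAP simple bind a DN plus an
        # empty password is an unauthenticated bind that some servers accept.
        return Decision(False, "empty password")
    result = authenticate(login_id, password)   # password goes straight to the central service
    if not result.ok:
        limiter.record_failure(login_id)
        return Decision(False, "authentication failed")
    limiter.reset(login_id)
    # Authentication succeeded; authorization remains the system owner's job.
    status = result.attributes.get("status")
    if status not in policy.get(resource, set()):
        return Decision(False, f"authenticated but '{status}' is not permitted on {resource}")
    session = {"login_id": login_id, "attributes": result.attributes}   # no password stored
    return Decision(True, "ok", session)
```

The call to the central service is isolated in one function so that the real LDAP bind or SAML response handling can replace `fake_central_authenticate` without touching the lockout or authorization logic, and the session record that the application would keep contains only the login ID and the returned attributes. The empty-password check runs before the authenticator is ever called: under LDAP simple bind, a DN accompanied by an empty password is an unauthenticated bind that some directory servers treat as a successful anonymous session, so a system that forwards it blindly would turn a missing credential into a login.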

 

  1. Applications for the use of CADS shall be submitted by the IT System Owner, who shall complete the CADS application form and submit it to ITSC
    • at the planning stage of the information system development; and
    • at least one month before the production date of the system.
  2. A CADS application must be endorsed by the Department / Unit Head and is subject to annual renewal.
  3. On applying for the service, the IT System Owner takes responsibility for the system's security and for the duties specified in Part C of tab 3, Responsibility.
  4. CADS will only serve systems that are connected to the campus network.
  5. The IT system must have strong physical security protection, with access limited to authorized personnel. ITSC may conduct onsite checks of compliance with physical security.
  6. An IT system enabled with secure web communication (https) must be installed with a digital certificate that is trusted by default in popular Internet browsers, including IE, Firefox, Safari, etc.
  7. Administration of the IT system must be performed by qualified or dedicated IT staff.
  8. The IT System will be reviewed by ITSC and has to pass the ITSC Vulnerability Assessment Test.
  9. Any IT system that will handle personal data must comply with the IT Security Policy for Application Systems on Personal Data Handling, and the system owner must have the endorsement of the related data steward(s).
  10. The System Owner must provide ITSC with proper system documentation.
  11. The System Owner should follow the guidelines set for OnePass Login Integration (CUHK Login via ADFS).
  12. After CADS use is approved by ITSC, the System Owner is encouraged to include the following on the system's web page:
    1. the CADS logo;
    2. the CADS reference number (via CUHK VPN / campus network);
    3. the message “This is a CADS-registered IT System. It passed the application procedures published at https://www.itsc.cuhk.edu.hk/all-it/information-security/centralized-authentication-and-directory-service and was approved by ITSC.”
    4. For mobile apps:
      • ITSC will publish mobile apps that have passed the assessment to the corresponding app store under the publisher ID “The Chinese University of Hong Kong”.
        iOS : Apple App Store
        Android : Google Play
      • (Advisory) For mobile app development, a web page should be created listing the supported mobile platforms and showing the proper installation steps for each, so that users are aware not to download phishing apps from unknown app stores.