LLMpedia: The first transparent, open encyclopedia generated by LLMs

CERN SSO

Generated by GPT-5-mini
Note: This article was automatically generated by a large language model (LLM) from purely parametric knowledge (no retrieval). It may contain inaccuracies or hallucinations. This encyclopedia is part of a research project currently under review.
Article genealogy: parent article EOS (CERN), hop 5.
Expansion funnel: 83 extracted → 0 after dedup → 0 after NER → 0 enqueued.
CERN SSO (infobox)
Name: CERN Single Sign-On
Caption: CERN computing logo
Formation: 1999
Type: Authentication service
Headquarters: Geneva
Region served: Worldwide
Parent organization: European Organization for Nuclear Research

CERN SSO is the centralized authentication infrastructure used by the European Organization for Nuclear Research to provide identity, access and session management across computing resources and services. It enables researchers, staff and collaborators from institutions such as University of Oxford, Massachusetts Institute of Technology, Stanford University, Imperial College London and member states to access applications like ATLAS experiment, CMS experiment, LHCb experiment, ALICE experiment and administrative systems with a single set of credentials. The service interfaces with external federations and providers including eduGAIN, InCommon, GEANT and national identity providers from countries such as France, Germany, Italy, Switzerland and United States.

Overview

CERN's centralized sign-on was developed to unify authentication for projects ranging from accelerator control systems used at Large Hadron Collider to data analysis frameworks relied upon by collaborations including ATLAS Collaboration and CMS Collaboration. The system issues session tokens and manages authentication flows for web applications, command-line tools, grid middleware like gLite and cloud platforms such as OpenStack and Kubernetes. It supports identity attributes needed by services like CERN Document Server, Indico, E-groups and CERN Box while connecting to external identities from institutions like École Polytechnique Fédérale de Lausanne, Johannes Gutenberg University Mainz and CERN Users’ Office records.

Authentication and Technology

CERN's authentication stack combines standards and bespoke components, leveraging protocols including SAML 2.0, OAuth 2.0, OpenID Connect and legacy mechanisms used by Kerberos and X.509 certificate infrastructures. It integrates with token services, two-factor authentication solutions such as U2F and TOTP apps, and hardware tokens issued by partner organizations like Yubico. Backend identity stores interoperate with databases and directory services such as LDAP and integrate with orchestration tools used by Docker and Ansible. Session management relies on secure cookie handling and token lifecycle policies informed by best practices from OWASP and cryptographic libraries used by projects like OpenSSL.
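The paragraph above mentions OAuth 2.0 / OpenID Connect tokens, secure session handling and token lifecycle policies without showing what a lifecycle check looks like. The following is an added illustration, not CERN's code and not taken from this article: a minimal HS256 session-token issuer and verifier in the JWT layout, using only the Python standard library. The issuer URL, audience name, key and timestamps are constructed placeholders. The verifier pins the algorithm (rejecting "none" and algorithm substitution), checks the signature before trusting any claim, and then enforces issuer, audience, not-before and expiry with a small clock-skew allowance.

```python
"""Added example: issue and verify an HS256 session token with lifecycle checks.
All keys, names and times below are constructed for the demonstration."""
import base64
import hashlib
import hmac
import json
from typing import Optional, Tuple

ISSUER = "https://sso.example.invalid"   # assumed placeholder issuer URL
AUDIENCE = "indico-demo"                 # assumed placeholder audience (client id)
KEY = b"constructed-demo-hmac-key"       # constructed; a real deployment uses a managed secret


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(key: bytes, subject: str, now: int, ttl: int = 900,
                issuer: str = ISSUER, audience: str = AUDIENCE) -> str:
    """Create header.claims.signature with a 15 minute default lifetime."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": issuer, "aud": audience, "sub": subject,
              "iat": now, "nbf": now, "exp": now + ttl}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_token(key: bytes, token: str, now: int, leeway: int = 30,
                 issuer: str = ISSUER, audience: str = AUDIENCE
                 ) -> Tuple[str, Optional[dict]]:
    """Return ("ok", claims) or (reason, None). Signature is checked before claims."""
    parts = token.split(".")
    if len(parts) != 3:
        return "malformed", None
    header_b64, claims_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        sig = _b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError):
        return "malformed", None
    # Pin the algorithm: never let the token choose (rejects "none" and downgrades).
    if header.get("alg") != "HS256":
        return "unexpected algorithm", None
    expected = hmac.new(key, f"{header_b64}.{claims_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return "bad signature", None
    claims = json.loads(_b64url_decode(claims_b64))
    if claims.get("iss") != issuer:
        return "wrong issuer", None
    if claims.get("aud") != audience:
        return "wrong audience", None
    if now + leeway < claims.get("nbf", 0):
        return "not yet valid", None
    if now - leeway >= claims.get("exp", 0):
        return "expired", None
    return "ok", claims


if __name__ == "__main__":
    t0 = 1_700_000_000
    tok = issue_token(KEY, "alice", t0)
    print(verify_token(KEY, tok, t0 + 60)[0])      # ok
    print(verify_token(KEY, tok, t0 + 2000)[0])    # expired
```

Because the signature is verified before any claim is read, a forged or tampered token never reaches the issuer, audience or expiry checks, and the 30 second leeway models the clock skew tolerated between an identity provider and the services that consume its tokens.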

Account Management and Policies

Account provisioning follows administrative workflows coordinated with groups such as Human Resources Department at CERN, external collaboration boards like those governing ATLAS Collaboration and CMS Collaboration, and national representatives from CERN Council. Identity lifecycle covers onboarding, affiliation changes, suspension and termination, and is governed by policies aligned with agreements among member states including Treaty of Versailles (1919)-era successor arrangements in international organization governance contexts. Role-based and attribute-based access control models determine privileges for services like CERN Control Centre and research computing clusters used by High Energy Physics groups.
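The lifecycle states and the role- and attribute-based access control described above can be made concrete with a small policy evaluator. The code below is an added example written for this article; it is not CERN's access-control implementation, and the resource names, e-group names, roles and identities are constructed placeholders. It shows the ordering a practitioner wants: the account lifecycle gate (status, affiliation validity) is evaluated first, so a suspended or terminated account is denied regardless of its roles, and the default outcome when no rule matches is deny.

```python
"""Added example: lifecycle-gated RBAC/ABAC decision, default deny.
Resources, e-groups, roles and identities are constructed for the demonstration."""
from dataclasses import dataclass, field
from typing import FrozenSet, Tuple

@dataclass(frozen=True)
class Identity:
    username: str
    status: str                      # "active", "suspended" or "terminated"
    affiliation_expires: int         # unix time after which the affiliation lapses
    roles: FrozenSet[str] = field(default_factory=frozenset)
    egroups: FrozenSet[str] = field(default_factory=frozenset)

@dataclass(frozen=True)
class Rule:
    resource: str
    action: str
    any_role: FrozenSet[str] = frozenset()    # RBAC component
    any_egroup: FrozenSet[str] = frozenset()  # ABAC component (group membership attribute)

# Constructed policy: an identity matches a rule if it holds any listed role
# or belongs to any listed e-group for that resource/action pair.
POLICY = (
    Rule("control-centre-console", "operate", any_role=frozenset({"accelerator-operator"})),
    Rule("analysis-cluster", "submit",
         any_egroup=frozenset({"demo-experiment-users", "demo-computing-staff"})),
    Rule("analysis-cluster", "admin", any_role=frozenset({"cluster-admin"})),
)

def authorize(identity: Identity, resource: str, action: str, now: int) -> Tuple[bool, str]:
    """Decide access; the lifecycle gate runs before any role or attribute lookup."""
    if identity.status != "active":
        return False, f"account is {identity.status}"
    if now >= identity.affiliation_expires:
        return False, "affiliation expired"
    for rule in POLICY:
        if rule.resource != resource or rule.action != action:
            continue
        if identity.roles & rule.any_role or identity.egroups & rule.any_egroup:
            return True, f"matched rule for {resource}:{action}"
    return False, "no matching rule (default deny)"

# Constructed sample identities.
NOW = 1_700_000_000
ALICE = Identity("alice", "active", NOW + 86_400,
                 roles=frozenset({"accelerator-operator"}),
                 egroups=frozenset({"demo-experiment-users"}))
BOB = Identity("bob", "suspended", NOW + 86_400, roles=frozenset({"cluster-admin"}))
CAROL = Identity("carol", "active", NOW - 1, egroups=frozenset({"demo-experiment-users"}))

if __name__ == "__main__":
    for who, res, act in [(ALICE, "control-centre-console", "operate"),
                          (ALICE, "analysis-cluster", "admin"),
                          (BOB, "analysis-cluster", "admin"),
                          (CAROL, "analysis-cluster", "submit")]:
        print(who.username, res, act, authorize(who, res, act, NOW))
```

Keeping the lifecycle check separate from the policy table means that suspension or termination takes effect without editing any rule, which is the property an identity lifecycle process relies on.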

Security and Privacy

The service enforces multi-factor authentication, anomaly detection, and session timeout policies informed by threat models applied to infrastructure that supports experiments such as LHC Run 2 and LHC Run 3. Privacy protections implement data minimization consistent with regulations in jurisdictions like Switzerland and European Union legislation, and data handling aligns with agreements between CERN Data Protection Officer and collaborating institutions including European Commission research units. Incident response and forensic processes coordinate with CERT teams such as SwissCERT and national CSIRTs from countries represented in CERN membership.

Integration and Services

CERN SSO interoperates with scientific computing services including CERN OpenData, EOS storage, CASTOR archival systems, batch schedulers like HTCondor and analysis tools such as ROOT. It provides single sign-on for collaboration portals like Twiki instances, meeting platforms such as Vidyo and calendaring systems synchronized with accounts from Microsoft Exchange or open-source alternatives used across research groups. Integration extends to federated identity brokering for visitors from partner labs like Fermilab, TRIUMF, DESY, KEK and J-PARC.

History and Development

Origins of the centralized sign-on trace to early web-era needs at CERN during projects such as the development of the World Wide Web and subsequent growth of distributed collaborations exemplified by LHC Computing Grid. Incremental evolutions addressed challenges posed by large-scale experiments like ATLAS and CMS between the 2000s and 2010s, adopting standards promoted by bodies including OASIS and IETF. Ongoing development involves contributions from research computing teams, collaborative work with universities like University of Cambridge and industry partners including Red Hat and Google Cloud to modernize authentication for cloud-native deployments and federated research infrastructures.

Incidents and Compliance

The service has faced operational incidents typical for identity providers, triggering responses coordinated with internal units such as CERN Computer Security Team and external authorities like national data protection agencies in France and Switzerland. Compliance activities include audits against internal policies, alignment with frameworks relevant to research organizations like ISO/IEC 27001 and cooperation with funding agencies and oversight bodies including European Research Council and Member States of CERN oversight committees. Lessons from disruptions have driven enhancements to redundancy, monitoring and cross-federation trust mechanisms used by participating entities such as European Southern Observatory and university consortia.

Categories: CERN; Single sign-on; Identity management systems