Generated by GPT-5-mini

| CERN Single Sign-On | |
|---|---|
| Name | CERN Single Sign-On |
| Developer | European Organization for Nuclear Research, IT Department (CERN) |
| Released | 2000s |
| Programming language | Java, Python, JavaScript |
| Operating system | Linux, Microsoft Windows, macOS |
| Platform | Web application, LDAP, Kerberos |
| Genre | Authentication, Identity management |
CERN Single Sign-On is the centralized identity and access management service used by the European Organization for Nuclear Research to provide unified authentication and authorization across a broad ecosystem of services, applications, and research infrastructures. It enables staff, fellows, visiting scientists, and collaborators from institutions such as the University of Oxford, the Massachusetts Institute of Technology, and École Polytechnique Fédérale de Lausanne to access resources ranging from computational clusters to collaboration platforms. The service sits at the intersection of large-scale scientific facilities and enterprise identity systems, interfacing with protocols and software such as LDAP, Kerberos, Shibboleth, and OAuth 2.0, and with federated identity initiatives.
CERN Single Sign-On provides credential management, session handling, and single authentication across systems including OpenStack, GitLab, Jenkins, Mattermost, and Indico. It supports integrations with campus identity providers such as the University of Cambridge, Harvard University, and Swiss Data Center partners, as well as research infrastructures like the Worldwide LHC Computing Grid and the Open Science Grid. The system interacts with directory services such as Active Directory and identity standards like SAML 2.0, while enabling access to services hosted on EOS (CERN's storage system), CERNBox, and HTCondor pools. It underpins collaborations with experiments including ATLAS, CMS, ALICE, and LHCb.
Development traces through milestones involving collaborations with projects and organizations such as the European Grid Infrastructure, Enabling Grids for E-sciencE (EGEE), and the Worldwide LHC Computing Grid community. Early phases aligned with standards driven by Internet Engineering Task Force working groups and implementations from vendors like Microsoft and Red Hat. Upgrades over time referenced technologies used by Facebook, Google, and Twitter for scalable authentication, and by research tools like the CERN Open Data Portal and the ROOT data analysis framework. Institutional drivers included policies from the Council of the European Union, agreements with partner laboratories like Fermilab and SLAC National Accelerator Laboratory, and technical coordination with the European Southern Observatory.
The architecture combines centralized directory backends, federated identity brokers, and reverse proxies similar to deployments built on Apache Software Foundation projects and NGINX. Core components include Lightweight Directory Access Protocol servers, token services implementing OAuth 2.0 and OpenID Connect, and SAML-based identity providers interacting with Shibboleth. Web front ends are built with frameworks such as Spring Framework, Django, and Node.js. Storage and logging integrate with systems like Elasticsearch, PostgreSQL, CERN MONIT, and Prometheus, while container orchestration uses Kubernetes and virtualization relies on VMware and KVM. The platform interoperates with research data tools such as Zenodo, Invenio, and CERNBox.
Authentication flows incorporate multi-factor options influenced by implementations from Yubico and Duo Security and by standards from the FIDO Alliance. Password policies and the credential lifecycle follow practices comparable to those at European Commission agencies and major universities, including the University of California, Berkeley. Authorization employs role-based and attribute-based models as used by Shibboleth and XACML-capable systems, enabling fine-grained access for collaborations like ATLAS and CMS and for services such as GitLab and JIRA. Integration with Kerberos enables ticket-based access to compute clusters and to the grid middleware used by CERN LHC Grid partners.
Security governance references standards and audits aligned with bodies such as ENISA and ISO/IEC 27001, and practices adopted by organizations like the European Space Agency. Threat modeling addresses risks documented by the CERT Coordination Center and mitigation patterns described in OpenID Foundation guidance. Privacy controls conform to General Data Protection Regulation provisions and involve coordination with institutional data protection officers from partners including the Université de Genève and ETH Zurich. Incident response and forensics integrate tooling and processes similar to those recommended by the SANS Institute and National Institute of Standards and Technology frameworks.
Use cases span publication platforms such as Invenio, collaborative services like the CERN Document Server, developer platforms including GitHub, and computing resources such as WLCG Tier-0, Tier-1, and Tier-2 sites. It supports authentication for event management systems employed by CERN Open Days, conference platforms tied to ICHEP and EPS-HEP, remote instrument access for facilities such as the European Synchrotron Radiation Facility, and data preservation projects coordinated with the CERN Open Data Portal and the Digital Curation Centre. Service authentication is used by experiment control rooms, shift management systems, and digital identity federations with national research and education networks like GARR, SURFnet, and DFN-AAI.
Governance is overseen by administrative units within the European Organization for Nuclear Research and coordinated with bodies such as the CERN IT Department, Accelerator Operations, and computing boards that include representatives from experiments like ATLAS and CMS. Maintenance cycles and roadmaps engage with open-source communities including the Apache Software Foundation and the Linux Foundation, and with upstream projects like Kubernetes and PostgreSQL. Policy alignment and legal frameworks involve interactions with entities such as the European Commission, national regulators, partner laboratories, and CERN Council member states.