Abstract

Until recently, CERN had been considered eligible for academic pricing of Microsoft products. Now, along with many other research institutes, CERN has been disqualified from this educational programme and faces a 20-fold increase in license costs. CERN’s current Authentication and Authorization Infrastructure, dating from 2008, comprises multiple Microsoft services, from the web Single Sign-On to the Accounts Database. Replacing these core components is an opportunity to rebuild the CERN infrastructure using the latest technologies and concepts and to respond to the evolving requirements of the community. It is also the appropriate moment to consider the alignment of CERN’s and the Worldwide LHC Computing Grid’s approaches to identity management, to create a more consistent environment for operators, developers and users. 2019 saw the launch of an Alpha version of CERN’s next-generation Authentication and Authorization Infrastructure, focusing on free and open source products and responding to the limitations experienced by the current system. We describe the new solution and focus on key changes.

Highlights

  • CERN’s Authentication and Authorization Infrastructure (AAI) enables secure authentication of approximately 60,000 users to roughly 15,000 online services, ranging from scientific platforms to financial applications

  • In 2019, CERN IT rolled out an Alpha version of a new AAI

  • The architecture of the previous authentication and authorization infrastructure at CERN is centered around Active Directory [7], which acts as a central repository for user accounts, used for authentication, and groups, used for authorization


Summary

Introduction

CERN’s Authentication and Authorization Infrastructure (AAI) enables secure authentication of approximately 60,000 users to roughly 15,000 online services, ranging from scientific platforms to financial applications. In 2019, CERN IT rolled out an Alpha version of a new AAI. It represents a dramatic shift from the previous Kerberos [1] and Microsoft-based system and brings significant advantages in usability for end-users and software maintainers, in the protection of personal data, and in the convergence of services towards token-based authorization. Instead of identifying a like-for-like replacement for the previous software stack, the following principles were adopted during the design of CERN’s new AAI: identify suitable alternatives based on use cases, not products; prioritise free and open source software; stick to standards; contribute back to the community; and stay in line with users’ and services’ requirements. After migrating services to the new SSO, a process anticipated to take several years, changing the Directory Services should be largely transparent to users and to many software maintainers.

Previous Architecture
Future Architecture
Authorization Service API
MIM and FIM
FreeIPA
Keycloak
Satosa
Key Changes