Abstract

The new CERN Single-Sign-On (SSO), built around an open source stack, has been in production for over a year and many CERN users are already familiar with its approach to authentication, either as a developer or as an end user. What is visible upon logging in, however, is only the tip of the iceberg. Behind the scenes there has been a significant amount of work taking place to migrate accounts management and to decouple Kerberos [1] authentication from legacy Microsoft components. Along the way the team has been engaging with the community through multiple fora, to make sure that a solution is provided that not only replaces functionality but also improves the user experience for all CERN members. This paper will summarise key evolutions and clarify what is to come in the future.

Highlights

  • The Malt Authentication and Authorization Project (Malt Auth) was established to migrate CERN’s Identity and Access Management system to a vendor-independent, open source, microservice architecture [2]

  • One of the major improvements is that users can choose between One Time Passwords (OTP) and WebAuthn [4] hardware tokens (YubiKey) as their second-factor authentication (2FA) option

  • A 2FA service is provided so that users with CERN accounts can configure an additional token; some applications base their access constraints on whether or not a user has authenticated with 2FA


Summary

Introduction

The Malt Authentication and Authorization Project (Malt Auth) was established to migrate CERN’s Identity and Access Management system to a vendor-independent, open source, microservice architecture [2]. It is part of the wider Malt Project [3] and is one of the most complex areas in which CERN is seeking to re-assess the IT Provisioning Strategy for core services. A new version of CERN’s SSO was released in 2019 and, as of February 2021, has over 3000 registered applications. This constitutes a significant proportion of the roughly 15000 applications that were configured on the old SSO, but it also indicates that much work remains to complete the migration. The goal for the coming years is to complete the transition and to improve the service offering along the way.

Single Sign On
LDAP and Kerberos Migration
Account Management Migration
Community Engagement
Authorization
Requests to the CERN Community
Conclusions & Next Steps