Revolution when logging into CERN: the new Single Sign-On Portal

Up to now, access to non-public CERN web applications was protected by the CERN Single Sign-On portal (CERN SSO) and required your CERN password. However, given that many people also have a computing account at their home institute, or with Facebook or Google, wouldn't it make sense to allow those accounts to be used for logging into CERN as well?

We believe it does, and therefore the CERN SSO Team has extended the SSO portal's functionality and laid the foundations for so-called "Public Accounts" and "Federated Accounts", as well as for second-factor authentication. The changes will be deployed on 21 January. You can have a sneak preview here. It is now up to you, web administrators and website owners, to take advantage of these new features and let your clients use their external accounts:

Public Accounts
Some web applications are quasi-public and only need an e-mail address as an internal handle (like the CERN Market website). Today, interested users are required to create a dedicated "lightweight" account, and many simply duplicate their Google or Facebook account. Instead, web administrators can now explicitly permit the use of external accounts such as those of Google, Facebook, Windows Live, Yahoo! or Orange. Users are in that case redirected to the corresponding identity provider to log in before they can enter the web application hosted at CERN. Note that CERN does not vet the owner of such an account: the external provider vouches only for the e-mail address, so this option is appropriate for applications where an e-mail address is all the identity you need. In the long run, this would enable us to eventually phase out lightweight accounts.

Federated Accounts
Other web applications (like the USATLAS Twiki) need to grant access not only to selected CERN people but also to others, such as BNL staff. But why should all those BNL people need to obtain a CERN account just to enter that one web application? It would be better to let them log in with their home institute account and password instead. CERN has therefore joined the discussions on so-called "Federated Identities", in order to define the trust relationships and technologies needed for Federated Identities to be used reliably and securely for logging into CERN. As a first step, a few initial federations have been established (e.g. with SWITCH), and we are looking forward to extending this number during 2013.

Two-Factor Authentication
On the other hand, if access protection for your web application is paramount (like for the Computer Security Team's internal Wiki), the new SSO portal gives you the possibility to enable "Second Factor Authentication": in addition to something your users know, such as their password, they would also need something they have with them, such as their CERN access card, a USB dongle, or a mobile phone. Only users who can present the certificate stored on their CERN access card, who can produce a one-time password with their personal USB dongle ("Yubikey"), or who can enter a dedicated 6-digit one-time code received on or generated by their registered mobile phone, would be able to log into your application. This gives additional protection to critical web services and limits the damage if a user's password has been stolen, since the password alone no longer grants access.

What do you need to do?
As a web administrator or website owner, you only need to configure the SSO portal for your site once and declare which authentication methods you allow. As a user, you need to declare your Federated Account with us (at http://account.cern.ch). Also, remember the benefits of "One-Click Authentication": instead of retyping your password, you can use your locally cached Windows or Kerberos credentials, or log in using your CERN certificate (available from the CERN Certification Authority at http://ca.cern.ch).

So you see, there is a revolution coming up. While the CERN Single Sign-On Team will deploy the foundation for second-factor authentication and the use of Public and Federated Accounts on 21 January, it is now up to you as a web administrator to take advantage of this extended functionality! We will continue to extend the list of identity-federation partners and to integrate those web applications which do not yet use CERN SSO.

For further information and details, please see the corresponding presentation given at the IT User Meeting of 8 October 2012, check the SSO web site or contact us via service-desk@cern.ch or Computer.Security@cern.ch.

by CERN Single Sign-On Team & the Computer Security Team