Description
Identity and Access Management (IAM) in a large-scale research collaboration typically serves both organisational and distributed community needs. CERN operates at this intersection, balancing local institutional requirements with those of a worldwide ecosystem of scientific partners.
This presentation will outline the evolution of CERN’s Single Sign-On platform (based on Keycloak) and the parallel development of dedicated token issuers (using INDIGO IAM) that support the WLCG token transition strategy. It will put the distinct systems in context and highlight observed trends in the adoption of token-based authentication and authorisation.
CERN’s inclusion as a foundational node in the European Open Science Cloud (EOSC) marks an important step towards deeper integration between Research Authentication and Authorisation Infrastructures (AAIs). Together with partners across Europe and beyond, we are contributing to the establishment of cross-AAI trust frameworks, breaking out of the current hierarchical model and spearheading the adoption of OpenID Federation.
This work builds on many years of collaboration through the Federated Identity Management for Research (FIM4R) initiative and the EC-funded AARC (Authentication and Authorisation for Research and Collaboration) projects. The shared investment in technical standards and policy frameworks is now reaching maturity: in 2026 we expect to see its true value as Research Collaborations begin to trust each other’s token issuers in practice.
This contribution is submitted on behalf of CERN’s Identity and Access Management (IT-PW-IAM) team in collaboration with the WLCG Authorisation Working Group, CERN’s EOSC Task Force and the AARC TREE project.