Computer Security: New Single Sign-On

One fundamental pillar of the security of CERN and its digital assets is their protection against any unauthorised access. For any web application, this protection has for a long time been centrally controlled by CERN’s Single Sign-On (SSO) webpage, which asks for your one and only CERN password. New Year 2020 brings a new look (and functionality) to the Single Sign-On page. So that you don’t mistake this new page for malicious phishing, please read on.

CERN has made a tremendous effort to centralise all CERN-hosted but also externally provided web applications (like ServiceNOW) to use this central Single Sign-On portal*: CERN SSO. This avoids you needing to recall any more than just one password for CERN (and we acknowledge that memorising passwords is not that easy, see our Bulletin article entitled “CERN Secure Password Competition“) and provides you with one central portal for all your authentication attempts into CERN. One portal to rule them all.


home.cern,Computers and Control Rooms

Unfortunately, there are also many copycat fake webpages circulating on the Internet resembling CERN’s SSO page that aim to steal your CERN password and gain unauthorised access to CERN using your own (stolen) credentials. So, if you are a security aware Internet user – and we bet you are – you might be cautious when you see the new SSO page. Remember: STOP – THINK – DON’T CLICK! In order to avoid confusing the new CERN SSO page with a fake phishing site, have a look, here it is:

The most important security feature, since the look and feel can easily be spoofed, is the URL, so check the bar at the top of your browser. As shown encircled in red in the screenshot, the URL should start with “auth.cern.ch” or, ideally, “https://auth.cern.ch”, and be accompanied by a small lock icon showing that your communication is encrypted and that the corresponding certificate is valid. Any other webpage asking for your CERN password, aside from this new one and the current “old” one, should be treated with caution and be reported to us at [email protected] Similarly, if you see any error message popping up before the SSO page displays, please let us know too.

The new SSO portal will also benefit from more login options: external researchers can use their Edugain or similar federated identity, social identities from Google, Facebook and others are recognised for certain CERN applications, and – most importantly for CERN computer security – we will soon start rolling out multi-factor authentication for some critical CERN applications, too. Stay tuned to the CERN Bulletin for more on this.

/Public Release. View in full here.