Verified Guest Accounts
Users with a Person ID are known individuals that have a relationship with CERN. Not all people with a Person ID have a CERN account (i.e. a CERN user name and password). This can be because:
- They are not currently in a contractual relationship with CERN (e.g. ex-employees)
- They are retired
- They have a status that does not give them a CERN account (e.g. some contractors)
It is possible to have a non-CERN account "verified", i.e. linked to a CERN user thereby allowing those accounts to be identified as the real person when they authenticate with SSO.
How to verify a non-CERN account
CERN users with an active account can link a non-CERN account themselves by following this Service Desk Procedure.
Service Desk can link them via a separate Service Desk Procedure - Access Restricted.
Examples
User linked account
Jane Doe is a STAF member in BE with a primary account. She has linked her guest account (created with her hotmail email address) to her Identity so that she will be able to access her tax certificates & alumni platform after her contract ends.
When she leaves CERN, her CERN account will expire but her guest account will remain. She can log in with this to get her tax certificate etc.
Service Desk linked account
Peter Doe left CERN without linking a personal account. He has no way to log in to CERN and be identified as himself.
Peter contacts the service desk, proves his identity and gets his guest account (created with a hotmail email) verified. Now he can access his tax certificate.
What is in the authentication token?
For verified non-CERN accounts, the SAML or OIDC token will contain all the usual information, with the exception of attributes that are directly linked to ownership of a CERN account, e.g. CernMailUpn.
How can I identify verified non-CERN accounts programmatically?
All verified users have a Person ID in their SSO token. If this is not enough for your use case, you may want to leverage these groups to better categorise your users:
- cern-non-active-users: contains all known users that are inactive (e.g. retirees, ex-employees, contractors without a CERN account). It includes verified non-CERN accounts.
- cern-active-users: contains active CERN users that have a CERN account.
We suggest linking these to SSO roles where appropriate.
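As an added example (not CERN's own code) of the classification above: given the decoded claims of an SSO token, it treats a Person ID as the mark of a known individual, uses the two groups to tell active from non-active users, and keys records on the Person ID rather than CernMailUpn, which verified non-CERN tokens lack. The claim names person_id and groups are assumed for illustration.

```python
# Added example, not CERN's own code. Classify a decoded SSO token's claims
# into the account kinds this page describes. The claim names "person_id" and
# "groups" are ASSUMED for illustration; use the names your SSO actually issues.
from enum import Enum

ACTIVE_GROUP = "cern-active-users"          # has a CERN account
NON_ACTIVE_GROUP = "cern-non-active-users"  # known person, no active CERN account

class UserKind(Enum):
    ACTIVE_CERN = "active CERN user"
    VERIFIED_NON_CERN = "verified non-CERN (guest) account"
    UNVERIFIED_GUEST = "unverified guest, not a known individual"

def classify(claims: dict) -> UserKind:
    """A Person ID means SSO linked this login to a known individual."""
    if not claims.get("person_id"):
        return UserKind.UNVERIFIED_GUEST
    groups = set(claims.get("groups", []))
    if ACTIVE_GROUP in groups:
        return UserKind.ACTIVE_CERN
    if NON_ACTIVE_GROUP in groups:
        return UserKind.VERIFIED_NON_CERN
    # Person ID but neither group: still a known individual; treat as
    # non-active rather than granting active-user rights by default.
    return UserKind.VERIFIED_NON_CERN

def identity_key(claims: dict) -> str:
    """Key user records on the Person ID, not on CernMailUpn: the UPN is tied to
    owning a CERN account and is absent from verified non-CERN tokens."""
    person_id = claims.get("person_id")
    if not person_id:
        raise PermissionError("token carries no Person ID; user is not verified")
    return str(person_id)

def may_fetch_tax_certificate(claims: dict) -> bool:
    """Tax certificates are for known individuals, active or not."""
    return classify(claims) is not UserKind.UNVERIFIED_GUEST

# Constructed sample claims (values are made up, not real CERN data).
JANE_AFTER_CONTRACT = {"person_id": 100001, "groups": ["cern-non-active-users"]}
JANE_ACTIVE = {"person_id": 100001, "groups": ["cern-active-users"],
               "CernMailUpn": "jane.doe@example.invalid"}
UNLINKED_GUEST = {"email": "someone@example.invalid", "groups": []}

if __name__ == "__main__":
    for name, c in [("Jane (active)", JANE_ACTIVE), ("Jane (left)", JANE_AFTER_CONTRACT),
                    ("unlinked guest", UNLINKED_GUEST)]:
        print(f"{name}: {classify(c).value}, tax cert: {may_fetch_tax_certificate(c)}")
```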