| Domain | Which research field are you serving? | Particle Physics |
| User Base | Who are your users? Are they affiliated with institutions in eduGAIN, external (e.g. guest, citizen science), or a mix? | A mixture of verified researchers (CERN account holders), and collaborators (eduGAIN, social logins) |
| Access Requirements | Does the sensitivity of your research require additional access approval mechanisms? Do you need fine-grained access control, or is basic authentication sufficient? | Fine-grained access control per service |
| Scale | How many services do you plan to connect to your AAI? Which protocols do they require? What is a realistic estimate of effort required to migrate all users and services from one AAI to another in case of a crisis? | 12,000 OIDC clients. 250 SAML service providers. |
| Existing Infrastructure | Do you have an identity provider (IdP) or group management service already? | Yes |
| Sustainability | Can you commit operational resources, or do you need a hosted service? For how long will your AAI be required? Will your available support level be able to increase with growth of participating institutes or services? | In-house technical support for the foreseeable future of the laboratory |
| Environment-specific requirements | Do you need any physical connectivity to dedicated networks? Are IT interventions restricted to fixed time windows? Do you have any other unusual requirements that may not be supported by off-the-shelf solutions? | Many. Upgrades must be performed in specific windows. Specific network requirements for experiment hardware. Truly global user base; independence from any one sovereign state is paramount. Client/service management must be self-service for trusted users. |
| Governance | Who will take responsibility for policy decisions regarding your AAI? Do they have enough authority over your research community to make high-level statements and decisions, e.g. for data protection, security policy requirements, etc.? | Clear governance model exists for the laboratory |
Chosen AAI
The best option for this laboratory was to run its own AAI. Keycloak was chosen as the core technology, with custom applications supporting CERN-specific workflows. Not all AARC guidelines are followed to date (February 2026).
...
The AAI is fully operational. Because not all AARC guidelines are fully followed, interoperability challenges are occasionally encountered and must be handled on a case-by-case basis.
...