
CERN Authentication and Authorization Services

The goal of the new CERN Authentication and Authorization Services is to provide a centralized authentication and authorization infrastructure.

The main components of the services are:

  • A Single Sign-On service, based on Keycloak, providing federated and social authentication and supporting SAML and OIDC protocols.
  • A Users Portal, where users can manage their own accounts.
  • A Group Management System (GMS), where users can define and manage access control groups and mailing lists.
  • An Applications Portal, where application owners can register their applications for Single Sign-On and configure the applications' authorization schemes.
  • A Resources Portal, where users can visualize and manage their subscriptions to IT services and list their resources.
  • The Authorization Service API, which can be used to automate the management of users, groups, resources and applications.

Several additional services are operated by the same team:

  • WLCG IAM instances, which act as OAuth token issuers for CERN experiment participants accessing grid computing.
  • Certificate Authorities, which issue digital certificates for CERN users, hosts and services.

Roadmap (updated for Q3 2025)

The roadmaps show our team's current plans, by area of activity. Each roadmap has three columns: Current (what we work on now, Q3 2025), Near-term (what we plan to work on next, Q4 2025 - Q1 2026) and Future (what we investigate).

We plan our activities quarterly. Any request for a feature not currently in our plans will be considered at the next quarterly planning.

Some of the activity headers link to the corresponding epic in our Jira project, if you want to follow the team's progress more closely.

Please note that the times given are rough estimates, and that priorities can change over time.

Single Sign On
Columns: Current (Q3 2025) | Near-term (Q4 2025 - Q1 2026) | Future

  • Upgrade to Keycloak 26
    Upgrade Keycloak (the software behind SSO) to version 26, bringing various improvements and bug fixes.
  • Improve two-factor authentication (2FA) usability
    Allow more than one registered WebAuthn hardware token, and other usability improvements.
  • Password policy update
    Enforce the new password rules for existing passwords. Users whose password is non-compliant (shorter than 15 characters, or found in a list of compromised passwords) will be prompted to change it when authenticating through SSO.
  • Enable 2FA for eduGAIN access
    Eligible CERN account holders will be prompted for their second factor when accessing eduGAIN services.
  • Upgrade to next Keycloak version
    Upgrade Keycloak (the software behind SSO) to the next version, bringing various improvements and bug fixes. Aiming for YETS 2025 (the year-end technical stop).
  • Additional Login Methods
    Add support for more login methods requested by the community (Apple ID, ORCID).
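The password policy described above (a minimum of 15 characters, and rejection of passwords that appear in a breach corpus) is shown here as an added Python example. It is not CERN's code and does not show how Keycloak enforces the rule; the k-anonymity range-lookup format (5-character SHA-1 prefix sent, list of 35-character suffixes with counts returned, as popularised by Have I Been Pwned) and the sample breach data are constructed for the example, with the well-known hash of "password" as the only real entry.

```python
"""Illustrative password-policy check: minimum length 15 and rejection of
passwords present in a breach corpus queried via SHA-1 prefix k-anonymity.

Added example, not CERN's code. The range-response format and the breach
data below are constructed for the example.
"""
import hashlib

MIN_LENGTH = 15  # minimum length stated in the roadmap

# Constructed stand-in for a remote "range" lookup: maps a 5-hex-char SHA-1
# prefix to the body such a service would return, one
# "<35-hex-char suffix>:<count>" per line. Only one prefix is populated; it
# contains the real SHA-1 of "password" (5BAA61E4...) plus two filler rows.
SAMPLE_RANGES = {
    "5BAA6": (
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\n"   # "password"
        "003D68EB55068C33ACE09247EE4C639306B:3\n"          # constructed filler
        "011053FD0102E94D6AE2F8B83D76FAF94F6:1\n"          # constructed filler
    ),
}


def lookup_range(prefix: str) -> str:
    """Stand-in for the network call. Only the 5-character prefix is sent,
    so the full hash of the candidate password never leaves the client."""
    return SAMPLE_RANGES.get(prefix.upper(), "")


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def parse_range_response(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a dict, ignoring malformed lines
    rather than trusting them."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, sep, count = line.partition(":")
        if sep != ":" or len(suffix) != 35 or not count.strip().isdigit():
            continue
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, lookup=lookup_range) -> int:
    """Number of times the password appears in the breach corpus (0 if absent)."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    return parse_range_response(lookup(prefix)).get(suffix, 0)


def check_password(password: str, lookup=lookup_range) -> list[str]:
    """Return the list of policy violations; an empty list means compliant.
    Both rules are evaluated so the user sees every problem at once."""
    violations: list[str] = []
    if len(password) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")
    seen = breach_count(password, lookup)
    if seen > 0:
        violations.append(f"found in breach corpus ({seen} occurrences)")
    return violations


if __name__ == "__main__":
    for candidate in ("password", "a long passphrase nobody leaked 2025"):
        print(repr(candidate), "->", check_password(candidate) or "compliant")
```

The lookup is deliberately keyed on the hash prefix only: the client hashes locally and the server never sees enough to recover the candidate password, which is what makes an online compromised-password check acceptable at login time.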
Groups Management System (GMS)
Columns: Current (Q3 2025) | Near-term (Q4 2025 - Q1 2026) | Future

  • Improve dynamic groups management and integrate with AIS roles
    Improve the mechanism that populates dynamic groups and integrate it with AIS roles, so that a dynamic group can be defined with a role-based criterion and a role can be populated from a GMS group.
  • Direct synchronization to Active Directory and Mail Service
    Replace the current synchronization to LDAP and the mail services so that GMS, rather than EGroups, is the source of truth. This will make it possible to remove lightweight accounts from Active Directory.
  • Migration
    Ensure that EGroups clients can migrate to the new GMS.
  • Computing Groups
    Support flagging groups as "Computing Groups", i.e. placed in a specific part of Active Directory and synchronised to Linux systems, through GMS.
  • EGroups decommissioning
    Plan and execute the EGroups decommissioning in collaboration with FAP/BC.
Resources Management
Columns: Current (Q3 2025) | Near-term (Q4 2025 - Q1 2026) | Future

  • Eligibility and Lifecycle: service integration
    Integrate OpenStack, Engineering Tools, Google Workspace and AFS into the new Resources Portal, in compliance with the Eligibility framework.
  • Eligibility and Lifecycle Templates
    Provide code templates to assist with service integration into the Resources Portal.
  • Decommission lightweight accounts
    Remove all dependencies on legacy lightweight accounts (e.g. by Mail and AD) and provide alternatives.
  • Password policy update
    Enforce the new password rules for existing passwords by ensuring that password changes are only possible via the Authorization Service API. Disable native Active Directory password changes.
  • Account Management Migration
    Complete the migration of the account management services to the new infrastructure.
  • Eligibility and Lifecycle: Resource Groups (Tenants)
    Group resources together to improve resource categorisation and cost tracking.
Certificate Authority
Columns: Current (Q3 2025) | Near-term (Q4 2025 - Q1 2026) | Future

  • Replace Hardware Security Module
    Replace the Hardware Security Module (HSM) used by the intermediate CAs, which is reaching end of life.
  • DFS migration for legacy sites
    Ensure DFS sites are migrated or retired ahead of the decommissioning deadline.
  • Integrate Sectigo CA
    There is significant interest from CERN IT and the WLCG in integrating a publicly trusted CA for host and user certificates. This is currently on hold due to other priorities in the team.
WLCG IAM
Columns: Current (Q3 2025) | Near-term (Q4 2025 - Q1 2026) | Future

  • WLCG IAM Features
    Enhance the INDIGO IAM software to meet the needs of the CERN experiments.
  • AARC
    Contribute to the European Commission funded project AARC Tree to ensure interoperability between WLCG, CERN and the wider community.
  • EOSC Integration
    Enable authentication and authorisation for CERN's long-term integration in the European Open Science Cloud (EOSC).
  • WLCG Data Challenge 2026
    Ensure the WLCG IAM instances are able to support the upcoming WLCG Data Challenge.

Recent Highlights

Q2 2025

  • Successfully integrated OpenStack and Google Workspace into the newly redesigned Resources Portal. Significant progress made towards the goals of the Eligibility Project.
  • Approaching feature completion for GMS, with a significant number of clients actively migrating.
  • Implemented the synchronisation of ORCID IDs from the HR system into the Authorization Service, with ORCID management possible via the Users Portal.
  • Completed cleanup of several legacy Single Sign-On (SSO) components, including the 2FA realm and the Keycloak bridge.
  • Implemented password policy enhancements in alignment with Cyber Security Audit requirements.
  • Decommissioned legacy EDH password management features.
  • DBOD upgrades completed on time with minimal impact to services.

Q1 2025

  • Released new synchronisation functionality for the GMS platform.
  • Upgraded Single Sign-On (SSO) infrastructure to Keycloak version 24.
  • Enabled authentication support for the European Open Science Cloud via SSO.
  • Integrated an enhanced eduGAIN discovery service to improve user experience.
  • Optimised database logic, resulting in significant performance improvements for SSO and the Authorization Service, benefiting systems such as Eligibility, GMS, and Accounts.

Contact

See the dedicated contact page with ways to reach us and to stay in touch.