CERN Authentication and Authorization Services
The goal of the new CERN Authentication and Authorization Services is to provide a centralized authentication and authorization infrastructure.
The main components of the services are:
- A Single Sign-On service, based on Keycloak, providing federated and social authentication and supporting SAML and OIDC protocols. This service is replacing the previous Single Sign-On service based on Microsoft ADFS.
- A Users Portal, where users can manage their own accounts.
- A Groups Portal, where users can define static and dynamic groups, including external (non-CERN) members.
- An Applications Portal, where application owners can register their applications for Single Sign-On and configure the applications' authorization schemes.
- A Resources Portal, where users can visualize and manage their subscriptions to IT services and list their resources.
- An API that can be used to automate the management of users, groups and applications (extensive documentation of these entities is available on the dedicated page).
- WLCG IAM instances: OAuth token issuers that allow CERN experiment participants to access grid computing.
Roadmap (updated for Q2 2025)
The roadmaps show our team's current plans, by area of activity.
We plan our activities quarterly. Any request for features not currently in our plans will be considered at the next quarterly planning.
Some of the activity headers link to the corresponding epic task in our Jira project, if you want to follow the team's progress more closely.
Please note that the times provided are rough estimates, and that priorities can change over time.
Each roadmap table has three columns: Current (what we work on now, Q2 2025), Near-term (what we plan to work on next, Q3 2025 - Q4 2025) and Future (what we investigate). The roadmap covers the following areas:
- Single Sign On
- Groups Management System (GMS)
- Resources Management
- Certificate Authority
- WLCG IAM
[Roadmap table entries for these areas are not available in this copy of the page.]
Recent Highlights
Q1 2025
- Release of new synchronisation for GMS
- SSO
- upgrade to Keycloak v24
- support for authentication to the European Open Science Cloud
- integration of a more usable eduGAIN discovery service
- Progress on service integration for the Eligibility Project (OpenStack, Engineering Tools, Google Workspace)
- Improved database logic resulted in significant performance gains for SSO and the Authorization Service (affecting Eligibility, GMS, Accounts and more)
Q4 2024
- Release of the new lifecycle model for Computing Resource Eligibility
- Development of GMS mail settings complete
- MIM and WLCG IAM Cold Recovery tests completed successfully
- Creation of old-style lightweight accounts decommissioned in favour of inbuilt SSO users
- .NET 8 upgrade of all services
Contact
See the dedicated contact page with ways to reach us and to stay in touch.