
CERN Authentication and Authorization Services

The goal of the new CERN Authentication and Authorization Services is to provide a centralized authentication and authorization infrastructure.

The main components of the services are:

  • A Single Sign-On service, based on Keycloak, providing federated and social authentication and supporting SAML and OIDC protocols. This service is replacing the previous Single Sign-On service based on Microsoft ADFS.
  • A Users Portal, where users can manage their own accounts.
  • A Groups Portal, where users can define static and dynamic groups, including external (non-CERN) members.
  • An Applications Portal, where application owners can register their applications for Single Sign-On and configure the applications' authorization schemes.
  • A Resources Portal, where users can visualize and manage their subscriptions to IT services and list their resources.
  • An API that can be used to automate the management of users, groups and applications (for extensive documentation of these entities, see here).
  • WLCG IAM instances: OAuth token issuers that let CERN experiment participants access grid computing.

Roadmap (updated for Q2 2025)

The roadmaps show our team's current plans, by area of activity.

We plan our activities quarterly. Any request for features not currently in our plans will be considered at the next quarterly planning.

Some of the activity headers link to the corresponding epic task in our Jira project, if you want to follow the team's progress more closely.

Please note that the times provided are rough estimates, and that priorities can change over time.

Single Sign On

(Columns: Current = what we work on now, Q2 2025; Near-term = what we plan to work on next, Q3 2025 - Q4 2025; Future = what we investigate.)

  • Upgrade to Keycloak 26: upgrade Keycloak (the software behind SSO) to version 26, bringing various improvements and bug fixes.
  • Simplify two-factor authentication (2FA): remove the separate realm for 2FA, and simplify the login flow and the internal 2FA mechanisms.
  • Improve two-factor authentication (2FA) usability: allow more than one WebAuthn hardware token, plus other usability improvements.
  • Additional login methods: add support for more login methods requested by the community (Apple ID).

Groups Management System (GMS)

(Columns: Current = what we work on now, Q2 2025; Near-term = what we plan to work on next, Q3 2025 - Q4 2025; Future = what we investigate.)

  • Improve dynamic groups management and integrate with AIS roles: improve the dynamic group population mechanism and integrate with AIS roles, so that a dynamic group can be defined with a role-based criterion and a role can be populated from a GMS group.
  • Direct synchronization to Active Directory and Mail Service: replace the current synchronization mechanism to LDAP and the mail services so that GMS, rather than EGroups, is the source of truth.
  • Gather feedback: once most features are available, promote the portal and API usage to ensure stability and gather feedback on development priorities.
  • Missing features: implement any missing feature.
  • Migration: ensure that EGroups clients can migrate to the new GMS.
  • EGroups decommissioning: plan and execute the EGroups decommissioning in collaboration with FAP/BC.

Resources Management

(Columns: Current = what we work on now, Q2 2025; Near-term = what we plan to work on next, Q3 2025 - Q4 2025; Future = what we investigate.)

  • Eligibility and Lifecycle: service integration: integrate Openstack, Engineering Tools, Google Workspace and AFS in the new Resources portal, in compliance with the Eligibility framework.
  • Password policy update: update the password policies to tighten security.
  • Decommission lightweight accounts: remove all dependencies on legacy lightweight accounts (e.g. in the Mail service and AD) and provide alternatives.
  • EDH password removal: remove the logic for EDH passwords, since EDH passwords themselves are being removed.
  • Eligibility and Lifecycle hackathon: organize a hackathon / workshop with service managers to kick off service integration with the eligibility framework and the new Resources Portal.
  • Account management migration: plan the project to complete the migration of account management to the new infrastructure.
  • Eligibility and Lifecycle: Resource Groups (Tenants): group resources together to improve resource categorization and cost tracking.
  • Eligibility and Lifecycle: migrate all resources: ensure that all resources and services using the legacy resources site are migrated.

Certificate Authority

(Columns: Current = what we work on now, Q2 2025; Near-term = what we plan to work on next, Q3 2025 - Q4 2025; Future = what we investigate.)

  • Replace Hardware Security Module: replace the Hardware Security Module used by the Intermediate CAs, which is reaching end of life.
  • Integrate Sectigo CA: there is significant interest from CERN IT and the WLCG in integrating a publicly trusted CA for host and user certificates. This is currently on hold due to other priorities in the team.

WLCG IAM

(Columns: Current = what we work on now, Q2 2025; Near-term = what we plan to work on next, Q3 2025 - Q4 2025; Future = what we investigate.)

  • WLCG IAM features: enhance the INDIGO IAM software to meet the needs of CERN experiments.
  • AARC: contribute to the European Commission funded project AARC Tree to ensure interoperability between WLCG, CERN and the wider community.
  • EOSC integration: enable authentication and authorisation for CERN's long-term integration in the European Open Science Cloud.

Recent Highlights

Q1 2025

  • Release of new synchronisation for GMS
  • SSO
    • upgrade to Keycloak v24
    • support for authentication to the European Open Science Cloud
    • integration of a more usable eduGAIN discovery service
  • Progress on service integration for the Eligibility Project (Openstack, Engineering Tools, Google Workspace)
  • Improved database logic resulted in significant performance gains for SSO and the Authorization Service (affecting Eligibility, GMS, Accounts and more)

Q4 2024

  • Release of the new lifecycle model for Computing Resource Eligibility
  • Development of GMS mail settings complete
  • MIM and WLCG IAM Cold Recovery tests completed successfully
  • Creation of old-style lightweight accounts decommissioned in favour of inbuilt SSO users
  • .NET 8 upgrade of all services

Contact

See the dedicated contact page with ways to reach us and to stay in touch.