CERN Authentication and Authorization Services

The goal of the new CERN Authentication and Authorization Services are to provide a centralized authentication and authorization infrastructure.

The main components of the services are:

• A Single Sign-On service, based on Keycloak, providing federated and social authentication and supporting SAML and OIDC protocols. This service is replacing the previous Single Sign-On service based on Microsoft ADFS.
• A Users Portal, where users can manage their own accounts.
• A Groups Portal, where users can define static and dynamic groups, including external (non-CERN) members.
• An Applications Portal, where application owners can register their applications for Single Sign-On and configure the applications authorization schemes.
• A Resources Portal, where users can visualize and manage their subscriptions to IT services and list their resources.
• An API that can be used to automate the users, groups and applications management (for extensive documentation of these entities check here).

Recent Highlights (Q3 2024)

• Authorization Service Release 4.3.0, which included improvements related to Resources and Groups
• SSO Cold Recovery Tests completed successfully
• WLCG IAM Services upgraded and moved to High Availability Kubernetes Infrastructure
• Service Performance Qualification metrics published for SSO and Account Management services

Roadmap (updated for Q4 2024)

The roadmaps show our team's current plans, by area of activity.

We plan our activities quarterly. Any request for features not currently in our plans will be considered at the next quarterly planning.

Some of the activities headers provide links to the corresponding epic task in our Jira project, if you want to follow the team's progress more closely.

Please note that the times provided are rough estimates, and that priorities can change over time.

Single Sign On
Current What we work on now (Q4 2024)	Near-term What we plan working on next (Q1 2025 - Q3 2025)	Future What we investigate
Upgrade to Keycloak 24 Upgrade Keycloak (the software behind SSO) to version 24, bringing various improvements and bug fixes. Update the EduGAIN authentication infrastructure Retire the CC7-based part of the EduGAIN infrastructure and move from puppet to Openshift. Retire lightweight creation Retire the legacy way to authenticate non-CERN users. Provide a transparent alternative to users.	Simplify two-factor authentication (2FA) Remove a separate realm for 2FA, and simplify the login flow and internal 2FA mechanisms.	Improve two-factor authentication (2FA) usability Allow more than one WebAuthn hardware token, and other usability improvements.
Groups Management System (GMS)
Current What we work on now (Q4 2024)	Near-term What we plan working on next (Q1 2025 - Q3 2025)	Future What we investigate
EGroups - GMS synchronization Complete and improve the synchronization process between GMS and EGroups. Groups email properties Provide email settings for groups, both in the API and in the Groups portal. Improve dynamic groups management and integrate with AIS roles Improve the dynamic groups population mechanism and integrate with AIS roles, so that it is possible to define a dynamic group with a roles-based criteria and populate a role with a GMS group. Gather feedback Once most features are available, promote the portal and API usage to ensure stability and gather feedback on development priorities.	Direct synchronization to Active Directory and Mail Service Replace the current synchronization mechanism to LDAP and mail services so that GMS is the source of truth (which currently is EGroups). Missing features Implement any missing feature.	Migration Ensure that EGroups clients can migrate to the new GMS. EGroups decommissioning Plan and execute the EGroups decommissioning in collaboration with FAP/BC.
Resources Management
Current What we work on now (Q4 2024)	Near-term What we plan working on next (Q1 2025 - Q3 2025)	Future What we investigate
Self-service account activation Allow newcomers with a registered external email address to activate their CERN account without contacting the Service Desk. Eligibility and Lifecycle: Openstack integration Integrate Openstack in the new Resources portal, in compliance with the Eligibility framework. Improve Disaster Recovery Improve the disaster recovery procedures for authorization services (not including SSO). Initial cold recovery tests planned for Resource synchronisation servers.	Password policy update Update the password policies to tighten security. Eligibility and Lifecycle: Resource Groups (Tenants) Group resources together to improve resources categorization and cost tracking. Eligibility and Lifecycle: Google Workspaces integration Integrate Google workspaces in the new Resources portal, in compliance with the Eligibility framework.	Decommission lightweight accounts Remove all dependency on legacy lightweight accounts (e.g. by Mail and AD) and provide alternatives. Eligibility and Lifecycle: migrate all resources Ensure that all resources and services using the legacy resources site are migrated.
Certificate Authority
Current What we work on now (Q4 2024)	Near-term What we plan working on next (Q1 2025 - Q3 2025)	Future What we investigate
Replace Hardware Security Module Replace the Hardware Security Module used by the Intermediate CAs, due to end of life.		Integrate Sectigo CA There is significant interest from CERN IT and the WLCG to integrated a publicly trusted CA for host and user certificates. This is currently on hold due to other priorities in the team.

Contact

See the dedicated contact page with ways to reach us and to stay in touch.