Skip to content

CERN Authorization Service

The goal of the new CERN Authorization Service is to provide a centralized authentication and authorization infrastructure.


Updated on 13/04/22

What we work on now
(H1 2022)
What we plan working on next
(H2 2022)
What we investigate
"Always on" multifactor authentication
Always on MFA tasks list
Simplify the multifactor login flow, to make it compliant with industry standards.
Lifecycle management
Provide a fully functional lifecycle for the resources managed by the new service (applications and Grappa groups).
Periodically notify owners of resources that were reassigned automatically and need an action on their part.
Service continuity
Service continuity and disaster recovery plans.
SSO migration
Complete the migration to the new SSO service (by end of 2022).
Provide support to application owners that need to migrate.
Decommission the old SSO by the beginning of 2023.
Enhance the Groups API to deliver all required features, for both authorization groups and for mailing lists.
Account Management
Migrate the account management from the old system to the new, including Service Desk tools.
Resources Lifecycle Migration
Manage CERN Computing Resources (e.g. mailboxes, db accounts, websites) using the new system. This requires migration for each resource type.
Egroups migration
Migrate existing groups from e-groups to the Authorization Service API. Provide support for users of e-groups API to transition to the new service.
Decommission old infrastructure
Decommission the old account management service and resources portals.


The main components of the service are:

  • A Single Sign-On service, based on Keycloak, providing federated and social authentication and supporting SAML and OIDC protocols. This service will replace the current Single Sign-On service based on Microsoft ADFS.
  • Kerberos and LDAP services, based on FreeIPA.Quest'ErmoColle

These services will replace the current Microsoft Active Directory infrastructure. - A Users Portal, where users can manage their own accounts. - A Groups Portal, where users can define static and dynamic groups, including external (non-CERN) members. This portal will replace the current E-Groups service. - An Applications Portal, where application owners can register their applications for Single Sign-On and configure the applications authorization schemes. - An API that can be used to automate the users, groups and applications management (for extensive documentation of these entities check here).


A Mattermost Channel has been set up for help with the pilot infrastructure.

If you want to receive a notification for upcoming interventions related to the service, you can subscribe to the group single-sign-on-and-account-management-services-ssb.

For other questions, please contact the Authorization Service Administrators.