CERN Authorization Service

The goal of the new CERN Authorization Service is to provide a centralized authentication and authorization infrastructure.

The main components of the service are:

  • A Single Sign-On service, based on Keycloak, providing federated and social authentication and supporting SAML and OIDC protocols. This service will replace the current Single Sign-On service based on Microsoft ADFS.
  • Kerberos and LDAP services, based on FreeIPA. These services will replace the current Microsoft Active Directory infrastructure.
  • A Users Portal, where users can manage their own accounts.
  • A Groups Portal, where users can define static and dynamic groups, including external (non-CERN) members. This portal will replace the current E-Groups service.
  • An Applications Portal, where application owners can register their applications for Single Sign-On and configure the applications' authorization schemes.
  • An API that can be used to automate the management of users, groups and applications.


A Mattermost Channel has been set up for help with the Alpha Infrastructure.

For other questions, please contact Paolo Tedesco.