CERN Authorization Service
The goal of the new CERN Authorization Service is to provide a centralized authentication and authorization infrastructure.
The main components of the service are:
- A Single Sign-On service, based on Keycloak, providing federated and social authentication and supporting SAML and OIDC protocols. This service will replace the current Single Sign-On service based on Microsoft ADFS.
- Kerberos and LDAP services, based on FreeIPA. These services will replace the current Microsoft Active Directory infrastructure.
- A Users Portal, where users can manage their own accounts.
- A Groups Portal, where users can define static and dynamic groups, including external (non-CERN) members. This portal will replace the current E-Groups service.
- An Applications Portal, where application owners can register their applications for Single Sign-On and configure the applications authorization schemes.
- An API that can be used to automate the users, groups and applications management.
Status and Roadmap
| Feature | Status | |
|---|---|---|
| Single Sign-On | CERN users | Complete |
| EduGain users | Complete | |
| Social logins |
Supported: Linkeding, Github, Google, Facebook. Additional providers might be added in future releases. |
|
| Lightweight accounts | Complete | |
| Groups management API | Groups management (users portal) | Complete |
| Dynamic groups (users portal) |
Most dynamic criteria supported. Missing criteria might be deprecated in E-Groups. |
|
| Programmatic access to the API | Under development. | |
| Accounts management | Multi-factor authentication | Complete, Service Desk tools available |
| Multiple accounts mapping | Missing features: Service Desk tools, accounts un-linking, identity deletion. | |
| Accounts management API | Accounts are still managed by the legacy service ("FIM"). | |
| Computing resources lifecycle | Lifecycle management features | Complete, the API can already be used for resources lifecycle management. |
| Resources migration | Resource lifecycles are still managed by the legacy service ("FIM"). | |
Contact
A Mattermost Channel has been set up for help with the pilot infrastructure.
For other questions, please contact the Authorization Service Administrators.