
CERN Authorization Service

The goal of the new CERN Authorization Service is to provide a centralized authentication and authorization infrastructure.

The main components of the service are:

  • A Single Sign-On service, based on Keycloak, providing federated and social authentication and supporting SAML and OIDC protocols. This service will replace the current Single Sign-On service based on Microsoft ADFS.
  • Kerberos and LDAP services, based on FreeIPA. These services will replace the current Microsoft Active Directory infrastructure.
  • A Users Portal, where users can manage their own accounts.
  • A Groups Portal, where users can define static and dynamic groups, including external (non-CERN) members. This portal will replace the current E-Groups service.
  • An Applications Portal, where application owners can register their applications for Single Sign-On and configure their applications' authorization schemes.
  • An API that can be used to automate the management of users, groups and applications.

Status and Roadmap

Each feature is listed with its current status.

Single Sign-On
  • CERN users: Complete
  • eduGAIN users: Complete
  • Social logins: Supported: LinkedIn, GitHub, Google, Facebook. Additional providers might be added in future releases.
  • Lightweight accounts: Complete

Groups management API
  • Groups management (users portal): Complete
  • Dynamic groups (users portal): Most dynamic criteria supported. Missing criteria might be deprecated in E-Groups.
  • Programmatic access to the API: Under development.

Accounts management
  • Multi-factor authentication: Complete, Service Desk tools available.
  • Multiple accounts mapping: Missing features: Service Desk tools, accounts un-linking, identity deletion.
  • Accounts management API: Accounts are still managed by the legacy service ("FIM").

Computing resources lifecycle
  • Lifecycle management features: Complete, the API can already be used for resources lifecycle management.
  • Resources migration: Resource lifecycles are still managed by the legacy service ("FIM").
A Mattermost channel has been set up for help with the pilot infrastructure.

For other questions, please contact the Authorization Service Administrators.