CERN Authorization Service
The goal of the new CERN Authorization Service is to provide a centralized authentication and authorization infrastructure.
Roadmap
Updated on 13/04/22
- Current: What we work on now (H1 2022)
- Near-term: What we plan to work on next (H2 2022)
- Future: What we investigate
Overview
The main components of the service are:
- A Single Sign-On service, based on Keycloak, providing federated and social authentication and supporting SAML and OIDC protocols. This service will replace the current Single Sign-On service based on Microsoft ADFS.
- Kerberos and LDAP services, based on FreeIPA. These services will replace the current Microsoft Active Directory infrastructure.
- A Users Portal, where users can manage their own accounts.
- A Groups Portal, where users can define static and dynamic groups, including external (non-CERN) members. This portal will replace the current E-Groups service.
- An Applications Portal, where application owners can register their applications for Single Sign-On and configure the applications' authorization schemes.
- An API that can be used to automate the users, groups and applications management (for extensive documentation of these entities check here).
Contact
A Mattermost Channel has been set up for help with the pilot infrastructure.
If you want to receive a notification for upcoming interventions related to the service, you can subscribe to the group single-sign-on-and-account-management-services-ssb.
For other questions, please contact the Authorization Service Administrators.