
CERN Authorization Service

The goal of the new CERN Authorization Service is to provide a centralized authentication and authorization infrastructure.

The main components of the service are:

  • A Single Sign-On service, based on Keycloak, providing federated and social authentication and supporting SAML and OIDC protocols. This service is replacing the previous Single Sign-On service based on Microsoft ADFS.
  • A Users Portal, where users can manage their own accounts.
  • A Groups Portal, where users can define static and dynamic groups, including external (non-CERN) members.
  • An Applications Portal, where application owners can register their applications for Single Sign-On and configure the applications' authorization schemes.
  • A Resources Portal, where users can visualize and manage their subscriptions to IT services and list their resources.
  • An API that can be used to automate the management of users, groups and applications (for extensive documentation of these entities, check here).

Roadmap (updated in April 2024)

The roadmaps show our team's current plans, by area of activity.
Please note that the times provided are rough estimates, and that priorities can change over time.

Single Sign On

Columns: Current (what we work on now, Q2 2024), Near-term (what we plan to work on next, Q3-Q4 2024), Future (what we investigate).

  • Upgrade to Keycloak 23
    Upgrade Keycloak (the software behind SSO) to version 23, bringing various improvements and bug fixes.
  • Simplify two-factor authentication (2FA)
    Remove the separate realm used for 2FA, and simplify the login flow and the internal 2FA mechanisms.
  • SSO service BC/DR
    Prepare and test cold recovery, implement various Business Continuity (BC) measures, and prepare a separate SSO instance for Disaster Recovery (DR).
  • Service Performance Qualification
    Enhance and visualize relevant service metrics.
  • Improve two-factor authentication (2FA) usability
    Allow registering more than one WebAuthn hardware token, plus other usability improvements.

Groups Management System (GMS, a.k.a. "Grappa")

Columns: Current (what we work on now, Q2 2024), Near-term (what we plan to work on next, Q3-Q4 2024), Future (what we investigate).

  • Groups email properties
    Provide email settings for groups, both in the API and in the Groups portal.
  • EGroups - GMS synchronization
    Complete and improve the synchronization process between GMS and EGroups.
  • Gather feedback
    Once most features are available, promote the portal and API usage to ensure stability and gather feedback on development priorities.
  • LDAP and Mail synchronization
    Replace the current synchronization mechanism towards the LDAP and mail services so that GMS becomes the source of truth (today the source of truth is EGroups).
  • Improve dynamic groups management and integrate with AIS roles
    Improve the dynamic groups population mechanism and integrate with AIS roles, so that a dynamic group can be defined with role-based criteria and a role can be populated from a GMS group.
  • Missing features
    Implement any remaining missing features.
  • Migration
    Ensure that EGroups clients can migrate to the new GMS.
  • EGroups decommissioning
    Plan and execute the EGroups decommissioning in collaboration with FAP/BC.

Resources Management

Columns: Current (what we work on now, Q2 2024), Near-term (what we plan to work on next, Q3-Q4 2024), Future (what we investigate).

  • Self-service account activation
    Allow newcomers with a registered external email address to activate their CERN account without contacting the Service Desk.
  • Eligibility and Lifecycle: OpenStack integration
    Integrate OpenStack into the new Resources portal, in compliance with the Eligibility framework.
  • Eligibility and Lifecycle: Google Workspace integration
    Integrate Google Workspace into the new Resources portal, in compliance with the Eligibility framework.
  • State-based resource management
    Provide a status for resources to track their evolution through their lifecycle.
  • Project-owned resources
    Allow assigning resources to projects instead of individual owners, to simplify resource tracking and accounting.

Contact

See the dedicated contact page with ways to reach us and to stay in touch.