Skip to content

CERN Authorization Service

The goal of the new CERN Authorization Service is to provide a centralized authentication and authorization infrastructure.


Updated on 31/08/23

What we work on now
(H2 2023)
What we plan working on next
(H1 2024)
What we investigate
"Always on" two factor authentication
Simplify the two factor login flow, to make it compliant with industry standards.
Service continuity
Service continuity and disaster recovery plans. This includes migrating the SSO hosting from puppet to Kubernetes.
SSO migration
Complete the migration to the new SSO service. Please see OTG0072195 for the most recent information.
Account Management Modernisation
Migrate the account management from the old system to the new, including Service Desk tools. Decommission the old account management service and resources portals.
Eligibility Project Implementation
Enable accounts management to support CERN's new eligibility model. This includes enhancing the resource management portals to meet project requirements.
Egroups Replacement
Enhance the Groups API to deliver all required features, for both authorization groups and for mailing lists. Migrate existing groups from e-groups to the Authorization Service API (Grappa). Provide support for users of e-groups API to transition to the new service.
Resources Lifecycle Migration
Manage CERN Computing Resources (e.g. mailboxes, db accounts, websites) using the new system. This requires migration for each resource type.

Overview of our services

The main components of the service are:

  • A Single Sign-On service, based on Keycloak, providing federated and social authentication and supporting SAML and OIDC protocols. This service is replacing the previous Single Sign-On service based on Microsoft ADFS.
  • A Users Portal, where users can manage their own accounts.
  • A Groups Portal, where users can define static and dynamic groups, including external (non-CERN) members.
  • An Applications Portal, where application owners can register their applications for Single Sign-On and configure the applications authorization schemes.
  • An API that can be used to automate the users, groups and applications management (for extensive documentation of these entities check here).


See the dedicated contact page with ways to reach us and to stay in touch.