Skip to content

CERN Authorization Service

The goal of the new CERN Authorization Service is to provide a centralized authentication and authorization infrastructure.


Updated on 07/11/22

What we work on now
(H2 2022)
What we plan working on next
(H1 2023)
What we investigate
"Always on" multifactor authentication
Always on MFA tasks list
Simplify the multifactor login flow, to make it compliant with industry standards.
Service continuity
Service continuity and disaster recovery plans.
SSO migration
Complete the migration to the new SSO service (by summer 2023).
Provide support to application owners that need to migrate.
Resources Lifecycle Migration
Manage CERN Computing Resources (e.g. mailboxes, db accounts, websites) using the new system. This requires migration for each resource type.
Account Management
Enable accounts managment to support CERN's new eligibility model
Migrate the account management from the old system to the new, including Service Desk tools.
Enhance the Groups API to deliver all required features, for both authorization groups and for mailing lists.
Egroups migration
Migrate existing groups from e-groups to the Authorization Service API. Provide support for users of e-groups API to transition to the new service.
Decommission old infrastructure
Decommission the old account management service and resources portals.


The main components of the service are:

  • A Single Sign-On service, based on Keycloak, providing federated and social authentication and supporting SAML and OIDC protocols. This service will replace the current Single Sign-On service based on Microsoft ADFS.
  • A Users Portal, where users can manage their own accounts.
  • A Groups Portal, where users can define static and dynamic groups, including external (non-CERN) members.
  • An Applications Portal, where application owners can register their applications for Single Sign-On and configure the applications authorization schemes.
  • An API that can be used to automate the users, groups and applications management (for extensive documentation of these entities check here).


A Mattermost Channel has been set up for help with the infrastructure.

If you want to receive a notification for upcoming interventions related to the service, you can subscribe to the group single-sign-on-and-account-management-services-ssb.

For other questions, please open a support ticket.