CERN's Identity and Access Management A journey to Open Source

Until recently, CERN had been considered eligible for academic pricing of Microsoft products. Now, along with many other research institutes, CERN has been disqualified from this educational programme and faces a 20 fold increase in license costs. CERN's current Authentication and Authorization Infrastructure, dating from 2008, comprises multiple Microsoft services from the web Single-Sign-On to the Accounts Database. Replacing these core components is an opportunity to rebuild the CERN infrastructure using the latest technologies and concepts and to respond to evolving requirements of the community. It is also the appropriate moment to consider the alignment of CERN's and the Worldwide LHC Computing Grid's approaches to identity management, to create a more consistent environment for operators, developers and users. 2019 saw the launch of an Alpha version of CERN's next generation Authentication and Authorization Infrastructure, focusing on free and open source products and responding to the limitations experienced by the current system. We describe the new solution and focus on key changes.