


Cegal is building a suite of next-generation software products and services that are not necessarily tied to Petrel. To support the new software platform, Cegal has developed Keystone. Keystone provides secure access to applications and APIs for users of Cegal and its partners. Keystone is an evergreen web-based SaaS offering which handles licensing, subscription, and user application assignment for Cegal, its users, and customer tenant administrators.


Keystone is a multi-tenant SaaS offering running in the cloud that supports single sign-on via an Azure Active Directory backing identity provider.

Identity management

Identity management is fundamental to Keystone. Users log in to Keystone using credentials from their own organization. Once logged in, they have single sign-on access to all applications to which they are entitled.

Keystone uses industry-standard best practice for OAuth2 and OpenID Connect secure sign-in workflows to grant access to applications and APIs.

This system allows Cegal and its partners to securely grant access to a variety of application types, on the desktop or web.


The Keystone portal is available at https://keystone.cegal-geo.com/

Tenant onboarding, provisioning, and invitations

When a client requests access to a licensed application, as either a purchase or an evaluation, and that software is protected by Keystone, a prerequisite is that the customer has an Azure Active Directory. Azure Active Directory is the backing identity provider used by Keystone. The customer's Azure tenant must then be provisioned inside Keystone. This only needs to be done once.

Tenant provisioning is a simple matter of an initial invited customer tenant administrator completing a registration by clicking a link in a tenant onboarding email. Once that is done, either the customer's tenant administrator(s) or a Cegal tenant administrator (if requested) can assign users to any subscriptions available for the tenant.

Subscriptions are tied to an application or API(s) based on a volume of named user licenses. These named users can be switched by the customer tenant administrator, but the volume of named users is determined by the subscription itself. Subscriptions are tied to bundles relating to that application. The definition of a bundle provides flexible options to aggregate a set of role / feature flags behind a license.

Once a tenant has been onboarded, a logical application registration will appear inside the customer’s Azure tenant. This application registration is the customer’s local instance of the multi-tenant application created by Cegal for Keystone on behalf of customer tenants. This is the only application registration that is required. Individual application registrations will not be required.

Evaluation licenses

If a customer wants to begin an evaluation immediately, but their IT department cannot onboard the Keystone Azure application swiftly, Cegal can offer individual user licenses in a special Evaluation tenant. These can be managed by the Cegal support team if the customer wishes to change the users’ details during the evaluation period.

Tenant Admin

Once onboarded to Keystone, a client’s tenant admin will be able to assign named users within the tenant and manage what applications they have access to across existing license agreements. Cegal can (if required and as previously mentioned) also assist with tenant administration operations on behalf of a customer. The Cegal support team are happy to assist!


Ease of use

Keystone is built to be an extremely simple system to use, whether that be for the end user, customer tenant administrators, Cegal support / product / sales staff, or developers.

The end user has a central landing page to download desktop applications, launch web-based applications, or see what Keystone licensed applications are available to them. Once logged in to Keystone, they have single sign-on for all Keystone applications.

Customer tenant administrators have a simple interface to control which users within the customer organization have access to which Keystone applications. Tenant administrators will soon also have the option to monitor usage of those applications.

Cegal can reduce the time taken to give a customer access to an application from what previously could have taken weeks to a matter of just minutes or seconds. Developers have a framework to easily distribute secure licensed applications, whether that be for SaaS-based offerings or desktop software.

Granting Keystone access to your Azure Profile

When signing in to Keystone for the first time, a user will be asked to grant consent for their Azure AD profile to be read. The only information that Keystone accesses is the user’s first name, last name, and email address. No personal information is retained for the user other than previously specified.


You may have to get your company Azure tenant admin to approve the Keystone app registration. For more information on this, please refer to:


Importantly, you will only have to do this once, and not for each individual application licensed via Keystone.

Named User licensing Flexibility

Cegal recognizes that a web-based named user licensing system is different from the concurrent file-based systems that legacy software has been based on for many years and that many clients are familiar with.

However, we consider it fit for purpose for our new modern software portfolio moving forwards.

Clients are allowed, via their tenant admin accounts, to edit the list of named users associated to an application subscription to provide flexibility within the named user model.


Applications licensed by Keystone will notify users if an update to the software that they are using is available within the application e.g.


Users or administrators can then easily visit the download portal to access the latest installer at https://keystone.cegal-geo.com/downloads.





Keystone has been wholly developed by Cegal and all IP is the property of Cegal.

3rd Party Licensing

If, as a client or a 3rd party vendor, you would like to use Keystone to license software or APIs, please contact Cegal.

Legacy Petrel Plug-ins

At this time, Keystone does not provide licensing of existing Petrel plug-ins that are currently licensed via Ocean. These products for the moment remain licensed via Ocean.


Keystone is regularly penetration tested by Netsecurity (https://www.netsecurity.no/).


Cegal is currently developing usage metrics. These will be available to the client via Keystone, in some capacity, in the near future.