Dear working group,
here is the RIPE NCC's proposed implementation plan for NWI-8: LIR's SSO Authentication Groups.
Scope

- To simplify the implementation, synchronisation will be done using the existing SSO authentication method.
- Authentication groups (and any new authentication method) will be deferred until later.

Introduction

- The synchronisation of non-billing users with the RIPE database will be done with a default maintainer.
- Setting a default maintainer for the organisation is a pre-requisite for synchronisation.
- A default maintainer is already able to maintain the organisation object and top-level resources.
- Extending this existing mechanism simplifies the synchronisation of users.

Implementation

- A new checkbox will be added to the Account Details page in the LIR Portal, in the Maintainer section.
  - "Synchronise non-billing users with the default maintainer".
  - If no default maintainer is set, the checkbox is disabled.
  - The synchronise checkbox is not checked by default (the user must confirm this action first).
- When the user enables the synchronise checkbox, they must first authenticate with the default maintainer.
  - The user must prove they control the maintainer before user accounts are added to it.
  - If the user's account is already present on the maintainer, this authentication is automatic.
  - Otherwise, if the maintainer contains any password credentials, the user will be asked for a password.
  - Otherwise, the user is asked to first add their credentials to the maintainer separately.
- Once the checkbox is enabled, synchronisation is performed.
  - Any existing user accounts are removed from the maintainer.
  - Any non-billing user accounts are added to the maintainer.
  - Any other credentials (passwords or PGP keys) are not affected.
- After synchronisation is enabled:
  - Whenever a non-billing user is added or removed from the organisation, the default maintainer is updated accordingly.
  - A default maintainer can only be synchronised with a single organisation.
    - If a user is removed from one organisation, but remains in a different organisation, this would create a conflict when synchronising.
- If synchronisation is disabled:
  - Users are no longer synchronised with the default maintainer, but existing user accounts are not removed.
- Notifications
  - To receive email notifications when the default maintainer is updated, use the notify: and/or mnt-nfy: attribute(s) on the maintainer itself.
Regards
Ed Shryane
RIPE NCC
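The following is an added illustration of the synchronisation rules in the plan above, applied to a maintainer object; it is not part of Ed's message and not RIPE NCC code. The mntner object, the user names, the organisation IDs and the SyncRegistry class are all constructed for the example. It encodes the authentication step (automatic if the user is already on the maintainer, password prompt if an MD5-PW credential exists, otherwise add credentials first), the sync itself (all SSO lines replaced, MD5-PW and PGPKEY lines untouched), the one-maintainer-per-organisation rule, and the fact that disabling sync leaves existing accounts in place.

```python
"""Illustration of the NWI-8 synchronisation rules applied to an RPSL mntner.
Constructed example, not RIPE NCC code; object, users and classes are assumed."""
from __future__ import annotations

from dataclasses import dataclass, field

Attr = tuple[str, str]

# Constructed maintainer. SSO, MD5-PW and PGPKEY- are the RIPE Database
# auth: schemes; the hash and key id below are placeholders, not real values.
SAMPLE_MNTNER = """\
mntner:         EXAMPLE-MNT
descr:          Constructed example maintainer
admin-c:        EX1-RIPE
upd-to:         noc@example.net
mnt-nfy:        noc@example.net
auth:           MD5-PW $1$SaltSalt$ExampleHashValueHere
auth:           PGPKEY-0123ABCD
auth:           SSO old-user@example.net
mnt-by:         EXAMPLE-MNT
source:         RIPE
"""

def parse_rpsl(text: str) -> list[Attr]:
    """Split a flat RPSL object into ordered (attribute, value) pairs."""
    attrs: list[Attr] = []
    for line in text.splitlines():
        if line.strip():
            name, _, value = line.partition(":")
            attrs.append((name.strip(), value.strip()))
    return attrs

def serialize_rpsl(attrs: list[Attr]) -> str:
    return "".join(f"{name + ':':<16}{value}\n" for name, value in attrs)

def is_sso(name: str, value: str) -> bool:
    return name == "auth" and value.upper().startswith("SSO ")

def sso_users(attrs: list[Attr]) -> set[str]:
    """User accounts currently listed as auth: SSO on the object."""
    return {v.split(None, 1)[1] for n, v in attrs if is_sso(n, v)}

def authentication_step(attrs: list[Attr], user: str) -> str:
    """How the user enabling sync must prove control of the maintainer."""
    if user in sso_users(attrs):
        return "automatic"
    if any(n == "auth" and v.upper().startswith("MD5-PW") for n, v in attrs):
        return "password"
    return "add-credentials-first"

def sync_auth(attrs: list[Attr], non_billing_users: set[str]) -> list[Attr]:
    """Drop every SSO credential, add one per non-billing user, keep the rest."""
    kept = [(n, v) for n, v in attrs if not is_sso(n, v)]
    new_sso = [("auth", f"SSO {u}") for u in sorted(non_billing_users)]
    # Keep the object readable: new SSO lines go after the last surviving
    # auth: line, or just before mnt-by if no other credentials remain.
    auth_idx = [i for i, (n, _) in enumerate(kept) if n == "auth"]
    pos = auth_idx[-1] + 1 if auth_idx else next(
        (i for i, (n, _) in enumerate(kept) if n == "mnt-by"), len(kept))
    return kept[:pos] + new_sso + kept[pos:]

@dataclass
class Organisation:
    org_id: str
    default_mntner: str | None
    non_billing_users: set[str] = field(default_factory=set)
    sync_enabled: bool = False

class SyncRegistry:
    """Records which organisation (at most one) each maintainer is synced with."""

    def __init__(self) -> None:
        self.owner: dict[str, str] = {}

    def enable(self, org: Organisation, attrs: list[Attr]) -> list[Attr]:
        if org.default_mntner is None:
            raise ValueError("checkbox disabled: no default maintainer set")
        owner = self.owner.get(org.default_mntner)
        if owner is not None and owner != org.org_id:
            raise ValueError(f"{org.default_mntner} already synced with {owner}")
        self.owner[org.default_mntner] = org.org_id
        org.sync_enabled = True
        return sync_auth(attrs, org.non_billing_users)

    def user_changed(self, org: Organisation, attrs: list[Attr]) -> list[Attr]:
        """Re-run the sync when a non-billing user is added or removed."""
        return sync_auth(attrs, org.non_billing_users) if org.sync_enabled else attrs

    def disable(self, org: Organisation, attrs: list[Attr]) -> list[Attr]:
        org.sync_enabled = False
        self.owner.pop(org.default_mntner, None)
        return attrs  # existing SSO lines deliberately stay on the maintainer

if __name__ == "__main__":
    org = Organisation("ORG-EX1-RIPE", "EXAMPLE-MNT", {"alice@example.net", "bob@example.net"})
    print(serialize_rpsl(SyncRegistry().enable(org, parse_rpsl(SAMPLE_MNTNER))))
```

Running the block prints the maintainer with `old-user@example.net` gone and SSO lines for alice and bob appended after the untouched MD5-PW and PGPKEY credentials. The explicit registry of maintainer-to-organisation ownership is what turns the "single organisation" rule into a check that fails closed rather than a silent overwrite.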