I think this is a good idea as it accomplishes the original goal and does not make the DB depend on the LIR portal.

- Cynthia

On Fri, May 17, 2019, 10:33 Edward Shryane via db-wg <db-wg@ripe.net> wrote:
Dear working group,

here is the RIPE NCC's proposed implementation plan for NWI-8: LIR's SSO Authentication Groups.

Scope

- To simplify the implementation, synchronisation will be done using the existing SSO authentication method.
- Authentication groups (and any new authentication method) will be deferred until later.

Introduction

- The synchronisation of non-billing users with the RIPE database will be done with a default maintainer.
- Setting a default maintainer for the organisation is a pre-requisite for synchronisation.
- A default maintainer is already able to maintain the organisation object and top-level resources.
- Extending this existing mechanism simplifies the synchronisation of users.

Implementation

- A new checkbox will be added to the Account Details page in the LIR Portal, in the Maintainer section.
        - "Synchronise non-billing users with the default maintainer".
- If no default maintainer is set, the checkbox is disabled.
- The synchronise checkbox is not checked by default (the user must confirm this action first).
- When the user enables the synchronise checkbox, they must first authenticate with the default maintainer.
        - The user must prove they control the maintainer before user accounts are added to it.
        - If the user's account is already present on the maintainer, this authentication is automatic.
        - Otherwise if the maintainer contains any password credentials, the user will be asked for a password.
        - Otherwise the user is asked to first add their credentials to the maintainer separately.
- Once the checkbox is enabled, synchronisation is performed.
        - Any existing user accounts are removed from the maintainer.
        - Any non-billing user accounts are added to the maintainer.
        - Any other credentials (passwords or PGP keys) are not affected.
- After synchronisation is enabled
        - Whenever a non-billing user is added or removed from the organisation, the default maintainer is updated accordingly.
- A default maintainer can only be synchronised with a single organisation.
        - If a user is removed from one organisation, but remains in a different organisation, this would create a conflict when synchronising.
- If synchronisation is disabled
        - Users are no longer synchronised with the default maintainer, but existing user accounts are not removed.
- Notifications
        - To receive email notifications when the default maintainer is updated, use the notify: and/or mnt-nfy: attribute(s) on the maintainer itself.


Regards
Ed Shryane
RIPE NCC
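The plan's synchronisation rule and its pre-checks, modelled over a constructed mntner object as an added example (this is not RIPE NCC code; the object, user names and organisation names are made up, the MD5-PW value is a placeholder, and only the auth: attribute is interpreted):

```python
from typing import Dict, List

# Constructed example maintainer (not a real object): one SSO user, one
# password hash and one PGP key. The MD5-PW value is a placeholder, not a hash.
EXAMPLE_MNT = """\
mntner:         EXAMPLE-MNT
auth:           SSO old-admin@example.net
auth:           MD5-PW $1$placeholder$notarealhash
auth:           PGPKEY-DEADBEEF
mnt-nfy:        noc@example.net
"""

def auth_values(rpsl: str) -> List[str]:
    """Values of every auth: attribute, in object order."""
    return [ln.split(":", 1)[1].strip() for ln in rpsl.splitlines() if ln.startswith("auth:")]

def required_proof(rpsl: str, enabling_user: str) -> str:
    """Proof the enabling user owes before sync starts: 'automatic' if their SSO account is
    already on the maintainer, 'password' if any MD5-PW exists, else 'add-credentials-first'."""
    auths = auth_values(rpsl)
    if f"SSO {enabling_user}" in auths:
        return "automatic"
    if any(a.startswith("MD5-PW ") for a in auths):
        return "password"
    return "add-credentials-first"

def synchronise(rpsl: str, non_billing_users: List[str]) -> str:
    """Drop every existing SSO auth line and add one per non-billing user (at the position
    of the first old SSO line); all other attributes, MD5-PW and PGPKEY included, are kept."""
    new_sso = [f"auth:           SSO {u}" for u in non_billing_users]
    out: List[str] = []
    inserted = False
    for ln in rpsl.splitlines():
        if ln.startswith("auth:") and ln.split(":", 1)[1].strip().startswith("SSO "):
            if not inserted:
                out.extend(new_sso)
                inserted = True
            continue
        out.append(ln)
    if not inserted:  # maintainer had no SSO lines yet: place them after mntner:
        out[1:1] = new_sso
    return "\n".join(out) + "\n"

def bind_sync(bindings: Dict[str, str], mntner: str, org: str) -> None:
    """A default maintainer may be synchronised with a single organisation only."""
    bound = bindings.get(mntner)
    if bound is not None and bound != org:
        raise ValueError(f"{mntner} is already synchronised with {bound}")
    bindings[mntner] = org
```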