Dear Anders,

Thank you for your comments about SSO. I will answer each in turn.

a) You are correct about the appendix. We updated section '2.8.1 Authorisation Model' which has the same table as in the Appendix. We will update the Appendix in the next release. In future documentation we will avoid having identical information duplicated in multiple parts of the same document.

b) For security reasons we consider the SSO username in the same way as an MD5 password hash. So this is only available in an authenticated way. As we don't yet have authenticated queries it can only be handled by Webupdates.

c) Currently there is no “neat” way of authenticating against the RIPE Database RESTful API using your Access SSO account.

This kind of authentication actually spans all of the RIPE NCC services that use SSO and provide a REST API. These include the LIR Portal services like the IP Analyser, but also RIPEstat and RIPE Atlas. We could solve this in several ways, for example by providing each RIPE NCC Access account with a unique API access token (thereby tying the authentication to an individual), or by allowing you to set up a "service account", such as OAuth2, that authorises your application to access a certain RIPE NCC API.

We’d be quite interested to hear about your use cases, in order to make sure we choose the right implementation.

Regards
Denis Walker
Business Analyst
RIPE NCC Database Team


On 04/04/2014 15:48, Anders Mundt Due wrote:
On 26 Mar, Johan Åhlén wrote:
Dear Piotr,

Thanks for pointing out the version mismatches, we’ll update the
manuals ASAP.

As mentioned earlier we’re currently in the process of improving the
documentation. We’re doing this in two phases, first we'll improve our

Three quick questions regarding SSO..

a) I don't see 'SSO' mentioned in the appendix on page 46/47 of the PDF
version, shouldn't it be there?

b) If I've added 'sso' auth to a mntner object, can I then only get the
unfiltered version by going through the webupdater?

c) Is there some "neat" way of sending authentication information to
the API and will it use it and in that way let me reach protected
elements? (such as the auth sso..) (will simple HTTP auth do this?)

/Anders