NWI-8: LIR's SSO Authentication Groups - Implementation Plan
Dear working group,

here is the RIPE NCC's proposed implementation plan for NWI-8: LIR's SSO Authentication Groups.

Scope

- To simplify the implementation, synchronisation will be done using the existing SSO authentication method.
- Authentication groups (and any new authentication method) will be deferred until later.

Introduction

- The synchronisation of non-billing users with the RIPE database will be done with a default maintainer.
- Setting a default maintainer for the organisation is a pre-requisite for synchronisation.
- A default maintainer is already able to maintain the organisation object and top-level resources.
- Extending this existing mechanism simplifies the synchronisation of users.

Implementation

- A new checkbox will be added to the Account Details page in the LIR Portal, in the Maintainer section.
  - "Synchronise non-billing users with the default maintainer".
  - If no default maintainer is set, the checkbox is disabled.
  - The synchronise checkbox is not checked by default (the user must confirm this action first).
- When the user enables the synchronise checkbox, they must first authenticate with the default maintainer.
  - The user must prove they control the maintainer before user accounts are added to it.
  - If the user's account is already present on the maintainer, this authentication is automatic.
  - Otherwise, if the maintainer contains any password credentials, the user will be asked for a password.
  - Otherwise, the user is asked to first add their credentials to the maintainer separately.
- Once the checkbox is enabled, synchronisation is performed.
  - Any existing user accounts are removed from the maintainer.
  - Any non-billing user accounts are added to the maintainer.
  - Any other credentials (passwords or PGP keys) are not affected.
- After synchronisation is enabled:
  - Whenever a non-billing user is added or removed from the organisation, the default maintainer is updated accordingly.
  - A default maintainer can only be synchronised with a single organisation.
  - If a user is removed from one organisation, but remains in a different organisation, this would create a conflict when synchronising.
- If synchronisation is disabled:
  - Users are no longer synchronised with the default maintainer, but existing user accounts are not removed.
- Notifications:
  - To receive email notifications when the default maintainer is updated, use the notify: and/or mnt-nfy: attribute(s) on the maintainer itself.

Regards
Ed Shryane
RIPE NCC
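The plan above describes a transformation of a mntner object's auth: attributes plus a precondition check. The following Python is an added example written for this page, not RIPE NCC code and not part of the message: it models the three "prove you control the maintainer" outcomes, the synchronisation itself (drop every existing SSO line, add one per non-billing user, leave MD5-PW and PGPKEY lines alone), and the one-organisation-per-maintainer rule that avoids the conflict the plan mentions. The mntner object is constructed (the auth: forms SSO, MD5-PW and PGPKEY- are the real RIPE Database ones; the names, hash and key id are invented), and the function and class names are this example's own, not the LIR Portal's.

```python
"""Added example, not RIPE NCC code: models what the NWI-8 plan does to a
mntner object's auth: attributes, entirely offline on a constructed object."""

# Constructed sample mntner in RIPE Database RPSL syntax. The auth: forms
# (SSO, MD5-PW, PGPKEY-...) are the real RIPE DB ones; names, the hash and
# the key id are made up for this example.
SAMPLE_MNTNER = """\
mntner:         EXAMPLE-MNT
descr:          default maintainer of ORG-EX1-RIPE (constructed example)
admin-c:        EX1-RIPE
upd-to:         hostmaster@example.net
mnt-nfy:        hostmaster@example.net
auth:           SSO alice@example.net
auth:           SSO bob@example.net
auth:           MD5-PW $1$SaltSalt$0123456789abcdefghijkl
auth:           PGPKEY-0123ABCD
mnt-by:         EXAMPLE-MNT
source:         RIPE
"""


def parse_rpsl(text):
    """Split an RPSL object into ordered (attribute, value) pairs."""
    pairs = []
    for line in text.splitlines():
        if line.strip():
            key, _, value = line.partition(":")
            pairs.append((key.strip(), value.strip()))
    return pairs


def to_rpsl(pairs):
    """Render pairs back to RPSL text (attribute column padded to 16 chars)."""
    return "".join(f"{k + ':':<16}{v}\n" for k, v in pairs)


def sso_accounts(pairs):
    """The SSO e-mail addresses currently present in auth: lines."""
    return {v.split(None, 1)[1] for k, v in pairs if k == "auth" and v.startswith("SSO ")}


def has_password(pairs):
    return any(k == "auth" and v.startswith("MD5-PW ") for k, v in pairs)


def enable_step(pairs, requester):
    """Which proof of control the plan demands before the checkbox can be
    enabled: automatic if the requester's SSO account is already on the
    maintainer, a password prompt if any MD5-PW line exists, otherwise the
    user must add a credential to the maintainer first."""
    if requester in sso_accounts(pairs):
        return "automatic"
    if has_password(pairs):
        return "password"
    return "add-credentials-first"


def synchronise(pairs, non_billing_users):
    """auth: lines after synchronisation: every existing SSO line is dropped,
    one SSO line per non-billing user is added, MD5-PW and PGPKEY lines stay."""
    kept = [(k, v) for k, v in pairs if not (k == "auth" and v.startswith("SSO "))]
    # Put the new SSO lines where the first remaining auth: line is, so the
    # object keeps its attribute order (append at the end if no auth: is left).
    idx = next((i for i, (k, _) in enumerate(kept) if k == "auth"), len(kept))
    new_auth = [("auth", f"SSO {u}") for u in sorted(non_billing_users)]
    return kept[:idx] + new_auth + kept[idx:]


class SyncRegistry:
    """Records which organisation each maintainer is synchronised with and
    enforces the plan's rule that a maintainer syncs with one organisation,
    which is what avoids the add/remove conflict for users in several LIRs.
    (Hypothetical helper for this example, not a LIR Portal component.)"""

    def __init__(self):
        self._org_by_mntner = {}

    def enable(self, mntner, org):
        bound = self._org_by_mntner.get(mntner)
        if bound is not None and bound != org:
            raise ValueError(f"{mntner} is already synchronised with {bound}")
        self._org_by_mntner[mntner] = org

    def disable(self, mntner):
        # Disabling stops future updates; the auth: lines already on the
        # maintainer are left as they are (no synchronise() call happens).
        self._org_by_mntner.pop(mntner, None)

    def organisation(self, mntner):
        return self._org_by_mntner.get(mntner)


if __name__ == "__main__":
    obj = parse_rpsl(SAMPLE_MNTNER)
    print(enable_step(obj, "carol@example.net"))  # -> password (carol is not on the mntner yet)
    print(to_rpsl(synchronise(obj, {"bob@example.net", "carol@example.net"})))
```

Running it shows the point a practitioner should check before ticking the box: synchronisation replaces the whole set of SSO auth: lines, so an SSO account that was added to the maintainer by hand (alice in the sample) disappears unless that person is a non-billing user of the organisation, while the MD5-PW and PGPKEY lines survive untouched and keep granting access independently of the LIR Portal.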
I think this is a good idea as it accomplishes the original goal and does not make the DB depend on the LIR portal.

- Cynthia

On Fri, May 17, 2019, 10:33 Edward Shryane via db-wg <db-wg@ripe.net> wrote:
* Edward Shryane via db-wg
here is the RIPE NCC's proposed implementation plan for NWI-8: LIR's SSO Authentication Groups.
Hi Ed.

I was unfortunately unable to make it to Reykjavik, but I just watched the recording of your presentation and saw that you are awaiting feedback on this plan before proceeding. I didn't realise from the e-mail alone that you were soliciting feedback, so I didn't reply to it. I thought it was more a «JFYI, this is what we are going to do».

In any case, your plan looks very reasonable and will solve my use case of having a database maintainer kept automatically in sync with the LIR Portal users.

I am completely fine with punting the groups concept for later - this feature was not part of my original «magic mntner» proposal anyway. I am unlikely to make use of this feature when it does get implemented. It would seem that my concerns about the groups concept amounting to «feature creep» that would complicate the implementation of the core of the proposal were not entirely unfounded.

Thumbs up from me.

Tore
Hi Tore, Cynthia,
On 24 May 2019, at 09:20, Tore Anderson <tore@fud.no> wrote:
Thanks for your feedback, we'll wait for the co-chairs to declare a consensus before proceeding (in case there are other comments).

Regards
Ed