Dear working group,

Here is the RIPE NCC's proposed implementation plan for NWI-8: LIR's SSO
Authentication Groups.

Scope

- To simplify the implementation, synchronisation will be done using the
  existing SSO authentication method.
- Authentication groups (and any new authentication method) will be deferred
  until later.

Introduction

- The synchronisation of non-billing users with the RIPE Database will be done
  with a default maintainer.
- Setting a default maintainer for the organisation is a prerequisite for
  synchronisation.
- A default maintainer is already able to maintain the organisation object and
  top-level resources.
- Extending this existing mechanism simplifies the synchronisation of users.

Implementation

- A new checkbox will be added to the Account Details page in the LIR Portal,
  in the Maintainer section:
  - "Synchronise non-billing users with the default maintainer".
  - If no default maintainer is set, the checkbox is disabled.
  - The synchronise checkbox is not checked by default (the user must confirm
    this action first).
- When the user enables the synchronise checkbox, they must first authenticate
  with the default maintainer.
  - The user must prove they control the maintainer before user accounts
    are added to it.
  - If the user's account is already present on the maintainer, this
    authentication is automatic.
  - Otherwise, if the maintainer contains any password credentials, the
    user will be asked for a password.
  - Otherwise, the user is asked to first add their credentials to the
    maintainer separately.
- Once the checkbox is enabled, synchronisation is performed.
  - Any existing user accounts are removed from the maintainer.
  - Any non-billing user accounts are added to the maintainer.
  - Any other credentials (passwords or PGP keys) are not affected.
- After synchronisation is enabled:
  - Whenever a non-billing user is added to or removed from the
    organisation, the default maintainer is updated accordingly.
  - A default maintainer can only be synchronised with a single organisation.
    - If a user is removed from one organisation but remains in a
      different organisation, this would create a conflict when synchronising.
- If synchronisation is disabled:
  - Users are no longer synchronised with the default maintainer, but
    existing user accounts are not removed.
- Notifications
  - To receive email notifications when the default maintainer is
    updated, use the notify: and/or mnt-nfy: attribute(s) on the maintainer itself.

Regards,
Ed Shryane
RIPE NCC
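The rules in the Implementation section above (proving control of the default maintainer, replacing SSO accounts while leaving password and PGP credentials alone, and the one-organisation-per-maintainer constraint) are modelled below as an added example. This is illustrative code written for this page, not RIPE NCC's LIR Portal or RIPE Database implementation. The maintainer is represented as a list of RPSL "attribute: value" pairs; the auth: scheme prefixes SSO, MD5-PW and PGPKEY- are the RIPE Database ones, while the sample maintainer, user names, organisation ids and all function names are constructed for illustration.

```python
"""Added model of the NWI-8 synchronisation rules (not RIPE NCC code)."""
from typing import Dict, List, Set, Tuple

Attr = Tuple[str, str]  # one RPSL "attribute: value" line, e.g. ("auth", "SSO a@b")


class SyncConflict(Exception):
    """A default maintainer may be synchronised with one organisation only."""


def sso_users(mntner: List[Attr]) -> Set[str]:
    """SSO accounts currently present on the maintainer's auth: attributes."""
    return {v.split(None, 1)[1] for a, v in mntner
            if a == "auth" and v.startswith("SSO ")}


def auth_requirement(mntner: List[Attr], acting_user: str) -> str:
    """How the user must prove control of the maintainer before enabling sync.

    Mirrors the plan: automatic if their SSO account is already on the
    maintainer, a password prompt if any MD5-PW credential exists, otherwise
    they must add their own credentials to the maintainer first.
    """
    if acting_user in sso_users(mntner):
        return "automatic"
    if any(a == "auth" and v.startswith("MD5-PW ") for a, v in mntner):
        return "password"
    return "add-credentials-first"


def synchronise(mntner: List[Attr], non_billing_users: List[str]) -> List[Attr]:
    """Replace every SSO auth: line with the organisation's non-billing users.

    Password (MD5-PW) and PGP (PGPKEY-) credentials are kept untouched. The new
    SSO lines are placed after the last remaining auth: line, or before
    source: when no other credential exists, to keep the usual RPSL layout.
    """
    kept = [(a, v) for a, v in mntner
            if not (a == "auth" and v.startswith("SSO "))]
    new_sso = [("auth", f"SSO {u}") for u in non_billing_users]
    auth_idx = [i for i, (a, _) in enumerate(kept) if a == "auth"]
    if auth_idx:
        pos = auth_idx[-1] + 1
    else:
        pos = next((i for i, (a, _) in enumerate(kept) if a == "source"),
                   len(kept))
    return kept[:pos] + new_sso + kept[pos:]


class SyncRegistry:
    """Tracks which default maintainer is synchronised with which organisation."""

    def __init__(self) -> None:
        self.mntner_to_org: Dict[str, str] = {}

    def enable(self, mntner_name: str, org_id: str) -> None:
        owner = self.mntner_to_org.get(mntner_name)
        if owner is not None and owner != org_id:
            raise SyncConflict(
                f"{mntner_name} is already synchronised with {owner}")
        self.mntner_to_org[mntner_name] = org_id

    def disable(self, mntner_name: str) -> None:
        # Disabling stops further updates; existing accounts stay on the object.
        self.mntner_to_org.pop(mntner_name, None)

    def is_synced(self, mntner_name: str, org_id: str) -> bool:
        return self.mntner_to_org.get(mntner_name) == org_id


# Constructed sample maintainer; the MD5-PW hash and PGP key id are placeholders.
SAMPLE_MNTNER: List[Attr] = [
    ("mntner", "EXAMPLE-MNT"),
    ("descr", "constructed sample maintainer"),
    ("auth", "SSO old-admin@example.net"),
    ("auth", "MD5-PW $1$placeholder$placeholderhash"),
    ("auth", "PGPKEY-0123ABCD"),
    ("mnt-by", "EXAMPLE-MNT"),
    ("source", "RIPE"),
]


def demo() -> List[Attr]:
    """Enable sync for ORG-A, then apply a membership change to the maintainer."""
    registry = SyncRegistry()
    registry.enable("EXAMPLE-MNT", "ORG-A")
    synced = synchronise(SAMPLE_MNTNER, ["alice@example.net", "bob@example.net"])
    # Later, bob is removed from ORG-A: the maintainer is updated accordingly.
    if registry.is_synced("EXAMPLE-MNT", "ORG-A"):
        synced = synchronise(synced, ["alice@example.net"])
    return synced


if __name__ == "__main__":
    for attr, value in demo():
        print(f"{attr}: {value}")
```

The authorisation check runs before any account is written, so a user who is not on the maintainer and cannot supply a password for it gets no way to attach accounts to it; the registry check is what prevents one maintainer from being pulled in two directions by two organisations' membership changes.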