You are here: Home > Publications > RIPE Labs > Denis Walker > RIPE Database Joins Single Sign-On Club

RIPE Database Joins Single Sign-On Club

Denis Walker — Mar 06, 2014 04:30 AM
With RIPE NCC Access, our single sign-on service - you log in once and can access many RIPE NCC services. Now, with the new RIPE Database release, you can update your data in the RIPE Database using this single sign-on service. This is part of the RIPE NCC's work to make the RIPE Database easier to use.


The RIPE Database has always been a stand-alone service provided by the RIPE NCC. This means that no matter what other service you are using, when it comes to updating database objects you have to provide another authorisation. Not any more. The RIPE Database has been integrated into RIPE NCC Access - the Single Sign-On (SSO) service. Once you configure your mntner objects for SSO, most of your data can be updated with SSO. There are some exceptions where multiple authorisations are required. But we can address these either with the use of the right maintainer attributes or by adding more functionality, such as the Simple Route Creation (but with some improvements to the way that works as well).

Configuring your MNTNER objects

We have introduced a new authorisation credential type - SSO. It looks like this:

auth:   SSO user _at_ here _dot_ com

where the email address is the username for your RIPE NCC Access account. SSO can be used in a mntner object with any mix of other credentials, passwords and PGP. It can also be used as the only credential. Multiple SSO credentials can be added to a mntner so a group of people can still use their own SSO login to update any object with that mntner.

Simply follow these steps:

  • Create a RIPE NCC Access account if you do not already have one
  • Add "auth: SSO email@address" to your mntner object(s)
    • use any standard update method
    • provide existing authorisation
    • add to as many mntner objects as you like

Congratulations. You are now configured to use SSO to update the RIPE Database.

How to update the RIPE Database using SSO

After you have configured your mntner object(s), log in to RIPE NCC Access. Currently, only Webupdates and Syncupdates are set up for use with SSO. Your RIPE NCC Access login details are now shown on these pages. So you can easily see when you are logged in and with what account, and you can also log in from here.

Enter your (updated) object(s) and submit. You do not need to enter any passwords - you are already authenticated to make these updates, assuming the object(s) are maintained by one of your SSO mntner objects.

Multiple Authorisation

Where multiple authorisations are required, the data can be set up to use the same mntner. This can be achieved by use of various maintainer attributes, mnt-lower, mnt-routes, mnt-domains, mnt-ref. If that is not an option, for route object creation the Simple Route Creation can be used. Your part of the authorisation can be provided with your SSO. When the other party needs to provide their authorisation, they can also use SSO. This process can be extended to cover other object creations.

Other RIPE Database uses of SSO

Part of the requirements for the certification of PI resources will be to add SSO authorisation to the mntner of the resource object.

1 Comment

User Image
Nick Hilliard says:
Apr 14, 2014 06:30 PM
This is good news. Anyone considering using this feature should also make sure that their MTA supports STARTTLS so that there is end-to-end encryption.
Add comment

You can add a comment by filling out the form below. Only plain text is possible. Web and email addresses will be transformed into clickable links. Comments are moderated so they won't appear immediately.