A new feature that makes credentials in the RIPE Database consistent with the LIR Portal. This removes the need for manually updating the same information in two places. It also reduces the risk of having unathorised access to the wrong parties.
When the object editors in the LIR Portal were phased out three years ago, they were replaced with a default maintainer, so that users could make updates to their organisation and resources directly in the RIPE Database.
However, using the default maintainer has some drawbacks. There is no way to keep users in the LIR Portal synchronised with the RIPE Database, so users must be manually updated in two places. This leads to duplication of effort, and can increase the risk of unauthorised access, if users are not always updated in both places.
Following discussion in the Database Working group earlier this year (refer to NWI-8: "LIR´s SSO Authentication Groups"), we will shortly introduce a new feature in the LIR Portal, to automatically synchronise regular and admin users to the default maintainer. Once added to the default maintainer, LIR Portal users will be able to make changes to the organisation object and IP resource allocations in the RIPE database directly.
The new feature will appear as a checkbox on the "Account Overview" page on the LIR Portal
How Synchronisation Works
Currently, any MNTNER in the RIPE Database can be chosen as the default maintainer for the organisation (a warning appears if your SSO account is not associated with that MNTNER). Synchronisation will require that you authenticate with the MNTNER first (i.e. your SSO account must be listed in the MNTNER auth attribute(s)).
When synchronisation is turned on (it’s off by default), all SSO "auth:" attributes in the default maintainer are replaced with the SSO accounts of all regular and admin users in the organisation’s LIR Portal account. Other "auth:" attribute types (MD5-PW, PGPKEY, X509) in the MNTNER are not affected.
Once synchronisation is turned on, any changes to the User Details in the LIR Portal are automatically updated in the Default Maintainer.
While synchronisation is turned on, the SSO "auth:" attributes in the MNTNER cannot be updated manually in the RIPE Database, but only though the LIR Portal. Other "auth:" attribute types can still be added or removed. Also, a maintainer can only be synchronised with a single organisation’s users at a time.
If you wish to be notified by email whenever user accounts are synchronised to the default maintainer, you can add a “notify:” attribute to the MNTNER object.
If synchronisation is turned off, any existing SSO "auth:" attributes are not removed, but the default maintainer is no longer updated with the equivalent users in the LIR Portal account.
This new feature is the minimum viable implementation to allow synchronising LIR Portal users to the RIPE Database. The Database Working Group have also requested SSO authentication groups, which would allow separating SSO credentials from the LIR Portal in the MNTNER. We plan to work on this in the next implementation phase. We hope that once synchronisation is deployed, users may suggest further improvements.
Please leave a comment with any feedback, or suggestions for improvement, below. You can also participate in the discussion on the Database Working Group mailing list.