Virtual Home Organization (VHO)
The Virtual Home Organization allows SWITCHaai resource administrators to create AAI accounts for users who need to access an AAI-protected resource but do not belong to a Home Organization in SWITCHaai.
Purpose
In some cases, users who do not have an AAI account nevertheless need to access an AAI-protected resource. Some real-world examples of this scenario are:
- attendees of a further education course or other training
- a collaboration project with members from private companies or foreign universities, which are not in the federation
Because these users are not members of any Home Organization in the federation, the resource owner would have to manage these accounts locally. The drawbacks of creating local accounts are:
- inefficient creation of accounts, possibly for more than one resource
- additional complexity due to an additional authentication mechanism
From a resource administrator's point of view, it would be preferable to handle all users the same way, which implies that all users have an AAI account.
Two simple solutions for this issue are provided by the Virtual Home Organization (VHO) and the Guest Login. The VHO is a special Identity Provider operated by SWITCH within the SWITCHaai federation.
The VHO allows operators of an AAI service to create and manage AAI accounts which can be used to access AAI services. Whereas Guest Login accounts are not by default part of the SWITCHaai federation and are managed by users themselves via self-registration, VHO accounts are like normal AAI accounts and they can only be managed by VHO administrators.
VHO user accounts are structured into groups and, optionally, subgroups.
Subgroups are like normal groups, but the administrators of the parent group can also administer its subgroups.
More information on how to use the VHO service
Test the VHO Service
Prospective VHO administrators can test the VHO administration tool and its features. Go to https://tools.test.vho-switchaai.ch/ and log in as the demo administrator with the following credentials:
- username: switch-demoadmin
- password: demoadmin
You will be VHO administrator of three different VHO groups with 99 VHO end users each.
Create Your Own VHO Group
To create your own VHO group, or a subgroup below an existing group, please contact us to receive the service subscription form and further details.
VHO Policy
The VHO policy defines the rules for resource owners and SWITCH.
AAI VHO Policy
[PDF, 11 pages, 141 kByte]
VHO specific Attributes
VHO users can be clearly distinguished from regular AAI users by their attributes. VHO users have the following attributes set:
- swissEduPersonHomeOrganization = vho-switchaai.ch
- swissEduPersonHomeOrganizationType = vho
- eduPersonAffiliation = affiliate
Restricted Access for VHO Users
To prevent all VHO end users from accessing certain content, use the above attributes to create access control rules which limit access for VHO users. Please consult the Shibboleth Access Control rule information for examples.
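The same exclusion can be enforced inside the application as a second check. This is an added example, not code from SWITCH or Shibboleth. It assumes the Service Provider hands the attributes to the application under the hypothetical names `homeOrganization` and `homeOrganizationType`, with multiple values joined by `;`.

```python
import re

# Values the page lists for VHO users.
VHO_HOME_ORG = "vho-switchaai.ch"
VHO_HOME_ORG_TYPE = "vho"

# Assumed names under which the SP exports the attributes (deployment-specific).
ATTR_HOME_ORG = "homeOrganization"
ATTR_HOME_ORG_TYPE = "homeOrganizationType"
# eduPersonAffiliation is not checked here: "affiliate" is a standard eduPerson
# value that other Home Organizations may assert too.


def split_values(raw):
    """Split a multi-valued attribute string on unescaped ';' and normalise case."""
    if not raw:
        return []
    parts = re.split(r"(?<!\\);", raw)
    return [p.replace("\\;", ";").strip().lower() for p in parts if p.strip()]


def is_vho_user(attrs):
    """True if either home-organization attribute carries the VHO value."""
    return (VHO_HOME_ORG in split_values(attrs.get(ATTR_HOME_ORG))
            or VHO_HOME_ORG_TYPE in split_values(attrs.get(ATTR_HOME_ORG_TYPE)))


def allow_restricted(attrs):
    """Deny VHO users. Also deny when no home organization was released,
    so that a missing attribute cannot bypass the exclusion."""
    if not split_values(attrs.get(ATTR_HOME_ORG)):
        return False
    return not is_vho_user(attrs)


# Constructed sample sessions (not real users).
SAMPLES = {
    "regular": {"homeOrganization": "example.ch",
                "homeOrganizationType": "university",
                "affiliation": "staff;member"},
    "vho": {"homeOrganization": "vho-switchaai.ch",
            "homeOrganizationType": "vho",
            "affiliation": "affiliate"},
    "no_attributes": {},
}

if __name__ == "__main__":
    for name, attrs in SAMPLES.items():
        print(name, "allowed" if allow_restricted(attrs) else "denied")
```
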
Maintenance
Unannounced VHO maintenance work may be performed on Wednesdays between 7:00 and 8:00. During that time, short service interruptions of at most 1-2 minutes may occur. In case of security emergencies or other serious problems, restarts may occur at other times as well. Planned service disruptions which take more than 10 minutes will be announced to all VHO group helpdesk email addresses beforehand.
