| Topic | Guest Login | Virtual Home Organization (VHO) |
|---|---|---|
| Policy and regulations for managing accounts | No | Yes |
| Papers to sign | No | Yes |
| Accounts can be used for more than one service | Yes | Generally no |
| Responsibility of account management | User himself | VHO Group administrator(s) |
| In SWITCHaai and AAI Test federation | No | Yes |
| Data quality of user information | Poor, user can modify his own data | Controllable by VHO administrator(s) |
Guest Login for AAI Services
This page explains the purpose and use of the Guest Login feature for AAI service operators.
Background
Some AAI services need to grant access to users who don't have an AAI account. For that, service operators could use the Virtual Home Organization (VHO) to create AAI accounts for these users. However, creating and managing a VHO group requires time and know-how. Therefore, it may not always be the best option. The Guest Login service is an alternative for services that do not require verified user data but only need a login service.
The Guest Login Identity Provider is a dedicated Identity Provider that is not part of the SWITCHaai Federation nor the AAI Test Federation. If a service operator wants to make use of the Guest Login, it has to be manually configured. It will allow arbitrary users to create and use their Guest Login account in order to access that service.
Audience
The Guest Login service can only be used by Service Providers registered in the SWITCHaai Federation or the AAI Test Federation. In addition, the Service Provider has to specifically enable Guest Login by following the instructions below.
How it works
The Guest Login allows users without an AAI account to create a Guest Login account via self-registration. The user provides name, email address and optional data like postal address and phone numbers. The email address is then verified by sending an email to that address with a confirmation link. Once confirmed, the user can use the Guest Login account to access the services mentioned above in the audience section.
Technically, the account can be used like a regular AAI account. However, it is formally not an AAI account since the Guest Login Identity Provider is neither part of the SWITCHaai federation nor the AAI Test federation. The same Guest Login account can be used to access multiple services that accept Guest Login users. Therefore, there is no need to create individual Guest Login accounts per service. On the other hand, the same user may decide to create multiple Guest Login accounts, provided he has more than one valid email address.
Comparing Guest Login with the Virtual Home Organization (VHO)
The Virtual Home Organization (VHO) operated by SWITCH for the SWITCHaai federation has a similar purpose to the Guest Login. However, there are some differences that are outlined below.
VHO vs Guest Login
Account Creation
Every Internet user with a valid email address can create a Guest Login account. Only one account per email address can be created. Only the email address of a user is verified during account creation.
User Terms of Use
Before creating a Guest Login account, and again before using it for the first time to access a service, Guest Login users have to agree to the Guest Login Terms of Use.
Quality of Identity Data
Since Guest Login accounts can be created via self-registration with self-provided information, nobody should rely on the quality of the Guest Login user data. Only the email address of a user is verified during account creation. The email address is confirmed with a challenge-response procedure. All further personal attributes can be set and changed by the Guest Login user himself according to the Guest Login Attribute Profile specified below.
Therefore, it is recommended to ensure that access for Guest Login users to certain content or functions in an application is limited. Please consult the Guest Login Configuration guide (bottom of the page) or have a look at the Shibboleth access control features for further information and hints on this topic.
Attributes Always Available
Every Guest Login account has at minimum the following attributes (aligned to the AAI Attribute Specification):
- Unique ID / Principal Name
- Persistent and unique identifier that is always the same for a given user. Has the form #random number > 1000000#@guest-login.ch, e.g. 8713748166@guest-login.ch
- Targeted ID / Persistent ID
- Persistent and unique identifier that is targeted, which means it is different when the same user accesses service A or service B. Has the form https://aai.guest-login.ch/idp/shibboleth!#entityID of Service Provider#!#random 28 character base64 string#, e.g. https://aai.guest-login.ch/idp/shibboleth!https://aai-viewer.switch.ch/shibboleth!8Et2abSeJykRdR+PLukclHx5BcY=
- Home organization / SCHAC home organization
- This attribute always has the value guest-login.ch
- Home organization Type
- This attribute always has the value others
- SCHAC home organization type
- This attribute always has the values urn:mace:terena.org:schac:homeOrganizationType:int:other and urn:mace:terena.org:schac:homeOrganizationType:ch:others
- E-mail address
- Self-supplied by the user. Before account creation, it gets verified once by a challenge-response email. It shouldn't be used for identification purposes because the user may change it later on! Any changed email address requires another one-time challenge-response verification.
- Given name
- Self-supplied by the user.
- Surname
- Self-supplied by the user.
- Display name / Common name
- This value is set to given name + " " + surname. Self-supplied by the user.
- Affiliation / Primary Affiliation
- The value is always affiliate
- Scoped Affiliation
- The value is always affiliate@guest-login.ch
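The "Quality of Identity Data" section above says a service should recognise Guest Login users and limit what they can reach, and the attribute list says the email address must not be used for identification. The following Python is an added example (not SWITCH's code and not part of any SP software) of how an application behind a Shibboleth SP could apply those rules to the released attributes. The attribute key names, the sample values, the SP entityID and the guest-visible path prefixes are assumptions; only the identifier formats come from the page.

```python
"""Classify and authorize Guest Login users from released attributes.

Added example, not SWITCH's code. Assumes the application receives the
released attributes as a dict keyed by the (assumed) names used below.
"""
import base64
import binascii
import re

GUEST_SCOPE = "guest-login.ch"
GUEST_IDP_ENTITY_ID = "https://aai.guest-login.ch/idp/shibboleth"

# Unique ID / principal name: "<random number > 1000000>@guest-login.ch"
PRINCIPAL_RE = re.compile(r"^(\d+)@guest-login\.ch$")
# Targeted ID: "<IdP entityID>!<SP entityID>!<28-character base64 string>"
TARGETED_RE = re.compile(r"^([^!]+)!([^!]+)!([A-Za-z0-9+/=]{28})$")

# Path prefixes this hypothetical application exposes to guests (assumption);
# everything else requires an account from a real home organization.
GUEST_ALLOWED_PREFIXES = ("/public/", "/survey/")

# Constructed samples shaped like the formats documented above (values invented).
SAMPLE_GUEST = {
    "principalName": "8713748166@guest-login.ch",
    "persistentId": "https://aai.guest-login.ch/idp/shibboleth!"
                    "https://sp.example.org/shibboleth!8Et2abSeJykRdR+PLukclHx5BcY=",
    "homeOrganization": "guest-login.ch",
    "homeOrganizationType": "others",
    "mail": "someone@example.org",
    "givenName": "Some",
    "surname": "One",
    "affiliation": "affiliate",
    "scopedAffiliation": "affiliate@guest-login.ch",
}
SAMPLE_MEMBER = {
    "principalName": "123456@example.edu",
    "persistentId": "https://idp.example.edu/idp/shibboleth!"
                    "https://sp.example.org/shibboleth!Q9sZ2m5Q8dYQ1YkL0xEw8n3Vq7M=",
    "homeOrganization": "example.edu",
    "homeOrganizationType": "university",
    "mail": "someone@example.org",  # same mailbox as the guest: mail is not an identity
    "affiliation": "staff",
    "scopedAffiliation": "staff@example.edu",
}


def parse_principal(principal: str) -> int:
    """Return the numeric part of a Guest Login principal name, or raise."""
    m = PRINCIPAL_RE.match(principal)
    if not m or int(m.group(1)) <= 1000000:
        raise ValueError(f"not a Guest Login principal name: {principal!r}")
    return int(m.group(1))


def parse_targeted_id(targeted: str) -> tuple:
    """Split a targeted ID into (IdP entityID, SP entityID, raw decoded bytes)."""
    m = TARGETED_RE.match(targeted)
    if not m:
        raise ValueError(f"malformed targeted ID: {targeted!r}")
    idp, sp, b64 = m.groups()
    try:
        raw = base64.b64decode(b64, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"targeted ID is not base64: {targeted!r}") from exc
    return idp, sp, raw


def is_guest_user(attrs: dict) -> bool:
    """Recognise guests by home organization and scopes, never by name or mail.

    Raises if the three signals disagree, which points at a misconfigured SP.
    """
    principal_scope = attrs.get("principalName", "").rpartition("@")[2]
    affiliation_scope = attrs.get("scopedAffiliation", "").rpartition("@")[2]
    signals = {
        attrs.get("homeOrganization") == GUEST_SCOPE,
        principal_scope == GUEST_SCOPE,
        affiliation_scope == GUEST_SCOPE,
    }
    if len(signals) != 1:
        raise ValueError("inconsistent scope information in released attributes")
    return signals.pop()


def account_key(attrs: dict) -> str:
    """Key for the local user record: the targeted ID, never the mail address.

    For guests, also check that the identifiers have the documented shape and
    that the targeted ID really was issued by the Guest Login IdP.
    """
    if is_guest_user(attrs):
        idp, _sp, _raw = parse_targeted_id(attrs["persistentId"])
        if idp != GUEST_IDP_ENTITY_ID:
            raise ValueError("guest attributes but targeted ID from another IdP")
        parse_principal(attrs["principalName"])
    return attrs["persistentId"]


def authorize(attrs: dict, path: str) -> bool:
    """Guests may only reach the public prefixes; other accounts keep full access."""
    if not is_guest_user(attrs):
        return True
    return path.startswith(GUEST_ALLOWED_PREFIXES)


if __name__ == "__main__":
    for attrs in (SAMPLE_GUEST, SAMPLE_MEMBER):
        print(is_guest_user(attrs), account_key(attrs), authorize(attrs, "/admin/"))
```

The two sample users share a mailbox on purpose: keyed on the targeted ID they are distinct accounts, keyed on `mail` they would collide, and a guest could later change that address anyway.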
Optional Attributes
The following attributes can be optionally supplied by the user. Therefore, they are not available for every Guest Login account:
- Business address
- Self-supplied by the user. Address of the format Examplestreet 123$56789 Some place$Exampleland. Lines are separated by the $ sign.
- Business phone number
- Self-supplied by the user. Uses the international format (starting with a + followed by a number). E.g. +41 44 268 15 05
- Home address
- Self-supplied by the user. Address of the format Examplestreet 123$56789 Some place$Exampleland.
- Home phone number
- Self-supplied by the user. Uses the international format (starting with a + followed by a number). E.g. +41 44 268 15 05
- Mobile phone number
- Self-supplied by the user. Uses the international format (starting with a + followed by a number). E.g. +41 44 268 15 05
- Preferred language
- Self-supplied by the user. Currently only English, German, French and Italian can be selected.
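Because the optional attributes are self-supplied and may be absent, an application should parse them defensively rather than trust their shape. The following Python is an added example (not SWITCH's code) of a parser for the two formats described above: addresses with `$`-separated lines and phone numbers in international format. The attribute key names and sample values are assumptions; the formats themselves are from the page.

```python
"""Defensive parsing of the optional Guest Login attributes.

Added example, not SWITCH's code. Attribute key names are assumptions.
"""
import re

# International format as described above: "+" followed by digits,
# with optional grouping spaces (e.g. "+41 44 268 15 05").
PHONE_RE = re.compile(r"^\+\d(?:[ ]?\d)*$")

ADDRESS_KEYS = ("postalAddress", "homePostalAddress")       # assumed names
PHONE_KEYS = ("telephoneNumber", "homePhone", "mobile")      # assumed names


def parse_address(value: str) -> list:
    """Split 'Examplestreet 123$56789 Some place$Exampleland' into its lines."""
    lines = [part.strip() for part in value.split("$")]
    if not lines or any(not line for line in lines):
        raise ValueError(f"empty address line in {value!r}")
    return lines


def normalize_phone(value: str) -> str:
    """Validate the '+<digits>' format and drop grouping spaces."""
    value = value.strip()
    if not PHONE_RE.match(value):
        raise ValueError(f"not an international phone number: {value!r}")
    return value.replace(" ", "")


def parse_optional(attrs: dict) -> dict:
    """Return only the optional attributes that are present and well-formed.

    Malformed values are reported under 'errors' instead of aborting the
    login, since none of these fields is required for access.
    """
    out, errors = {}, {}
    for key in ADDRESS_KEYS:
        if key in attrs:
            try:
                out[key] = parse_address(attrs[key])
            except ValueError as exc:
                errors[key] = str(exc)
    for key in PHONE_KEYS:
        if key in attrs:
            try:
                out[key] = normalize_phone(attrs[key])
            except ValueError as exc:
                errors[key] = str(exc)
    out["errors"] = errors
    return out


# Constructed sample: one address, one valid phone, one malformed phone.
SAMPLE_OPTIONAL = {
    "postalAddress": "Examplestreet 123$56789 Some place$Exampleland",
    "telephoneNumber": "+41 44 268 15 05",
    "mobile": "079 123 45 67",  # missing leading '+', will be rejected
}

if __name__ == "__main__":
    print(parse_optional(SAMPLE_OPTIONAL))
```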
Attribute Release
The Guest Login Identity Provider releases user attributes only to Service Providers registered in the SWITCHaai federation or the AAI Test federation, provided its administrator previously enabled Guest Login. All user attributes are released on every login, even if the service declared only a subset of the above attributes as required or desired attributes. Guest Login users have to consent to the attribute release before they access a service the first time and every time one of the attribute values changes.
How to Enable a Service Provider for Guest Login
Once the risks and implications described above are understood, Guest Login can be enabled by following the instructions in the Guest Login Configuration guide.
Account Management and Deletion
Accounts are managed by the user himself. SWITCH will only manage accounts if there is a suspected breach of the terms of use. Accounts that are inactive (no logins with this account) for 380 days are deleted automatically after two warning emails that are sent after 360 days and 370 days of inactivity.
Abuse of Guest Login Accounts
SWITCH can deactivate or delete accounts at any time if an account is involved in a suspected breach of the Guest Login Terms of Use. In case you suspect the abuse of Guest Login accounts, please inform aai@switch.ch.
Monitoring and Logging
Login and audit data (which user accessed which service) is stored for 365 days.
Availability
The Guest Login service is provided as a "best-effort" service. There are no guarantees regarding availability. Maintenance work will take place outside office hours (18.00 to 8.00 and 12.00 to 14.00 CET). Maintenance work that is likely to cause service disruptions of more than one hour will be announced on the login page of the Guest Login service at least one week in advance.
Costs of the Service
Presently, the Guest Login service is free of charge. Should SWITCH decide in the future to introduce charges for the use of the Guest Login service, this will be announced to the concerned parties at least 6 months in advance.
Liability
By enabling Guest Login support a service operator agrees that SWITCH cannot be held responsible or liable for any actions of Guest Login users.
Cessation of Operation
Should SWITCH decide to terminate the Guest Login, this will be announced to all active Guest Login users at least 6 months in advance. Also, all technical contacts of services that were accessed by at least one Guest Login user within a year will be informed. In addition there will be announcements on relevant mailing lists like the AAI Operations mailing list.
