Guest Login for AAI Services

This page explains the purpose and use of the Guest Login feature for AAI service operators.

Background

Some AAI services need to grant access to users who don't have an AAI account. For that, service operators could use the Virtual Home Organization (VHO) to create AAI accounts for these users. However, creating and managing a VHO group requires time and know-how. Therefore, it may not always be the best option. The Guest Login service is an alternative for services that do not require verified user data but only need a login service.

The Guest Login Identity Provider is a dedicated Identity Provider that is not part of the SWITCHaai Federation nor the AAI Test Federation. If a service operator wants to make use of the Guest Login, it has to be manually configured. It will allow arbitrary users to create and use their Guest Login account in order to access that service.

Audience

The Guest Login service can only be used by Service Providers registered in the SWITCHaai Federation or the AAI Test Federation. In addition, the Service Provider has to specifically enable Guest Login by following the instructions below.

How it works

The Guest Login allows users without an AAI account to create a Guest Login account via self-registration. The user provides name, email address and optional data like postal address and phone numbers. The email address is then verified by sending an email to that address with a confirmation link. Once confirmed, the user can use the Guest Login account to access the services mentioned above in the audience section.

Technically, the account can be used like a regular AAI account. However, it is formally not an AAI account since the Guest Login Identity Provider is neither part of the SWITCHaai federation nor the AAI Test federation. The same Guest Login account can be used to access multiple services that accept Guest Login users. Therefore, there is no need to create individual Guest Login accounts per service. On the other hand, the same user may decide to create multiple Guest Login accounts, provided he has more than one valid email address.

Comparing Guest Login with the Virtual Home Organization (VHO)

The Virtual Home Organization (VHO) operated by SWITCH for the SWITCHaai federation has a similar purpose to the Guest Login. However, there are some differences that are outlined below.

VHO vs Guest Login

Topic | Guest Login | Virtual Home Organization (VHO)
Policy and regulations for managing accounts | No | Yes
Papers to sign | No | Yes
Accounts can be used for more than one service | Yes | Generally no
Responsibility of account management | User himself | VHO Group administrator(s)
In SWITCHaai and AAI Test federation | No | Yes
Data quality of user information | Poor, user can modify his own data | Controllable by VHO administrator(s)

Account Creation

Every Internet user with a valid email address can create a Guest Login account. Only one account per email address can be created. Only the email address of a user is verified during account creation.

User Terms of Use

Before creating a Guest Login account and before using it the first time to access a service, Guest Login users first have to agree to the Guest Login Terms of Use.

Quality of Identity Data

Since Guest Login accounts can be created via self-registration with self-provided information, nobody should rely on the quality of the Guest Login user data. Only the email address of a user is verified during account creation. The email address is confirmed with a challenge-response procedure. All further personal attributes can be set and changed by the Guest Login user himself according to the Guest Login Attribute Profile specified below.

Therefore, it is recommended to ensure that access for Guest Login users to certain content or functions in an application is limited. Please consult the Guest Login Configuration guide (bottom of the page) or have a look at the Shibboleth access control features for further information and hints on this topic.

Attributes Always Available

Every Guest Login account has at minimum the following attributes (aligned to the AAI Attribute Specification):

Unique ID / Principal Name
Persistent and unique identifier that is always the same for a given user.
Has the form of #random number > 1000000#@guest-login.ch, e.g. 8713748166@guest-login.ch
Targeted ID/Persistent ID
Persistent and unique identifier that is targeted, which means it is different when the same user accesses service A or service B. Has the form:
https://aai.guest-login.ch/idp/shibboleth!#entityID of Service Provider#!#random 28 character base64 string#, e.g.
https://aai.guest-login.ch/idp/shibboleth!https://aai-viewer.switch.ch/shibboleth!8Et2abSeJykRdR+PLukclHx5BcY=
Home organization / SCHAC home organization
This attribute has always the value guest-login.ch
Home organization Type
This attribute has always the value others
SCHAC home organization type
This attribute has always the values urn:mace:terena.org:schac:homeOrganizationType:int:other and urn:mace:terena.org:schac:homeOrganizationType:ch:others
E-mail address
Self-supplied by the user. Before account creation, it gets verified once by a challenge-response email. It shouldn't be used for identification purposes because the user may change it later on! Any changed email address requires another one-time challenge-response verification.
Given name
Self-supplied by the user.
Surname
Self-supplied by the user.
Display name / Common name
This value is set to given name + " " + surname. Self-supplied by the user.
Affiliation / Primary Affiliation
The value is always affiliate
Scoped Affiliation
The value is always affiliate@guest-login.ch
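
The following is an added example, not code from SWITCH or from the Guest Login service, showing how a service can apply the advice above: recognise a Guest Login session from the fixed, IdP-asserted attributes only (never from self-supplied ones), key the user on the persistent identifiers instead of the changeable email address, and reject a Targeted ID that was not issued for this service. The attribute ids (principalName, persistentId, homeOrganization, homeOrganizationType, affiliation, scopedAffiliation, mail) are assumed names chosen to resemble common attribute-map ids; OUR_SP_ENTITY_ID and the sample session are constructed placeholders.

```python
"""Classify a login as a Guest Login session and pick a safe user key.

Added example. Attribute ids are assumed names for the attributes described
on the page; adapt them to the ids in your SP's attribute-map.xml.
"""
import base64
import binascii
import re
from typing import Mapping, Optional

GUEST_IDP_ENTITY_ID = "https://aai.guest-login.ch/idp/shibboleth"  # from the page
GUEST_SCOPE = "guest-login.ch"                                      # from the page

# entityID of the service doing the check: constructed placeholder, not a real SP.
OUR_SP_ENTITY_ID = "https://sp.example.org/shibboleth"

_PRINCIPAL_RE = re.compile(r"^(\d+)@guest-login\.ch$")


def is_guest_principal(principal: str) -> bool:
    """Unique ID / Principal Name: <random number > 1000000>@guest-login.ch."""
    m = _PRINCIPAL_RE.match(principal)
    return m is not None and int(m.group(1)) > 1_000_000


def is_valid_targeted_id(targeted_id: str, sp_entity_id: str) -> bool:
    """Targeted ID: <IdP entityID>!<SP entityID>!<28-character base64 string>.

    The middle part must be our own entityID: an identifier targeted at some
    other service is not this user's identifier here and must not be accepted.
    """
    parts = targeted_id.split("!")
    if len(parts) != 3:
        return False
    idp, sp, value = parts
    if idp != GUEST_IDP_ENTITY_ID or sp != sp_entity_id or len(value) != 28:
        return False
    try:
        base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return False
    return True


def guest_user_key(attrs: Mapping[str, str],
                   sp_entity_id: str = OUR_SP_ENTITY_ID) -> Optional[str]:
    """Return the key under which to store a Guest Login user, or None when the
    session is not a Guest Login session at all.

    Raises ValueError when the guest-login.ch scope is claimed but the attributes
    are inconsistent with what the Guest Login IdP always asserts. The key is the
    Targeted ID, never the email address: the email is self-supplied and may be
    changed by the user later on.
    """
    principal = attrs.get("principalName", "")
    home_org = attrs.get("homeOrganization", "")
    if home_org != GUEST_SCOPE and not principal.endswith("@" + GUEST_SCOPE):
        return None  # regular AAI (or VHO) account: not a guest
    fixed_values_ok = (
        is_guest_principal(principal)
        and home_org == GUEST_SCOPE
        and attrs.get("homeOrganizationType") == "others"
        and attrs.get("affiliation") == "affiliate"
        and attrs.get("scopedAffiliation") == "affiliate@" + GUEST_SCOPE
    )
    if not fixed_values_ok:
        raise ValueError("guest-login.ch scope claimed but fixed attributes do not match")
    targeted = attrs.get("persistentId", "")
    if not is_valid_targeted_id(targeted, sp_entity_id):
        raise ValueError("Targeted ID malformed or not issued for this service")
    return targeted


def access_level(attrs: Mapping[str, str],
                 sp_entity_id: str = OUR_SP_ENTITY_ID) -> str:
    """'guest' for a verified Guest Login session, 'member' for any other account.

    Self-supplied attributes (names, address, phone numbers) play no part in
    this decision; only the fixed values asserted by the IdP do.
    """
    return "guest" if guest_user_key(attrs, sp_entity_id) is not None else "member"


# Constructed sample session: values follow the formats given on the page; the
# Targeted ID is assembled from the placeholder SP entityID and the page's example string.
SAMPLE_GUEST = {
    "principalName": "8713748166@guest-login.ch",
    "persistentId": f"{GUEST_IDP_ENTITY_ID}!{OUR_SP_ENTITY_ID}!8Et2abSeJykRdR+PLukclHx5BcY=",
    "homeOrganization": "guest-login.ch",
    "homeOrganizationType": "others",
    "affiliation": "affiliate",
    "scopedAffiliation": "affiliate@guest-login.ch",
    "mail": "guest@example.org",   # informational only, never used as the user key
    "givenName": "Jane",
    "surname": "Doe",
}

if __name__ == "__main__":
    print(access_level(SAMPLE_GUEST), guest_user_key(SAMPLE_GUEST))
```

The consistency check matters because a service that keys on the scope alone would accept any account whose principal merely ends in @guest-login.ch; requiring the fixed values the IdP always asserts, and a Targeted ID bearing the service's own entityID, ties the "guest" decision to what the Guest Login Identity Provider actually releases. The "guest" level is then the hook for limiting which content or functions those users may reach.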

Optional Attributes

The following attributes can be optionally supplied by the user. Therefore, they are not available for every Guest Login account:

Business address
Self-supplied by the user. Address of the format Examplestreet 123$56789 Some place$Exampleland. Lines are separated by the $ sign.
Business phone number
Self-supplied by the user. Uses the international format (starting with a + followed by a number). E.g. +41 44 268 15 05
Home address
Self-supplied by the user. Address of the format Examplestreet 123$56789 Some place$Exampleland. Lines are separated by the $ sign.
Home phone number
Self-supplied by the user. Uses the international format (starting with a + followed by a number). E.g. +41 44 268 15 05
Mobile phone number
Self-supplied by the user. Uses the international format (starting with a + followed by a number). E.g. +41 44 268 15 05
Preferred language
Self-supplied by the user. Currently only English, German, French and Italian can be selected.

Attribute Release

The Guest Login Identity Provider releases user attributes only to Service Providers registered in the SWITCHaai federation or the AAI Test federation, provided its administrator previously enabled Guest Login. All user attributes are released on every login, even if the service declared only a subset of the above attributes as required or desired attributes. Guest Login users have to consent to the attribute release before they access a service the first time and every time one of the attribute values changes.

How to Enable a Service Provider for Guest Login

After having understood the risks and implications described above, Guest Login can be enabled by following the instructions in the Guest Login Configuration guide.

Account Management and Deletion

Accounts are managed by the user himself. SWITCH will only manage accounts if there is a suspected breach of the terms of use. Accounts that are inactive (no logins with this account) for 380 days are deleted automatically after two warning emails that are sent after 360 days and 370 days of inactivity.

Abuse of Guest Login Accounts

SWITCH can deactivate or delete accounts at any time if an account is involved in a suspected breach of the Guest Login Terms of Use. In case you suspect the abuse of Guest Login accounts, please inform aai@switch.ch.

Monitoring and Logging

Login and audit data (which user accessed which service) is stored for 365 days.

Availability

The Guest Login service is provided as a "best-effort" service. There are no guarantees regarding availability. Maintenance work will take place outside office hours (18.00 to 8.00 and 12.00 to 14.00 CET). Maintenance work that is likely to cause service disruptions of more than one hour will be announced on the login page of the Guest Login service at least one week in advance.

Costs of the Service

Presently, the Guest Login service is free of charge. Should SWITCH decide in the future to introduce charges for the use of the Guest Login service, this will be announced to the concerned parties at least 6 months in advance.

Liability

By enabling Guest Login support a service operator agrees that SWITCH cannot be held responsible or liable for any actions of Guest Login users.

Cessation of Operation

Should SWITCH decide to terminate the Guest Login, this will be announced to all active Guest Login users at least 6 months in advance. Also, all technical contacts of services that were accessed by at least one Guest Login user within a year will be informed. In addition, there will be announcements on relevant mailing lists like the AAI Operations mailing list.