Virtual Home Organization (VHO)

The Virtual Home Organization allows SWITCHaai resource administrators to create AAI accounts for users who need to access an AAI-protected resource but do not belong to a Home Organization in SWITCHaai.

About the VHO and its purpose

In some cases there are users who don't have an AAI account but nevertheless need to access an AAI-protected resource. Some real-world examples of this scenario are:

  • attendees of a further-education course or other training
  • a collaboration project with members from private companies or foreign universities that are not in the federation

Because these users are not members of any Home Organization in the federation, the resource owner would have to manage their accounts locally. The drawbacks of creating local accounts are:

  • inefficient creation of accounts, possibly for more than one resource
  • additional complexity due to an additional authentication mechanism

From a resource administrator's point of view, it would be preferable to handle all users the same way, which implies that all users have an AAI account.

A simple solution for this issue is provided by the Virtual Home Organization (VHO). The VHO is just another Identity Provider within the federation. It provides user accounts structured into groups with optional subgroups:

VHO overview

More information on how to use the VHO service

Try out the VHO service

Are you a prospective VHO administrator and want to get familiar with the administration tool and its features?

Just click on this link https://tools.test.vho-switchaai.ch/ and login as demo administrator with the following credentials:

  • username: switch-demoadmin
  • password: demoadmin

You will be VHO administrator of three different VHO groups with 99 VHO end users each.

Join the VHO service

If you want your own VHO group, contact us for further details.

VHO Policy

The VHO policy defines the rules for resource owners and SWITCH.

AAI VHO Policy [PDF, 11 pages, 141 kByte]

How to distinguish VHO users at a Resource using attributes

In order to clearly distinguish VHO end users from ‘regular’ users, some of their attributes carry VHO-specific values:

  swissEduPersonHomeOrganization     = vho-switchaai.ch
  swissEduPersonHomeOrganizationType = vho
  eduPersonAffiliation               = affiliate

Restricted Access Rules

In order to exclude all VHO end users from a resource that runs on an Apache web server, you may define the following exclusion rule in the Apache configuration (the rule only grants access when the value of homeOrganizationType matches the regular expression):

  require homeOrganizationType ~ ^[^vV][^hH][^oO]
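The following Python snippet is an added example (not part of this page or of the SWITCH tooling) that evaluates the attribute-based distinction and the Apache regex above against a constructed set of homeOrganizationType values. It shows that the regex rejects any value whose first character is v/V, second h/H or third o/O, not only "vho" (the invented value "xhz" illustrates this), and that an exact comparison is the stricter check; the sample attribute sets and the domain "uni.example" are constructed for the demonstration.

```python
import re

# VHO-specific attribute values as listed on this page.
VHO_HOME_ORG = "vho-switchaai.ch"
VHO_HOME_ORG_TYPE = "vho"

# The exclusion rule from this page; "~" means the attribute value is
# matched against a regular expression, and access is granted on a match.
PAGE_EXCLUSION_RULE = re.compile(r"^[^vV][^hH][^oO]")

# Constructed sample values. "xhz" is invented purely to show that the
# regex rejects more than the value "vho".
SAMPLE_TYPES = ["university", "uas", "hospital", "library", "others",
                "vho", "VHO", "xhz", ""]


def is_vho_user(attrs: dict) -> bool:
    """True if the released attributes identify a VHO end user.

    Only the two home-organization attributes are compared: the value
    'affiliate' of eduPersonAffiliation is also released by regular
    Home Organizations, so it is not a distinguishing marker on its own.
    """
    org = attrs.get("swissEduPersonHomeOrganization", "").lower()
    org_type = attrs.get("swissEduPersonHomeOrganizationType", "").lower()
    return org == VHO_HOME_ORG and org_type == VHO_HOME_ORG_TYPE


def page_rule_allows(home_org_type: str) -> bool:
    """Decision of the page's regex rule for one attribute value."""
    return PAGE_EXCLUSION_RULE.search(home_org_type) is not None


def exact_rule_allows(home_org_type: str) -> bool:
    """Stricter logic (shown in Python, not as Apache syntax): deny the
    exact value 'vho' in any case, deny an empty value, allow the rest."""
    return bool(home_org_type) and home_org_type.lower() != VHO_HOME_ORG_TYPE


def compare_rules(values=SAMPLE_TYPES) -> dict:
    """Map each value to (page regex allows, exact rule allows)."""
    return {v: (page_rule_allows(v), exact_rule_allows(v)) for v in values}


if __name__ == "__main__":
    for value, (by_regex, by_exact) in compare_rules().items():
        label = value or "<empty>"
        print(f"{label:>10}: regex allows={by_regex!s:5} exact allows={by_exact}")
```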