Virtual Home Organization (VHO)

The Virtual Home Organization allows SWITCHaai resource administrators to create AAI accounts for users who need to access an AAI-protected resource but do not belong to a Home Organization in SWITCHaai.

Purpose

Some users who need to access an AAI-protected resource do not have an AAI account. Real-world examples of this situation are:

  • attendees of a further education or other training
  • a collaboration project with members from private companies or foreign universities, which are not in the federation

Because these users are not members of any Home Organization in the federation, the resource owner would have to manage their accounts locally. The drawbacks of creating local accounts are:

  • inefficient creation of accounts, possibly for more than one resource
  • additional complexity due to an additional authentication mechanism

From a resource administrator's point of view, it would be preferable to handle all users the same way, which implies that all users have an AAI account.

Two simple solutions for this issue are provided by the Virtual Home Organization (VHO) and the Guest Login. The VHO is a special Identity Provider operated by SWITCH within the SWITCHaai federation.

The VHO allows operators of an AAI service to create and manage AAI accounts that can be used to access AAI services. Whereas Guest Login accounts are by default not part of the SWITCHaai federation and are managed by the users themselves via self-registration, VHO accounts behave like normal AAI accounts and can only be managed by VHO administrators.

VHO user accounts are structured into groups and optionally subgroups:

[Figure: VHO overview]

Subgroups are like normal groups, except that the administrators of the parent group can also administer them.

More information on how to use the VHO service

Test the VHO Service

Prospective VHO administrators can test the VHO administration tool and its features. Open https://tools.test.vho-switchaai.ch/ and log in as demo administrator with the following credentials:
  • username: switch-demoadmin
  • password: demoadmin

You will be VHO administrator of three different VHO groups with 99 VHO end users each.

Get your own VHO Group

To get your own VHO group or a subgroup below an existing group, please contact us to receive the service subscription form and for further details.

VHO Policy

The VHO policy defines the rules for resource owners and SWITCH.

AAI VHO Policy [11 pages]

VHO specific Attributes

VHO users can be clearly distinguished from regular AAI users by their attributes. VHO users have the following attributes set:

  swissEduPersonHomeOrganization     = vho-switchaai.ch
  swissEduPersonHomeOrganizationType = vho
  eduPersonAffiliation               = affiliate
  eduPersonEntitlement               = <a VHO group specific value>

The eduPersonEntitlement value is guaranteed to use a unique prefix per VHO group. This is enforced by the VHO administration tool.

Restricted Access for VHO Users

To exclude all VHO end users from accessing certain content, use the attributes above to create access control rules that limit access for VHO users. Consult the Shibboleth Access Control rule information for examples.

The eduPersonEntitlement value allows SPs to authorize users from a specific VHO group by matching on the VHO group specific prefix.

Example: For the VHO group 'partner' the prefix of the eduPersonEntitlement value is always http://partner-switchaai.ch/. For each user in the VHO group 'partner', a suffix is added that is specific to the Federation Partner the person represents. The eduPersonEntitlement the VHO provides for an SP administrator of the Federation Partner example.org therefore looks like http://partner-switchaai.ch/example.org. Matching on that exact value lets the SP administrator authorize test access to their SP for that person while blocking all other VHO users.
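The following Shibboleth SP RequestMap fragment is an added example, not part of the original page or of SWITCH's own configuration. It shows the three rules discussed above: blocking every VHO end user, admitting exactly the 'partner' user who represents example.org, and admitting any member of the VHO group 'partner' by prefix. The attribute IDs homeOrganizationType and entitlement, and the host name sp.example.org, are assumptions: the IDs are the ones an SP's attribute-map.xml typically assigns to swissEduPersonHomeOrganizationType and eduPersonEntitlement, so verify them against your own attribute-map.xml before relying on these rules.

```xml
<!-- Added example for shibboleth2.xml; not from the SWITCH page.
     Assumes attribute-map.xml maps swissEduPersonHomeOrganizationType
     to id "homeOrganizationType" and eduPersonEntitlement to "entitlement".
     The host name sp.example.org is a placeholder. -->
<RequestMapper type="Native">
  <RequestMap applicationId="default">
    <Host name="sp.example.org" authType="shibboleth" requireSession="true">

      <!-- /members: deny every VHO end user. A regular AAI user whose
           homeOrganizationType is anything but "vho" (or who has no such
           attribute at all) passes, because Rule is false and NOT inverts it. -->
      <Path name="members">
        <AccessControl>
          <NOT>
            <Rule require="homeOrganizationType">vho</Rule>
          </NOT>
        </AccessControl>
      </Path>

      <!-- /partner-test: only the 'partner' group user acting for example.org.
           Rule compares the whole attribute value, so a user holding
           http://partner-switchaai.ch/example.org.evil would not match. -->
      <Path name="partner-test">
        <AccessControl>
          <AND>
            <Rule require="homeOrganizationType">vho</Rule>
            <Rule require="entitlement">http://partner-switchaai.ch/example.org</Rule>
          </AND>
        </AccessControl>
      </Path>

      <!-- /partner-any: any member of VHO group 'partner', matched by the
           group prefix. The trailing slash is part of the prefix on purpose:
           without it, a value under a different host such as
           http://partner-switchaai.ch.other/... would also match. -->
      <Path name="partner-any">
        <AccessControl>
          <RuleRegex require="entitlement">^http://partner-switchaai\.ch/.+$</RuleRegex>
        </AccessControl>
      </Path>

    </Host>
  </RequestMap>
</RequestMapper>
```

Rule does an exact comparison against each value of the attribute, so it is the right element for the per-partner suffix; use RuleRegex only for the group-wide prefix, and keep the regex anchored and including the trailing slash. Because eduPersonAffiliation is set to affiliate for VHO users, an existing rule that admits only member or staff already keeps VHO users out without a separate NOT rule.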

Maintenance

Unannounced VHO maintenance work may be performed on Wednesdays between 7:00 and 8:00. During that time short service interruptions of at most 1-2 minutes may occur. In case of security emergencies or other serious problems, restarts may occur at other times as well. Planned service disruptions lasting more than 10 minutes will be announced beforehand to all VHO group helpdesk email addresses.