Virtual Home Organization (VHO)
The Virtual Home Organization allows SWITCHaai resource administrators to create AAI accounts for users who need to access an AAI-protected resource but do not belong to a Home Organization in SWITCHaai.
In some cases there are users who don't have an AAI account but nevertheless need to access an AAI-protected resource. Some real-world examples of this scenario are:
- attendees of a further education or other training
- a collaboration project with members from private companies or foreign universities, which are not in the federation
Because these users are not members of any Home Organization in the federation, the resource owner would have to manage these accounts locally. The drawbacks of creating local accounts are:
- inefficient creation of accounts, possibly for more than one resource
- additional complexity due to an additional authentication mechanism
From a resource administrator's point of view, it would be preferable to handle all users the same way, which implies that all users have an AAI account.
The VHO allows operators of an AAI service to create and manage AAI accounts which can be used to access AAI services. Whereas Guest Login accounts are not by default part of the SWITCHaai federation and are managed by users themselves via self-registration, VHO accounts are like normal AAI accounts and they can only be managed by VHO administrators.
VHO user accounts are structured into groups and, optionally, subgroups. Subgroups are like normal groups, but the administrators of the parent group can also administrate its subgroups.
Test the VHO Service
- username: switch-demoadmin
- password: demoadmin
Get your own VHO Group
To get your own VHO group or a subgroup below an existing group, please contact us to receive the service subscription form and for further details.
The VHO policy defines the rules for resource owners and SWITCH.
AAI VHO Policy
VHO specific Attributes
VHO users can be clearly distinguished from regular AAI users by their attributes. VHO users have the following attributes set:
- swissEduPersonHomeOrganization = vho-switchaai.ch
- swissEduPersonHomeOrganizationType = vho
- eduPersonAffiliation = affiliate
- eduPersonEntitlement = <a VHO group specific value>
The eduPersonEntitlement value is guaranteed to use a unique prefix per VHO group. This is enforced by the VHO administration tool.
Restricted Access for VHO Users
To exclude all VHO end users from accessing certain content, use the above attributes to create access control rules which limit access for VHO users. Please consult the Shibboleth Access Control rule information for examples.
The eduPersonEntitlement value also allows SPs to authorize users from a specific VHO group by matching on the VHO group specific prefix.
Example: For the VHO group 'partner' the prefix of the eduPersonEntitlement value is always http://partner-switchaai.ch/. For each user in the VHO group 'partner' we add a suffix that is specific to the Federation Partner the person represents. So the eduPersonEntitlement the VHO provides for an SP administrator of the Federation Partner example.org would look like http://partner-switchaai.ch/example.org. That allows the SP administrator to authorize test access to their SP by matching on that exact value, which excludes all other VHO users.
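The three authorization decisions described above (exclude every VHO user, admit a whole VHO group by its entitlement prefix, admit only the users representing one Federation Partner by exact value) as an added Python model. This is example code, not part of the VHO documentation or of the Shibboleth SP; the user records and the second group prefix are constructed.

```python
# Constructed sample attribute sets (not real accounts). Values are sets
# because SAML attributes such as eduPersonEntitlement are multi-valued.
REGULAR_USER = {
    "swissEduPersonHomeOrganization": {"example.ch"},
    "swissEduPersonHomeOrganizationType": {"university"},
    "eduPersonAffiliation": {"staff", "member"},
    "eduPersonEntitlement": set(),
}
VHO_PARTNER_EXAMPLE_ORG = {
    "swissEduPersonHomeOrganization": {"vho-switchaai.ch"},
    "swissEduPersonHomeOrganizationType": {"vho"},
    "eduPersonAffiliation": {"affiliate"},
    "eduPersonEntitlement": {"http://partner-switchaai.ch/example.org"},
}
VHO_PARTNER_OTHER = dict(
    VHO_PARTNER_EXAMPLE_ORG,
    eduPersonEntitlement={"http://partner-switchaai.ch/other.org"},
)
# A member of some other VHO group; this prefix is a constructed placeholder.
VHO_OTHER_GROUP = dict(
    VHO_PARTNER_EXAMPLE_ORG,
    eduPersonEntitlement={"http://othergroup-switchaai.ch/course-1"},
)

PARTNER_PREFIX = "http://partner-switchaai.ch/"


def is_vho_user(attrs):
    """VHO accounts carry swissEduPersonHomeOrganizationType = vho."""
    return "vho" in attrs.get("swissEduPersonHomeOrganizationType", set())


def deny_vho(attrs):
    """Rule 1: content closed to all VHO end users."""
    return not is_vho_user(attrs)


def allow_vho_group(attrs, prefix=PARTNER_PREFIX):
    """Rule 2: any member of the VHO group owning `prefix`. The match is
    anchored at the start of the value and keeps the trailing '/', so a
    different group whose prefix merely begins the same way does not match."""
    return any(v.startswith(prefix) for v in attrs.get("eduPersonEntitlement", set()))


def allow_federation_partner(attrs, partner="example.org"):
    """Rule 3: exact match on prefix + partner suffix, so only the users
    representing that one Federation Partner are admitted."""
    return PARTNER_PREFIX + partner in attrs.get("eduPersonEntitlement", set())
```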
Unannounced VHO maintenance work may be performed on Wednesdays between 7:00 and 8:00. During that time short service interruptions of 1-2 minutes at most may occur. In case of security emergencies or other serious problems, restarts may occur at other times as well. Planned service disruptions which take more than 10 minutes will be announced to all VHO group helpdesk email addresses beforehand.