Virtual Home Organization (VHO)

The Virtual Home Organization allows Switch edu-ID resource administrators to create edu-ID accounts for users who need to access an edu-ID-protected resource but do not belong to a Home Organization in Switch edu-ID.

Purpose

In some cases there are users who don't have an edu-ID account but nevertheless need to access an edu-ID-protected resource. Some real-world examples of this scenario are:

  • attendees of a further education or other training
  • a collaboration project with members from private companies or foreign universities, which are not in the federation

Because these users are not members of any Home Organization in the federation, the resource owner would have to manage their accounts locally. The drawbacks of creating local accounts are:

  • inefficient creation of accounts, possibly for more than one resource
  • additional complexity due to an additional authentication mechanism

From a resource administrator's point of view, it would be preferable to handle all users the same way, which implies that all users have an edu-ID account.

There are two simple solutions to this issue:

  • Virtual Home Organization (VHO)
    The VHO allows operators of an edu-ID service to create and manage edu-ID accounts that can be used to access edu-ID services. For all users of the same VHO group the VHO service guarantees that they all share a unique prefix in the eduPersonEntitlement value. This allows services to easily authorize access for certain VHO groups only, if so required (see below).
    The VHO is a dedicated Identity Provider operated by SWITCH within the Switch edu-ID Federation.
  • Switch edu-ID service
    Switch edu-ID accounts are self-managed user accounts based on self-registration.

VHO user accounts are structured into groups and optionally subgroups:

VHO overview

Subgroups are like normal groups but the administrators of the parent groups can also administrate subgroups.

More information on how to use the VHO service

Get your own VHO Group

To get your own VHO group or a subgroup below an existing group, please contact us to receive the service subscription form and for further details.

VHO Policy

The VHO policy defines the rules for resource owners and Switch.

AAI VHO Policy [11 pages]

VHO specific Attributes

VHO users can be clearly distinguished from regular edu-ID users by their attributes. VHO users have the following attributes set:

  swissEduPersonHomeOrganization     = vho-switchaai.ch
  swissEduPersonHomeOrganizationType = vho
  eduPersonAffiliation               = affiliate
  eduPersonEntitlement               = <a VHO group specific value>

The eduPersonEntitlement value is guaranteed to use a unique prefix per VHO group. This is enforced by the VHO administration tool.

Restricted Access for VHO Users

To either block all VHO users from accessing certain content or to specifically enable access for VHO users from one or more specific groups, use the above attributes to create access control rules that restrict access as required. Consult the Shibboleth Access Control rule information for examples.

The eduPersonEntitlement value allows SPs to authorize users from a specific VHO group by matching the VHO group specific prefix.

Example: For the VHO group 'partner' the prefix of the eduPersonEntitlement value is always http://partner-switchaai.ch/. For each user in the VHO group 'partner' we add a suffix that is specific to the Federation Partner the person represents. So the eduPersonEntitlement the VHO provides for an SP administrator of the Federation Partner example.org would look like http://partner-switchaai.ch/example.org. That allows the SP administrator to authorize test access to their SP by matching that exact value, which blocks out all other VHO users.
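The three cases above (block all VHO users, admit one VHO group by prefix, admit one Federation Partner by exact value) as Shibboleth SP access control rules in a RequestMap fragment for shibboleth2.xml. This is an added example, not from the original page or from SWITCH; the host and path names are made up, and the attribute IDs entitlement and homeOrganization are assumed to be those of the SP's attribute-map.xml.

```xml
<!-- Added example: assumes attribute-map.xml maps eduPersonEntitlement to
     id="entitlement" and swissEduPersonHomeOrganization to id="homeOrganization". -->
<RequestMapper type="Native">
  <RequestMap>
    <Host name="sp.example.org" authType="shibboleth" requireSession="true">

      <!-- /partner-test: only the SP administrator of Federation Partner example.org.
           Exact match on the full value; all other VHO users are rejected. -->
      <Path name="partner-test">
        <AccessControl>
          <Rule require="entitlement">http://partner-switchaai.ch/example.org</Rule>
        </AccessControl>
      </Path>

      <!-- /partner: every member of VHO group 'partner', whatever the suffix.
           The regex is anchored with ^ so the group prefix must start the value;
           an unanchored pattern would also match unrelated values that merely
           contain the prefix somewhere inside. -->
      <Path name="partner">
        <AccessControl>
          <RuleRegex require="entitlement">^http://partner-switchaai\.ch/</RuleRegex>
        </AccessControl>
      </Path>

      <!-- /staff-only: no VHO user at all. NOT is also true for a session that
           carries no homeOrganization attribute, so in practice combine it with
           a positive requirement inside an AND. -->
      <Path name="staff-only">
        <AccessControl>
          <NOT>
            <Rule require="homeOrganization">vho-switchaai.ch</Rule>
          </NOT>
        </AccessControl>
      </Path>

    </Host>
  </RequestMap>
</RequestMapper>
```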

Maintenance

Unannounced VHO maintenance work may be performed on Wednesdays between 7:00 and 8:00. During that time short service interruptions of at most 1-2 minutes may occur. In case of security emergencies or other serious problems, restarts may occur at other times as well. Planned service disruptions that take more than 10 minutes will be announced to all VHO group helpdesk email addresses beforehand.