Virtual Home Organization (VHO)
The Virtual Home Organization allows Switch edu-ID resource administrators to create edu-ID accounts for users who need to access an edu-ID-protected resource but do not belong to a Home Organization in Switch edu-ID.
Purpose
In some cases, users who do not have an edu-ID account nevertheless need to access an edu-ID-protected resource. Some real-world examples of this scenario are:
- attendees of a further education or other training
- a collaboration project with members from private companies or foreign universities, which are not in the federation
Because these users are not members of any home organization in the federation, the resource owner would have to manage their accounts locally. The drawbacks of creating local accounts are:
- inefficient creation of accounts, possibly repeated for more than one resource
- additional complexity due to additional authentication mechanism
From a resource administrator's point of view, it would be preferable to handle all users the same way, which implies that all users have an edu-ID account.
Two simple solutions for this issue:
- Virtual Home Organization (VHO)
The VHO allows operators of an edu-ID service to create and manage edu-ID accounts that can be used to access edu-ID services. For all users of the same VHO group the VHO service guarantees that they all share a unique prefix in the eduPersonEntitlement value. This allows services to easily authorize access for certain VHO groups only, if so required (see below).
The VHO is a dedicated Identity Provider operated by SWITCH within the Switch edu-ID Federation.
- Switch edu-ID service
Switch edu-ID accounts are self-managed user accounts based on self-registration.
VHO user accounts are structured into groups and, optionally, subgroups. Subgroups behave like normal groups, except that the administrators of the parent group can also administer them.
More information on how to use the VHO service
Get your own VHO Group
To get your own VHO group or a subgroup below an existing group, please contact us to receive the service subscription form and for further details.
VHO Policy
The VHO policy defines the rules for resource owners and Switch.
AAI VHO Policy [11 pages]
VHO specific Attributes
VHO users can be clearly distinguished from regular edu-ID users by their attributes. VHO users have the following attributes set:
- swissEduPersonHomeOrganization = vho-switchaai.ch
- swissEduPersonHomeOrganizationType = vho
- eduPersonAffiliation = affiliate
- eduPersonEntitlement = <a VHO group specific value>
The eduPersonEntitlement value is guaranteed to use a unique prefix per VHO group. This is enforced by the VHO administration tool.
Restricted Access for VHO Users
To either block all VHO users from accessing certain content or to specifically enable access for VHO users from one or more specific groups, use the above attributes to create access control rules that restrict access as required. Consult the Shibboleth Access Control rule information for examples.
The eduPersonEntitlement value allows SPs to authorize users from a specific VHO group by matching on the VHO group specific prefix.
Example: For the VHO group 'partner' the prefix of the eduPersonEntitlement value is always http://partner-switchaai.ch/. For each user in the VHO group 'partner' we add a suffix that is specific to the Federation Partner the person represents. So the eduPersonEntitlement the VHO provides for an SP administrator of the Federation Partner example.org would look like http://partner-switchaai.ch/example.org. That allows the SP administrator to authorize test access to their SP by matching on that exact value, which excludes all other VHO users.
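The three access control cases described above (block every VHO user, admit a whole VHO group, admit only one Federation Partner within a group), written as a Shibboleth SP RequestMap fragment. This is an added example, not configuration from the SWITCH page or the VHO service itself. It assumes the SP's attribute-map.xml maps swissEduPersonHomeOrganizationType to the id `homeOrganizationType` and eduPersonEntitlement to the id `entitlement`; the host name `sp.example.org` and the paths `internal`, `partner` and `example-org` are placeholders.

```xml
<!-- Added example for shibboleth2.xml; not part of the original page.
     Assumed attribute ids: "homeOrganizationType" and "entitlement".
     Assumed host and paths: sp.example.org, /internal, /partner, /partner/example-org. -->
<RequestMapper type="Native">
  <RequestMap applicationId="default">
    <Host name="sp.example.org" authType="shibboleth" requireSession="true">

      <!-- Case 1: block all VHO users from /internal. Every VHO account carries
           swissEduPersonHomeOrganizationType = vho, so negating that rule admits
           only users whose home organization is a real federation member. -->
      <Path name="internal">
        <AccessControl>
          <NOT>
            <Rule require="homeOrganizationType">vho</Rule>
          </NOT>
        </AccessControl>
      </Path>

      <!-- Case 2: admit the whole VHO group 'partner' to /partner by matching the
           group prefix. The trailing slash is part of the anchored pattern so a
           value under a different group whose prefix merely begins with the same
           characters cannot match. -->
      <Path name="partner">
        <AccessControl>
          <RuleRegex require="entitlement">^http://partner-switchaai\.ch/.*$</RuleRegex>
        </AccessControl>

        <!-- Case 3: /partner/example-org is open only to VHO users representing
             the Federation Partner example.org. An exact-value Rule is used here
             rather than a prefix, which shuts out every other VHO user, including
             the rest of the 'partner' group. -->
        <Path name="example-org">
          <AccessControl>
            <Rule require="entitlement">http://partner-switchaai.ch/example.org</Rule>
          </AccessControl>
        </Path>
      </Path>

    </Host>
  </RequestMap>
</RequestMapper>
```

Both Rule and RuleRegex test every value of a multi-valued attribute, so a user holding several entitlements passes as soon as one of them matches; requireSession="true" on the Host guarantees that the rules are evaluated against an authenticated session rather than an empty attribute set.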
Maintenance
Unannounced VHO maintenance work may be performed on Wednesdays between 7:00 and 8:00. During that time, short service interruptions of at most 1-2 minutes may occur. In case of security emergencies or other serious problems, restarts may occur at other times as well. Planned service disruptions lasting more than 10 minutes will be announced beforehand to all VHO group helpdesk email addresses.