Virtual Home Organisation (VHO)

What is the Virtual Home Organisation?

Most users of the AAF belong to an AAF subscriber organisation, are in the organisation’s identity management system, and can use that organisation’s identity provider to log into connected services. This is known as their Home Organisation. For example, QUT is an AAF subscriber. If I am a staff member of QUT, I can log into AAF-connected services using QUT’s identity provider, and QUT is known as my Home Organisation.

However, in some cases it is desirable for users who don’t otherwise have an identity provider to be able to log into services via the AAF. Because they have no Home Organisation within the federation, these users can become part of the Virtual Home Organisation, or VHO.

The AAF Virtual Home Organisation (VHO) is an identity management system for individuals who need to access services via the AAF but who do not have an account with an AAF identity provider (IdP).

Who can have an account in the VHO?

The VHO can be used in the following cases.

  1. Your organisation has joined the AAF but doesn’t have an identity provider (IdP) yet. There may be a few users who need to access services now, before you have a chance to get your IdP up and running. You can add these users to the VHO.
  2. Your organisation has joined the AAF but has only a small number of users and does not intend to run an IdP. You can add your users to the VHO. This case includes service providers who need to access the Federation Registry service or to test access to their own services.
  3. Your organisation has joined the AAF and has its own IdP up and running. However, there are a few individuals who are not in your identity management system who need to access AAF-connected services in order to collaborate with other users in your organisation. You can in effect sponsor these individuals and add them to the VHO. This enables them to access AAF-connected services without having an account in your identity management system.

If anyone can be in the VHO, doesn’t that negate the trust in the federation?

No. Notice in the cases above that an individual with an account in the VHO is always sponsored by an organisation that has joined the AAF. This means the organisation is bound by the Federation Rules. By adding the individual to the VHO that organisation takes on the identity provider’s responsibilities with respect to that individual.

How is the VHO organised?

AAF participant organisations each have their own section in the VHO, where they manage their own users. Currently these sections are created on request rather than automatically. If you need a section in the VHO please send a request to support@aaf.edu.au.

Who manages my organisation’s section of the VHO?

When your organisation joins the AAF, it nominates an administrator who will manage its section of the VHO. This person can then delegate the authority to others in your organisation. Subsections can also be added with their own administrators. You might want to do this, for example, if one of your university’s faculties or research centres needs to add users to the VHO. You must request the addition of a subsection within your organisation’s section via a request to support@aaf.edu.au.

What attributes can be populated about users in the VHO?

The VHO supports all of the AAF core attributes. It is possible to have additional attributes added. Please contact support@aaf.edu.au with information about the attribute name, URN, description, and an explanation of how it is expected to be used.

Will the users in my section of the VHO appear to come from my organisation?

No. For these users the value of the schacHomeOrganization attribute will be vho.aaf.edu.au. It is possible to change the value of this attribute for users in your section of the VHO. Please contact support@aaf.edu.au if you would like to have this setting changed.

Does the VHO handle group management?

No. In the grid community the term virtual organisation means a group of users authorised to share a set of files and resources. This can create some confusion with the term Virtual Home Organisation. The VHO is not used for group authorisation. It is simply a surrogate identity provider for users who don’t otherwise have one.

It sounds like I can use the VHO as an alternative to running my own IdP. Is this a good idea?

Usually not. Using the VHO in this way is only an option if you have a very small number of users who need to access AAF-connected services. If you have your own user directory or identity management system and more than a few of these individuals need to access services, it will be better for you to run your own IdP. An important benefit of the AAF is that it allows the user’s credentials, issued by their home organisation, to be accepted in more places. Users in the VHO miss out on this benefit because they will have an additional username and password to remember. You will also have additional overhead in provisioning, deprovisioning, and maintaining users in the VHO. It will be easier for you if this information is automatically populated to your IdP from your internal user directory or identity management system.

What happens if I added a user to the VHO and now I want to put them in my organisation’s own IdP?

There is currently no defined process or tooling for this. Transferring a user and ensuring their continuity of service will vary from SP to SP. For SPs that use the auEduPersonSharedToken as the unique ID for their users, a transfer of the Shared Token will be required. The user’s Shared Token is visible within the VHO administration tool. It needs to be imported into the organisation’s identity system on behalf of the user. For SPs that use the eduPersonTargetedID, the transferred user will look like a new user to the service, because that identifier is generated per IdP and SP pair and the new IdP produces a different value.
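As an added illustration (not from the AAF page or its tooling), the following Python models why the two SP identifier choices above behave differently when a VHO user is moved to the organisation's own IdP: an SP keyed on auEduPersonSharedToken keeps a single account once the token is imported, while an SP keyed on eduPersonTargetedID sees a second, new account. The entity IDs, salts, hashing schemes and the user jsmith are constructed stand-ins, not real AAF values.

```python
import base64
import hashlib
import hmac

SP_ENTITY_ID = "https://sp.example.org/shibboleth"  # constructed, not a real SP


class IdP:
    # Minimal IdP releasing the three attributes the FAQ mentions (entity IDs are constructed).
    def __init__(self, entity_id, home_org, salt):
        self.entity_id, self.home_org, self.salt = entity_id, home_org, salt
        self.shared_tokens = {}  # local uid -> auEduPersonSharedToken

    def add_user(self, uid, shared_token=None):
        # A transferred user brings an existing Shared Token; a new user gets one minted (toy scheme).
        if shared_token is None:
            digest = hashlib.sha1(f"{uid}!{self.entity_id}!{self.salt}".encode()).digest()
            shared_token = base64.b64encode(digest).decode().rstrip("=")
        self.shared_tokens[uid] = shared_token

    def assertion(self, uid, sp_entity_id):
        # eduPersonTargetedID is derived per IdP+SP pair, so a different IdP yields a different value.
        tid = hmac.new(self.salt.encode(), f"{sp_entity_id}!{uid}".encode(), hashlib.sha256)
        return {
            "eduPersonTargetedID": f"{self.entity_id}!{sp_entity_id}!{tid.hexdigest()[:32]}",
            "auEduPersonSharedToken": self.shared_tokens[uid],
            "schacHomeOrganization": self.home_org,
        }


class ServiceProvider:
    # Maps federated logins to local accounts using one chosen key attribute.
    def __init__(self, key_attribute):
        self.key_attribute, self.accounts = key_attribute, {}

    def login(self, attrs):
        key = attrs[self.key_attribute]
        self.accounts.setdefault(key, attrs["schacHomeOrganization"])  # new account on first sight
        return key


def simulate_transfer():
    # Returns local-account counts after a VHO user moves to the organisation's own IdP.
    vho = IdP("https://vho.aaf.edu.au/idp", "vho.aaf.edu.au", "vho-salt")
    org = IdP("https://idp.example.edu.au/idp", "example.edu.au", "org-salt")
    sp_by_token, sp_by_tid = ServiceProvider("auEduPersonSharedToken"), ServiceProvider("eduPersonTargetedID")
    vho.add_user("jsmith")
    for sp in (sp_by_token, sp_by_tid):
        sp.login(vho.assertion("jsmith", SP_ENTITY_ID))
    # Transfer: the Shared Token read from the VHO admin tool is imported into the org IdP.
    org.add_user("jsmith", shared_token=vho.shared_tokens["jsmith"])
    for sp in (sp_by_token, sp_by_tid):
        sp.login(org.assertion("jsmith", SP_ENTITY_ID))
    return len(sp_by_token.accounts), len(sp_by_tid.accounts)  # (1, 2)
```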