Virtual Home (VH)
What is the AAF Virtual Home?
Most users of the AAF belong to an AAF subscriber organisation, are in the organisation’s identity management system, and can use that organisation’s identity provider to log into connected services. This is known as their Home Organisation. For example, QUT is an AAF subscriber. If I am a staff member of QUT, I can log into AAF-connected services using QUT’s identity provider, and QUT is known as my Home Organisation.
However, in some cases it is desirable for users who don’t otherwise have an identity provider to be able to log into services via the AAF. Because they have no Home Organisation within the federation, these users can become part of the AAF Virtual Home (AAF VH).
The AAF Virtual Home (VH) is an identity management system for individuals who need to access services via the AAF but who do not have an account with an AAF identity provider (IdP).
Who can have an account in the VH?
The VH can be used in the following cases:
- Your organisation has joined the AAF but doesn’t have an identity provider (IdP) yet. There may be a few users who need to access services now, before you have a chance to get your IdP up and running. You can add these users to the VH.
- Your organisation has joined the AAF but has only a small number of users and does not intend to run an IdP. You can add your users to the VH. This case includes service providers who need to access the Federation Registry service or to test access to their own services.
- Your organisation has joined the AAF and has its own IdP up and running. However, there are a few individuals who are not in your identity management system who need to access AAF-connected services in order to collaborate with other users in your organisation. You can in effect sponsor these individuals and add them to the VH. This enables them to access AAF-connected services without having an account in your identity management system.
If anyone can be in the VH, doesn’t that negate the trust in the federation?
No. In the cases above you will notice that an individual with an account in the VH is always sponsored by an organisation that has joined the AAF. This means the organisation is bound by the Federation Rules. By adding the individual to the VH, that organisation takes on the identity provider’s responsibilities with respect to that individual.
How is the VH organised?
AAF participant organisations each have their own section in the VH where they manage their own users. Currently these sections are created on request rather than automatically. If you need a section in the VH, please send a request to email@example.com.
Who manages my organisation’s section of the VH?
When your organisation joins the AAF it nominates an administrator who will manage its section of the VH. This person can then delegate that authority to others in your organisation. Subsections, each with their own administrators, can also be added. You might want to do this, for example, if one of your university's faculties or research centres needs to add users to the VH. You must request the addition of a subsection within your organisation's section via a request to firstname.lastname@example.org.
What attributes can be populated about users in the VH?
The VH supports all of the AAF core attributes. It is possible to have additional attributes added. Please contact email@example.com with information about the attribute name, URN, description, and an explanation of how it is expected to be used.
Will the users in my section of the VH appear to come from my organisation?
No. For these users the value of the schacHomeOrganization attribute will be vho.aaf.edu.au. It is possible to change the value of this attribute for users in your section of the VH. Please contact firstname.lastname@example.org if you would like to have this setting changed.
Does the VH handle group management?
No. In the grid community the term virtual organisation means a group of users authorised to share a set of files and resources. This can create some confusion with the term Virtual Home. The VH is not used for group authorisation. It is simply a surrogate identity provider for users who don’t otherwise have one.
It sounds like I can use the VH as an alternative to running my own IdP. Is this a good idea?
Usually not. Using the VH in this way is only an option if you have a very small number of users who need to access AAF-connected services. If you have your own user directory or identity management system and more than a few of these individuals need to access services, it will be better for you to run your own IdP. An important benefit of the AAF is that it allows the user’s credentials, issued by their home organisation, to be accepted in more places. Users in the VH miss out on this benefit because they will have an additional username and password to remember. You will also have additional overhead in provisioning, deprovisioning, and maintaining users in the VH. It will be easier for you if this information is automatically populated to your IdP from your internal user directory or identity management system.
What happens if I added a user to the VH and now I want to put them in my organisation’s own IdP?
There is currently no defined process or tooling for this. Transferring a user while preserving their continuity of service will vary from SP to SP. For SPs that use the auEduPersonSharedToken as the unique ID for their users, the Shared Token itself must be transferred: the user's Shared Token is visible within the VH administration tool, and it needs to be imported into the organisation's identity system on behalf of the user so the organisation's IdP asserts the same value. For SPs that use the eduPersonTargetedID, the transferred user will look like a new user to the service, because that identifier is specific to the asserting IdP.
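The following Python sketch is an added illustration, not AAF code or tooling, of why the two identifier choices behave differently when a user moves from the VH to the organisation's own IdP. The entity IDs, principal name and token values are constructed placeholders, and the targetedID derivation is only a stand-in for the opaque per-IdP, per-SP value a real IdP generates.

```python
import hashlib

# Constructed placeholder entity IDs (not real AAF endpoints).
VH_IDP = "https://vh.example.invalid/idp"
ORG_IDP = "https://idp.org.example.invalid/idp"
SP = "https://sp.example.invalid/shibboleth"


def targeted_id(idp_entity_id, sp_entity_id, principal):
    """Illustrative model of eduPersonTargetedID: an opaque pseudonym that
    depends on the asserting IdP and the SP, so a different IdP yields a
    different value for the same person (a real IdP stores or derives it)."""
    raw = f"{idp_entity_id}|{sp_entity_id}|{principal}".encode()
    return hashlib.sha256(raw).hexdigest()[:16]


def assertion(idp, principal, shared_token):
    """Constructed attribute set as an SP would receive it from an IdP."""
    return {
        "issuer": idp,
        "auEduPersonSharedToken": shared_token,
        "eduPersonTargetedID": targeted_id(idp, SP, principal),
    }


class ServiceProvider:
    """Minimal SP that keys its local accounts on one chosen attribute."""

    def __init__(self, key_attribute):
        self.key_attribute = key_attribute
        self.accounts = {}

    def login(self, attrs):
        key = attrs[self.key_attribute]
        if key not in self.accounts:
            self.accounts[key] = {"created_from": attrs["issuer"]}
            return "new"
        return "existing"


def migration_outcome(key_attribute, transfer_shared_token=True):
    """Log in once via the VH, then via the org IdP; report whether the SP
    recognises the second login as the same account."""
    token = "constructedSharedToken12345"  # constructed sample value
    sp = ServiceProvider(key_attribute)
    sp.login(assertion(VH_IDP, "jsmith", token))
    # The org IdP asserts the same token only if it was imported on transfer.
    new_token = token if transfer_shared_token else "tokenMintedByOrgIdP"
    return sp.login(assertion(ORG_IDP, "jsmith", new_token))
```

Running migration_outcome with "auEduPersonSharedToken" returns "existing" only when the token was transferred, while "eduPersonTargetedID" always returns "new".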