Introduction
The AAF Virtual Home (VH) is an identity provider service run by the AAF on behalf of subscriber organisations. The VH identity provider participates in the Federation and provides almost the same access for its accounts as any other federation identity provider. Subscriber organisations create and manage user accounts for their external members and industry partners. These user accounts enable industry partners to collaborate with research institutions, universities and other subscribers of the federation and share resources accessible via the AAF or eduGAIN service.
The users of the accounts created and managed through VH should select AAF Virtual Home as the organisation which will process their credentials when accessing AAF protected resources. Ideally, these users would not have an account in the subscribing institution’s authentication and user repository.
A subscriber’s help desk team should be fully aware of the AAF Federation and AAF VH. Both involve access to systems and services outside of an organisation. Additionally, VH may also provide access for non-members to services available in the Federation.
This article gives a brief overview of the administrative functions available for managing an organisation’s VH identity provider. A User’s Guide is also available.
Details
Accessing the Virtual Home Admin Portal
The AAF Virtual Home (VH) is a special identity provider service run by the AAF on behalf of subscriber organisations. The VH is now available on the AAFs Rapid Identity Provider service. The VH administrative Dashboard manages all organisations, groups, and accounts within the VH identity provider.
To access the administrative Dashboard, go to https://vho.aaf.edu.au/ and click Login to the AAF Virtual Home Manger. Administrative access is available via your institutional credentials. If these credentials do not provide access and there was an expectation to administrative access on VH, get in touch with the AAF Support Team support@aaf.edu.au to resolve the access issue.
On successful login, a Dashboard of the groups, and if available, organisations for which a user has administrative privileges is available. There are two types of administrator roles available: Organisation and Group, who share the same management interface. An Organisation administrator can manage groups and user accounts. A Group administrator can only manage user accounts. This guide illustrates these roles using the Example Organisation organisation and the Default Group group. Select an organisation from the Dashboard (main page) and find the Actions menu.
Creating a group
To create a group first choose the appropriate organisation from the Dashboard. Groups can only be associated with a single organisation. When the organisation Dashboard is active select the Actions menu, then select the Create Group option and follow the prompts completing the mandatory boxes.
Creating a user account
To add a user account first choose the appropriate group from the Dashboard. From the group's Dashboard, select the Actions menu and then select the Create User option. Complete the mandatory fields and save the form to send an invitation to the recipient. The nominated user will receive a welcome email with a web link to complete their account creation. The recipient uses the web link to validate their email address and complete their registration. A new user can set their username and password at this time. Note that accounts are unique across the VH service and the email address is the unique key. A pending invitation can be revoked at any time before the recipient successfully authenticates.
Responsibility for the users and groups within a VH organisation remain solely with an organisation's Authorising Officer. All users agree to abide by the Federation Rules when they accept a VH invitation. Administrators are accountable for satisfactory management of users and groups; and ensuring users adhere to the Federation Rules.
Customising the invitation email message
Administrators may customise the invitation message sent to users. An invitation will add users to groups which belong to organisations. Select the group from the Dashboard and then from the Actions menu select Edit. This form permits renaming the group, setting the description, and crafting a welcome message. Each group has a unique and optional welcome message.
As the invitation might be the first communication from a collaboration or an administrator, be descriptive and outline the purpose or function of the group. The inclusion of contact details for the inviter or group administrator provides a useful validation feature.
Adding an administrator
A user can be an administrator of an organisation or a group. To add an administrator chose an organisation or a group from the Dashboard and then from the Action menu select Administrators. Then, from the Action menu select Invite Administrator and complete the invitation form.
Enable two-factor verification for users
Two-factor verification is an additional security measure for user accounts. Once every ninety (90) days, the user will need to supply the second factor in addition to a username and password on login. Typically, a mobile authentication application generates the codes for this second factor. Popular authentication applications are Google Authenticator, Authy and DuoMobile.
To enable two-factor verification, select a group from the Dashboard and then from the Action menu select Edit. Enable the option and save the change to set Force Two Step for all the users in that group.
To enable two-factor verification for a single account, create a new group and enable Force Two Step, and add the user to the group. The option to configure a second factor will be available to the user on subsequent logins.
Links
AAF VH support articles: https://support.aaf.edu.au/support/solutions
Contact the AAF Support Team: https://support.aaf.edu.au/support/home