Most users of the AAF belong to an AAF subscriber organisation, are in the organisation’s identity management system, and can use that organisation’s identity provider to log into connected services. This is known as their Home Organisation. For example, QUT is an AAF subscriber. If I am a staff member of QUT, I can log into AAF-connected services using QUT’s identity provider, and QUT is known as my Home Organisation.
However, in some cases it is desirable for users who don’t otherwise have an identity provider to be able to log into services via the AAF. Because they have no Home Organisation within the federation, these users can become part of the VirtualHome Organisation, or VHO.
The AAF Virtual Home Organisation (VHO) is an identity management system for individuals who need to access services via the AAF but who do not have an account with an AAF identity provider (IdP).
Organisational Spaces and Sub-Spaces
Every participating organisation in the AAF is entitled to a space within the AAF VHO. In general, when your organisation joins the federation and is registered with the AAF Federation Registry, a VHO space will be created. The name of your space is derived from the organisation identifier embedded in your organisation's FQDN. For example, the Queensland University of Technology has the FQDN qut.edu.au, so the space name will be QUT. The name can of course be changed if the derived name is not appropriate.
The space name is used to prefix all users' usernames within your space to ensure all usernames are unique across the whole AAF VHO while enabling you to use your own local methods for username creation.
An organisation can request the creation of a Sub-Space via a request to the AAF support desk. A sub-space allows you to delegate the management of a subset of user accounts. For example, a sub-space may be created for a project group to test a new service. Management of the sub-space is delegated to the project group, allowing them to create, modify and delete test accounts as required.
Becoming a Space administrator
When a space is created the first administrator is invited by the AAF VHO Administrator. This will generally occur when the organisation is registered in the AAF Federation Registry. The organisation's administrator (person who registered the organisation) will be sent an invitation by email. At the same time a VHO account will be created for the administrator in the organisation's space.
The administrator can use either the VHO account or their IdP account (if the IdP is configured in the federation) to log in using the link provided in the invitation and become the first administrator.
You can also request the AAF to add an administrator to the VHO by sending a request to the AAF support desk.
Adding additional administrators
Once the first administrator has access, they can invite other administrators for the Space as follows:
- If you administer more than one space, first select the appropriate space
- Select the Manage Groups option
- Enter the email address of the person and a description in the Add group admin area
- Click the >> Invite button
- A screen will appear asking you to send the invitation email from your default email application. Click either the email icon or Send invitation email >>. This will start your email client and load it with the message to be sent to the new administrator.
- Send the email
The following configuration tasks should be performed when you first receive administrator access. These tasks are performed under the Manage Groups option.
Help desk Information
Fill in the Website address, email address and phone number for your organisation's support or help desk under the Helpdesk information area. This information will be displayed on the AAF VHO Support page.
Your help desk team should be briefed about the AAF Federation and AAF VHO.
A number of mail templates are provided and will be used to send information to users. You should verify the content of these templates and update it as necessary. The following templates are provided:
- New User - Username and password, and information about selecting the AAF VHO when choosing an IdP to log in with.
- Reset Password - The new password.
Creating a User
When creating a new user in the VHO you will need to provide some details of the person for whom the account is being created. Some of this information may be sent to service providers that the user logs in to. The user's consent to release attributes will be sought before the attributes are sent.
The following details are required.
| Field | Required | Description |
|---|---|---|
| Username | Yes | The username the user will log in with. The username is always prefixed with the organisation's space name. The remaining component can be anything you want (avoid spaces or tabs). It is recommended that you use the user's organisational username for ease of use by the user. |
| Last Name | Recommended | The user's surname. |
| First Name | Recommended | The user's first name; a preferred name is also acceptable. |
| Common Name | Yes | Composed of the user's first name, a space, and last name, e.g. "Fred Bloggs". If a user does not have a first name, provide just the last name. |
| Display Name | Yes | Used by service providers to welcome the user to their site. The same value as the common name is acceptable. |
| E-Mail | Yes | The user's public-facing email address, e.g. "firstname.lastname@example.org". |
| Description | Recommended | Free text for you to record any notes about the user and why they have been issued a VHO account. Use it as you see fit. This value is not made available to any service provider. |
| Affiliation | Yes | Select one value from the drop-down list; the available values are listed below this table. The meaning of each value varies from one federation to the next. The AAF has attempted to use the most common meanings used globally and recommends using only the highlighted values. The VHO tool only allows a user to belong to one affiliation at a time. |
| Assurance Level | Yes | Only the value "urn:mace:aaf.edu.au:iap:id:1" can be assigned to a user. Higher levels may be assigned to test accounts for testing a service that requires a higher level of assurance. |
| Top-level Organisation | Recommended | The full display name of your organisation. It is recommended that the same organisation name used in your IdP be used here. |
| Shared Token | Leave blank! | The Shared Token is populated automatically the first time the user logs in. You may provide a Shared Token for a user only if they supply a verified and valid value from an organisation they were previously associated with. |
| Expiration date | Yes | The date when the account will expire. |

Affiliation values:
- affiliate - Intended to apply to people with whom the organisation has dealings, but to whom no general set of "community membership" privileges are extended.
- staff - Professional and other staff who are not faculty.
- student - The person is an active student. He/she is entitled to participate in a study program in which he/she attends courses.
- faculty - Academic or research staff.
- employee - The union of ‘Faculty’, ‘Staff’ and other persons on the institution’s payroll.
- member - Intended to include faculty, staff, students, and other persons with a basic set of privileges that go with membership in the organisation's community.
- alum - Persons who are included in the institution’s alumni arrangements.
- library-walk-in - A person physically present in the library.
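The field rules above are easy to get wrong when accounts are created in bulk, so the following added example (not AAF's own code or API) encodes them as a pre-entry check: required fields, no whitespace in the username, the common-name composition rule, a plausible email address, a known affiliation, the single permitted assurance level, a blank Shared Token unless a verified value is supplied, a future expiry date, and uniqueness of usernames within the space. The record layout, function names, the `test_account` and `shared_token_verified` flags, and the sample records are assumptions constructed for this example; the record holds only the local part of the username, since the VHO tool prepends the space name itself.

```python
"""Pre-entry validator for AAF VHO user records (added example, not AAF code).

Encodes the rules of the "Creating a User" table so an administrator can
check a batch of records before keying them into the VHO tool.
"""
from datetime import date

# Affiliation values offered by the VHO drop-down list.
AFFILIATIONS = {
    "affiliate", "staff", "student", "faculty",
    "employee", "member", "alum", "library-walk-in",
}
# The only assurance level a normal user may be given.
ASSURANCE_LEVEL = "urn:mace:aaf.edu.au:iap:id:1"
# Fields the table marks as "Yes" (the description field is free text).
REQUIRED = ("username", "common_name", "display_name", "email",
            "affiliation", "assurance_level", "expiration_date")


def space_name_from_fqdn(fqdn):
    """Default space name: the organisation identifier leading the FQDN,
    upper-cased (qut.edu.au -> QUT). The AAF can rename it on request."""
    return fqdn.split(".")[0].upper()


def validate_user(record, today):
    """Return the list of rule violations for one record (empty list = passes).

    ``record`` carries only the local part of the username; the space-name
    prefix is added by the VHO tool and is therefore not checked here.
    """
    problems = []
    for field in REQUIRED:
        if not record.get(field):
            problems.append(f"{field} is required")

    username = record.get("username", "")
    if any(ch.isspace() for ch in username):
        problems.append("username must not contain spaces or tabs")

    # Common name is "First Last", or just the last name when there is no first name.
    first, last = record.get("first_name", ""), record.get("last_name", "")
    expected_cn = f"{first} {last}" if first else last
    if last and record.get("common_name") and record["common_name"] != expected_cn:
        problems.append(f'common_name should be "{expected_cn}"')

    email = record.get("email", "")
    if email and ("@" not in email or "." not in email.rsplit("@", 1)[-1]):
        problems.append("email does not look like an address")

    aff = record.get("affiliation")
    if aff and aff not in AFFILIATIONS:
        problems.append(f"affiliation {aff!r} is not a VHO value")

    # Higher levels are tolerated only for accounts flagged as test accounts
    # (assumed flag, not a VHO field).
    level = record.get("assurance_level")
    if level and level != ASSURANCE_LEVEL and not record.get("test_account"):
        problems.append(f"only {ASSURANCE_LEVEL} may be assigned to a normal user")

    # Shared Token is filled in at first login; a supplied value needs a
    # verified provenance (assumed flag, not a VHO field).
    if record.get("shared_token") and not record.get("shared_token_verified"):
        problems.append("shared_token must be left blank unless verified")

    expiry = record.get("expiration_date")
    if isinstance(expiry, date) and expiry <= today:
        problems.append("expiration_date must be in the future")
    return problems


def validate_batch(records, today):
    """Validate every record and flag usernames duplicated within the space."""
    report, seen = {}, set()
    for rec in records:
        problems = validate_user(rec, today)
        name = rec.get("username", "")
        if name in seen:
            problems.append("username duplicates another record in this space")
        seen.add(name)
        report[name] = problems
    return report


# Constructed sample data: a reference date and two fictitious records.
TODAY = date(2024, 1, 15)
SAMPLE = [
    {"username": "fbloggs", "first_name": "Fred", "last_name": "Bloggs",
     "common_name": "Fred Bloggs", "display_name": "Fred Bloggs",
     "email": "fred.bloggs@example.org", "affiliation": "affiliate",
     "assurance_level": ASSURANCE_LEVEL, "expiration_date": date(2024, 12, 31)},
    {"username": "j smith", "last_name": "Smith", "common_name": "J Smith",
     "display_name": "J Smith", "email": "jsmith-at-example.org",
     "affiliation": "contractor",
     "assurance_level": "urn:example:PLACEHOLDER-higher-level",  # placeholder, not a real AAF URN
     "shared_token": "abc", "expiration_date": date(2023, 6, 1)},
]

if __name__ == "__main__":
    for name, probs in validate_batch(SAMPLE, TODAY).items():
        print(name, "OK" if not probs else probs)
```

Running the block prints an empty problem list for the first record and seven violations for the second, one per rule it breaks; records that pass can then be entered into the tool with confidence that the consent-released attributes (common name, display name, email, affiliation) are well formed.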
The following operations can be performed on users from the List Users option or while viewing a user. To view a user, click on their username from the list of users.
- Expire - The user's expiry date / time will be set to now. The user will not be able to log in. To un-expire a user, edit their details and set the expiry date to a date in the future.
- Delete - The user will be marked for deletion. The account can be undeleted up until it is actually deleted from the system. To do so, view the user and select the undelete button. When a user is undeleted their password is reset. The user must be sent the new password to allow them to log in again.
- Reset Password - A new password is generated for the user. The password must be emailed to the user.
- Edit details - All of the user's attributes may be modified except their username. You must click on the save button to make the changes permanent.
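The operations above have security consequences that are easy to miss when read as a list: expiry is a timestamp compared against the current time, deletion is a soft delete that can be reversed, and both undelete and reset issue a fresh password so the old one stops working. The following added example (not the VHO tool's code; class, method and field names are assumptions) models those semantics with a login check, storing the password as a salted PBKDF2 hash and taking an injectable clock so the expiry behaviour can be exercised deterministically.

```python
"""Model of the VHO user operations: Expire, Delete/Undelete, Reset Password,
Edit details, and the login check they affect (added example, not VHO code)."""
import hashlib
import os
import secrets
from datetime import datetime

PBKDF2_ROUNDS = 100_000


class VhoAccount:
    """One VHO user. ``clock`` returns the current time (injected for testing)."""

    def __init__(self, username, expires_at, clock=datetime.now):
        self.username = username      # fixed at creation; Edit details cannot change it
        self.expires_at = expires_at
        self.clock = clock
        self.deleted = False          # soft-delete flag; undelete clears it
        self.salt = b""
        self.pw_hash = b""

    def _issue_password(self):
        """Generate a new random password, store only its salted hash, and
        return the cleartext once so it can be emailed to the user."""
        password = secrets.token_urlsafe(12)
        self.salt = os.urandom(16)
        self.pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, PBKDF2_ROUNDS)
        return password

    def can_login(self, password):
        """Login succeeds only for a live, unexpired account with the right password."""
        if self.deleted or self.clock() >= self.expires_at:
            return False
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, PBKDF2_ROUNDS)
        return secrets.compare_digest(candidate, self.pw_hash)

    def expire(self):
        """Expire: set the expiry to now, so the next login check fails."""
        self.expires_at = self.clock()

    def edit(self, **changes):
        """Edit details: any attribute may change except the username.
        Setting expires_at to a future date is how an account is un-expired."""
        if "username" in changes:
            raise ValueError("username cannot be changed")
        for key, value in changes.items():
            setattr(self, key, value)

    def delete(self):
        """Delete: mark for deletion; the record stays until actually purged."""
        self.deleted = True

    def undelete(self):
        """Undelete: restore the account and issue a new password (the old one
        no longer works). Returns the password that must be sent to the user."""
        self.deleted = False
        return self._issue_password()

    def reset_password(self):
        """Reset Password: issue a new password that must be emailed to the user."""
        return self._issue_password()


def create_account(username, expires_at, clock=datetime.now):
    """Create an account and return it with its initial cleartext password."""
    account = VhoAccount(username, expires_at, clock)
    return account, account._issue_password()


if __name__ == "__main__":
    # Constructed walk-through with a fixed clock; "fbloggs" is a fictitious local username.
    now = [datetime(2024, 1, 15, 9, 0)]
    acct, pw = create_account("fbloggs", datetime(2024, 12, 31), clock=lambda: now[0])
    print("fresh account login:", acct.can_login(pw))
    acct.expire()
    print("after expire:", acct.can_login(pw))
    acct.edit(expires_at=datetime(2025, 1, 1))
    print("after un-expire:", acct.can_login(pw))
    acct.delete()
    new_pw = acct.undelete()
    print("old password after undelete:", acct.can_login(pw), "new password:", acct.can_login(new_pw))
```

The walk-through shows the point an administrator must remember from the Delete operation: after an undelete the user cannot log in with the credential they had before, so the new password has to be delivered to them, and the same holds for Reset Password.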
If you require assistance using the AAF VHO tool, please contact the AAF Support desk.