Most users of Tuakiri belong to a Tuakiri subscriber organisation, are in the organisation’s identity management system, and can use that organisation’s identity provider to log into connected services. This is known as their Home Organisation. For example, NIWA is a Tuakiri subscriber. If I am a staff member of NIWA, I can log into Tuakiri-connected services using NIWA’s identity provider, and NIWA is known as my Home Organisation.
However, in some cases it is desirable for users who don’t otherwise have an identity provider to be able to log into services via Tuakiri. Because they have no Home Organisation within the federation, these users can become part of the Tuakiri Virtual Home (VH).
The Tuakiri Virtual Home is an identity management system for individuals who need to access services via Tuakiri, but who do not have an account with a Tuakiri identity provider.
The VH can be used in the following cases:
No. In the cases above you will notice that an individual with an account in the VH is always sponsored by an organisation that has joined Tuakiri. This means the organisation is bound by the Federation Rules. By adding the individual to the VH, that organisation takes on the identity provider’s responsibilities with respect to that individual.
Tuakiri participant organisations each have their own section in the VH where they manage their users. For every organisation that is created on the Tuakiri Federation Registry, a section is created on the VH automatically. This means that if your organisation runs an IdP and / or one or more SPs in Tuakiri, the VH carries a section for your organisation. If you would like to become a manager for your organisation’s section, please send a request to firstname.lastname@example.org.
When your organisation joins Tuakiri, they nominate an administrator who will manage their section of the VH. This person can then delegate the authority to others in your organisation. Subsections can also be added by their own administrators. You might want to do this, for example, if one of your university’s faculties or research centres needs to add users to the VH. You must request the addition of a subsection within your organisation’s section via a request to email@example.com.
The VH supports all of Tuakiri’s core attributes. It is possible to have additional attributes added. Please contact firstname.lastname@example.org with information about the attribute name, URN, description, and an explanation of how it is expected to be used.
No. For these users the value of the schacHomeOrganization attribute will be virtualhome.tuakiri.ac.nz. It is however possible to change the value of this attribute for users in your section of the VH, adding a prefix corresponding to your organization (and possibly also another prefix corresponding to the user group). Please contact email@example.com if you would like to have this setting changed. Also, note that the value of the Organization Name attribute would be matching the (human readable) name of your organization as registered in the Federation Registry.
No. In the grid community, the term virtual organisation means a group of users authorised to share a set of files and resources. This can create some confusion with the term Virtual Home. The VH is not used for group authorisation. It is simply a surrogate identity provider for users who don’t otherwise have one.
Usually not. Using the VH in this way is only an option if you have a very small number of users who need to access Tuakiri-connected services. If you have your own user directory or identity management system and more than a few of these individuals need to access services, it will be better for you to run your own IdP. An important benefit of Tuakiri is that it allows the user’s credentials, issued by their home organisation, to be accepted in more places. Users in the VH miss out on this benefit because they will have an additional username and password to remember. You will also have additional overhead in provisioning, deprovisioning, and maintaining users in the VH. It will be easier for you if this information is automatically populated to your IdP from your internal user directory or identity management system.
There is currently no defined process or tools for this. Transferring a user and ensuring their continuity of service will vary from SP to SP. For SPs that use the auEduPersonSharedToken as a unique ID to identify their users, a transfer of the Shared Token will be required. The user’s Shared Token is visible within the VH administration tool. It needs to be imported into the organisation’s identity system on behalf of the user. For SPs that use the eduPersonTargetedID the user, when transferred, will look like a new user to the service.