background-color: #EEEEEE;
padding: 3px;
}
- .fixedwidth
+ .fixed
{
font-family: monospace;
font-size: 90%;
</style></head><body link="red" vlink="red" alink="black" bgcolor="white">
InQueue Federation Policy and Configuration Guidelines<br>
- Version 1.1<br />
- August 4, 2003<br />
+ Version 1.2<br />
+ May 17, 2004<br />
<h3>InQueue Federation Policy and Configuration Guidelines</h3>
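Review bot: the renamed ".fixed" rule is never closed: after "font-size: 90%;" the next visible line is "</style></head><body ...>", so the closing "}" is missing unless a context line was dropped from the hunk; add "}" before "</style>". The rename from ".fixedwidth" to ".fixed" also means every class="fixedwidth" in the document has to change; the later hunks do this for the sections shown, but grep the whole file for "fixedwidth" before merging so no span silently loses its monospace styling.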
appropriate set of trusted roots for the issuance of SSL
certificates that Shibboleth trusts. For InQueue, this list may
be obtained from <span
- class="fixedwidth">http://wayf.internet2.edu/InQueue/ca-bundle.
+ class="fixed">http://wayf.internet2.edu/InQueue/ca-bundle.
crt</span>. This list should then be copied for <span
- class="fixedwidth">mod_ssl</span>, which will typically need to
+ class="fixed">mod_ssl</span>, which will typically need to
be to <span
- class="fixedwidth">/conf/ssl.crt/ca-bundle.crt</span>. This
+ class="fixed">/conf/ssl.crt/ca-bundle.crt</span>. This
list of CA's is <b>not</b> rigorous nor secure and may contain
CA's which have no level of assurance or are questionable.</p>
</blockquote>
"osu.edu").</li>
<li>Complete URL to access the Shibboleth Handle Service at the site.</li>
<li>The CN (usually the hostname) of the HS's certificate's subject.
- This should also be the value of <span class="fixedwidth">edu.internet2.middleware.shibboleth.hs.
- HandleServlet.issuer</span> in <span class="fixedwidth">origin.properties</span>.</li>
+ This should also be the value of the <span class="fixed">providerID</span> attribute in the main <a href="http://SHIBBOLETHORIGINGUIDEURL#confShibbolethOriginConfig"><span class="fixed">ShibbolethOriginConfig</span></a> element or the InQueue <a href="http://SHIBBOLETHORIGINGUIDEURL#confRelyingParty"><span class="fixed">RelyingParty</span></a> element in <span class="fixed">origin.xml</span>.</li>
+ <li>Complete URL to access the Shibboleth Attribute Authority at the site.</li>
+ <li>The CN (usually the hostname) of the AA's certificate's subject.
+ This should also be the value of the <a href="http://SHIBBOLETHORIGINGUIDEURL#confFileResolver"><span class="fixed">FileResolver</span></a> element pointed to by <span class="fixed">AASigningCredential</span> attribute in the main <a href="http://SHIBBOLETHORIGINGUIDEURL#confShibbolethOriginConfig"><span class="fixed">ShibbolethOriginConfig</span></a> element or the InQueue <a href="http://SHIBBOLETHORIGINGUIDEURL#confRelyingParty"><span class="fixed">RelyingParty</span></a> element in <span class="fixed">origin.xml</span>.</li>
<li>Any shorthand aliases the WAYF should support for the origin
site (e.g., Ohio State, OSU, Buckeyes)</li>
<li>Contact names and addresses for technical and administrative
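Review bot: attribute case is inconsistent: the new HS bullet says the CN should match the "providerID" attribute, while every other new line in this patch (the 4.a steps and the 4.b Applications step) writes "providerId". XML attribute names are case-sensitive, so use the spelling origin.xml actually expects (the 4.a steps suggest "providerId") here as well. The new AA bullet is also muddled: "the value of the FileResolver element pointed to by AASigningCredential attribute" should say that the CN must match the subject of the certificate referenced by the FileResolver element that the "AASigningCredential" attribute names, with "the" added before "AASigningCredential".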
<li>The name of the organization</li>
<li>Contact names and addresses for both administrative and
technical purposes</li>
+ <li>The URL of all SHIRE services (specified using a shireURL attribute in a <a href="http://SHIBBOLETHTARGETGUIDEURL#confSessions"><span class="fixed">Sessions</span></a> element) set up for this organization.</li>
</ul>
</blockquote>
the following configuration parameters must be entered to ensure
interoperability and compliance with federation guidelines. Consult
the Shibboleth Deploy Guides for further information on these fields
- and on <span class="fixedwidth">origin.properties</span> and <span class="fixedwidth">shibboleth.ini</span>.</p></blockquote>
+ and on <span class="fixed">origin.xml</span> and <span class="fixed">shibboleth.xml</span>.</p></blockquote>
<blockquote><h5>4.a. Origins:</h5>
-
- <dl><dd class="attribute"><span class="fixedwidth">edu.internet2.middleware.shibboleth.hs.HandleServlet.siteName</span>
- </dd><dd class="value"><p>Must be populated with a URI that will
- be assigned by InQueue when you are accepted into the
- federation.</p></dd><dd class="attribute"><span class="fixedwidth">edu.internet2.middleware.shibboleth.audiences</span>
- </dd><dd class="value"><p>This field must contain InQueue's <span class="fixedwidth">urn:mace:inqueue</span> URI, and may contain other federation URIs as well.</p></dd></dl>
+ <p>The following steps must be undertaken to configure a
+ standard Shibboleth origin configuration to use InQueue. Some
+ steps may vary or may be completed already depending on how
+ <span class="fixed">origin.xml</span> has already been
+ modified.</p>
+ <ol>
+ <li><a href="http://SHIBBOLETHORIGINGUIDEURL#confShibbolethOriginConfig"><span class="fixed">ShibbolethOriginConfig</span></a> must be modified as follows:
+ <ul>
+ <li><span class="fixed">providerId</span> must be populated with a URI that will be assigned by InQueue when you are accepted into the federation.</li>
+ <li><span class="fixed">defaultRelyingParty</span> should be changed to <span class="fixed">urn:mace:inqueue</span>.</li>
+ </ul></li>
+ <li>Uncomment the InQueue <a href="http://SHIBBOLETHORIGINGUIDEURL#confRelyingParty"><span class="fixed">RelyingParty</span></a> element, and within it, modify the <span class="fixed">providerId</span> to match the value assigned by InQueue to this origin.</li>
+ <li>A new <a href="http://SHIBBOLETHORIGINGUIDEURL#confKeyStoreResolver"><span class="fixed">KeyStoreResolver</span></a> element must be added pointing to the private key and certificate for use by this origin. See <a href="http://SHIBBOLETHORIGINGUIDEURL#4.b.">section 4.b</a> of the origin deploy guide for further information.</li>
+ <li>Add a <a href="http://SHIBBOLETHORIGINGUIDEURL#confFederationProvider"><span class="fixed">FederationProvider</span></a> element for InQueue as follows:
+ <blockquote><span class="fixed">
+ <FederationProvider type="edu.internet2.middleware.shibboleth.metadata.provider.XMLMetadataLoadWrapper" uri="/conf/inqueue_sites.xml"/>
+ </span></blockquote></li>
+ </ol>
</blockquote>
<blockquote><h5>4.b. Targets:</h5>
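Review bot: the new FederationProvider element points at uri="/conf/inqueue_sites.xml", but the metadatatool command added in section 4.c writes the fetched metadata with "-o /conf/sites.xml". One of the two filenames has to change so the origin reads the file that metadatatool refreshes; as written the origin either fails to load the provider or keeps serving a stale copy. It would also help to say whether "/conf/" is an absolute path or relative to the Shibboleth installation, since both occurrences begin with a slash and the target example in 4.c uses a different layout ("/opt/shibboleth/etc/shibboleth").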
- <dl><dd class="attribute"><span class="fixedwidth">wayfURL</span>
- </dd><dd class="value"><p>This field must be set to InQueue's simple WAYF at <span class="fixedwidth">https://wayf.internet2.edu/InQueue/WAYF</span>.</p></dd><dd class="attribute"><span class="fixedwidth">[policies]</span>
- </dd><dd class="value"><p>This section must contain <span class="fixedwidth">InQueue = urn:mace:inqueue</span>, and may
- contain other federation name/value pairs as well.</p></dd>
- </dl>
+ <p>The following steps must be undertaken to configure a
+ standard Shibboleth origin configuration to use InQueue. Some
+ steps may vary or may be completed already depending on how
+ <span class="fixed">shibboleth.xml</span> has already been
+ modified. This guide covers modification of the default <a
+ href="http://SHIBBOLETHTARGETGUIDEURL#confApplications"><span
+ class="fixed">Applications</span></a> element from localhost
+ operation to InQueue operation for simplicity's sake.</p>
+ <ol>
+ <li>The <span class="fixed">providerId</span> attribute of the <a href="http://SHIBBOLETHTARGETGUIDEURL#confApplications"><span class="fixed">Applications</span></a> element should be changed to the InQueue-assigned value.</li>
+ <li>Ensure that the <a href="http://SHIBBOLETHTARGETGUIDEURL#confSessions"><span class="fixed">Sessions</span></a> element's <span class="fixed">wayfURL</span> is <span class="fixed">https://wayf.internet2.edu/InQueue/WAYF</span>.</li>
+ <li>Uncomment the InQueue <a href="http://SHIBBOLETHTARGETGUIDEURL#confRelyingParty"><span class="fixed">RelyingParty</span></a> element within the <a href="http://SHIBBOLETHTARGETGUIDEURL#confCredentialsUse"><span class="fixed">CredentialsUse</span></a> element.</li>
+ <li>Uncomment the <a href="http://SHIBBOLETHTARGETGUIDEURL#confFileResolver"><span class="fixed">FileResolver</span></a> element with a <span class="fixed">Id</span> of <span class="fixed">inqueuecreds</span>. The key path, key password, and certificate path should be modified to match new credentials generated according to <a href="http://SHIBBOLETHTARGETGUIDEURL#4.c.">section 4.c</a> of the target deploy guide.</li>
+ </ol>
</blockquote>
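Review bot: the introductory paragraph of "4.b. Targets" says "configure a standard Shibboleth origin configuration to use InQueue", but the steps and the file it names ("shibboleth.xml") belong to the target; this was copied from 4.a and should read "target configuration". Minor: "a Id of inqueuecreds" should be "an Id of inqueuecreds", and since the FileResolver step already tells readers to change the key path, key password and certificate path, state explicitly that the values in the shipped commented-out element are placeholders that must not be left in place once the element is uncommented.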
- <blockquote><h5>4.b.i. Refreshing Federation Metadata:</h5>
- <p>Once your target site is accepted into the InQueue federation, it is necessary that you periodically
- update the target's federation metadata. This metadata includes information used to identify and authenticate
- InQueue sites.</p>
+ <blockquote><h5>4.c. Refreshing Federation Metadata:</h5>
+ <p>Shibboleth 1.2 includes metadata both for origin sites
+ and for target sites. The origin has the <a
+ href="http://SHIBBOLETHORIGINGUIDEURL#4.e."><span
+ class="fixed">metadatatool</span></a> and the target uses
+ the <a href="http://SHIBBOLETHTARGETGUIDEURL#4.g."><span
+ class="fixed">siterefresh</span></a> tool to maintain
+ locally cached versions of various files. Once your site
+ is accepted into the InQueue federation, it is necessary
+ that you periodically update the federation's metadata.
+ This metadata includes information used to identify and
+ authenticate InQueue sites. This should be frequently run
+ by adding it to a <span class="fixed">crontab</span> to
+ ensure that the data is fresh.</p>
<p>InQueue's metadata is digitally signed, so the first step is to obtain the InQueue signing certificate.
- It can be downloaded from <span class="fixedwidth">http://wayf.internet2.edu/InQueue/internet2.pem
+ It can be downloaded from <span class="fixed">http://wayf.internet2.edu/InQueue/internet2.pem
</span> and has a fingerprint of:</p>
- <p><span class="fixedwidth">b4 42 6c 1e 8b 7d 8e b3 68 03 00 e4 c4 57 dd 74 89 f8 9a 80</span>.</p>
-
- <p>The following commands can be used to obtain the federation's metadata:</p>
- <p><span class="fixedwidth"> $ cd /opt/shibboleth/etc/shibboleth</span></p>
- <p><span class="fixedwidth">$ ../../bin/siterefresh --url http://wayf.internet2.edu/InQueue/sites.xml
- --out sites.xml --cert internet2.pem</span></p>
- <p><span class="fixedwidth">$ ../../bin/siterefresh --url http://wayf.internet2.edu/InQueue/trust.xml
- --out trust.xml --cert internet2.pem</span></p>
+ <p><span class="fixed">b4 42 6c 1e 8b 7d 8e b3 68 03 00 e4 c4 57 dd 74 89 f8 9a 80</span>.</p>
+
+ <p>The following commands can be used to obtain the federation's metadata for a Shibboleth <b>target</b>:</p>
+ <blockquote><span class="fixed">
+ $ cd /opt/shibboleth/etc/shibboleth<br>
+ $ ../../bin/siterefresh --url http://wayf.internet2.edu/InQueue/sites.xml --out sites.xml --cert internet2.pem<br>
+ $ ../../bin/siterefresh --url http://wayf.internet2.edu/InQueue/trust.xml --out trust.xml --cert internet2.pem</span>
+ </blockquote>
+
+ <p>The following commands can be used to obtain the federation's metadata for a Shibboleth <b>origin</b>:</p>
+ <blockquote><span class="fixed">bin/metadatatool -i https://wayf.internet2.edu/InQueue/sites.xml -k conf/internet2.jks -p shib123 -a sitesigner -o /conf/sites.xml
+ </span></blockquote>
</blockquote>
<h4>5. Testing</h4>
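Review bot: the metadatatool line embeds a literal keystore password, "-p shib123"; if this is the default password of the shipped conf/internet2.jks, say so and note that the store only holds the InQueue signing certificate (a public value), otherwise replace it with a placeholder, because readers will copy the line verbatim. Two further gaps in the same hunk: the target commands fetch both sites.xml and trust.xml while the origin command fetches only sites.xml, so state whether the origin also needs trust.xml; and the signing certificate fingerprint is given without its algorithm (20 bytes implies SHA-1) or a way to check it, so the paragraph that introduces the download should add a verification step such as "openssl x509 -in internet2.pem -noout -fingerprint -sha1" and compare the output against the listed value before the certificate is used with either tool. Finally, the sentence "This should be frequently run by adding it to a crontab" in the 4.c introduction names two tools but never says which "it" refers to; name both (siterefresh on the target, metadatatool on the origin).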
- <blockquote><p>A <a href="https://wayf.internet2.edu/shibboleth/sample.jsp">sample shibboleth target</a>
+ <blockquote><p>A <a href="https://wayf.internet2.edu/InQueue/sample.jsp">sample shibboleth target</a>
is available for testing newly installed origin sites. New targets can make use of a sample origin,
which is listed as "Example State University" on the InQueue WAYF ( Username: demo / Password: demo ).</p></blockquote>