Updates to 1.2; new information requirements, configuration changes, and URL's.
authorndk <ndk@ab3bd59b-922f-494d-bb5f-6f0a3c29deca>
Wed, 19 May 2004 04:41:22 +0000 (04:41 +0000)
committerndk <ndk@ab3bd59b-922f-494d-bb5f-6f0a3c29deca>
Wed, 19 May 2004 04:41:22 +0000 (04:41 +0000)
git-svn-id: https://subversion.switch.ch/svn/shibboleth/java-idp/trunk@1055 ab3bd59b-922f-494d-bb5f-6f0a3c29deca

doc/InQueue.html

index 4720ec5..3215f3b 100644 (file)
                                background-color: #EEEEEE;
                                padding: 3px;
                        }
-                       .fixedwidth
+                       .fixed
                        {
                                font-family: monospace;
                                font-size: 90%;
 
                </style></head><body link="red" vlink="red" alink="black" bgcolor="white">
                InQueue Federation Policy and Configuration Guidelines<br>
-               Version 1.1<br />
-               August 4, 2003<br />
+               Version 1.2<br />
+               May 17, 2004<br />
 
                <h3>InQueue Federation Policy and Configuration Guidelines</h3>
 
                                appropriate set of trusted roots for the issuance of SSL
                                certificates that Shibboleth trusts.  For InQueue, this list may
                                be obtained from <span
-                               class="fixedwidth">http://wayf.internet2.edu/InQueue/ca-bundle.
+                               class="fixed">http://wayf.internet2.edu/InQueue/ca-bundle.
                                crt</span>.  This list should then be copied for <span
-                               class="fixedwidth">mod_ssl</span>, which will typically need to
+                               class="fixed">mod_ssl</span>, which will typically need to
                                be to <span
-                               class="fixedwidth">/conf/ssl.crt/ca-bundle.crt</span>.  This
+                               class="fixed">/conf/ssl.crt/ca-bundle.crt</span>.  This
                                list of CA's is <b>not</b> rigorous nor secure and may contain
                                CA's which have no level of assurance or are questionable.</p>
                        </blockquote>
                                        "osu.edu").</li>
                                        <li>Complete URL to access the Shibboleth Handle Service at the site.</li>
                                        <li>The CN (usually the hostname) of the HS's certificate's subject.
-                                       This should also be the value of <span class="fixedwidth">edu.internet2.middleware.shibboleth.hs.
-                                               HandleServlet.issuer</span> in <span class="fixedwidth">origin.properties</span>.</li>
+                                       This should also be the value of the <span class="fixed">providerID</span> attribute in the main <a href="http://SHIBBOLETHORIGINGUIDEURL#confShibbolethOriginConfig"><span class="fixed">ShibbolethOriginConfig</span></a> element or the InQueue <a href="http://SHIBBOLETHORIGINGUIDEURL#confRelyingParty"><span class="fixed">RelyingParty</span></a> element in <span class="fixed">origin.xml</span>.</li>
+                                       <li>Complete URL to access the Shibboleth Attribute Authority at the site.</li>
+                                       <li>The CN (usually the hostname) of the AA's certificate's subject.
+                                       This should also be the value of the <a href="http://SHIBBOLETHORIGINGUIDEURL#confFileResolver"><span class="fixed">FileResolver</span></a> element pointed to by <span class="fixed">AASigningCredential</span> attribute in the main <a href="http://SHIBBOLETHORIGINGUIDEURL#confShibbolethOriginConfig"><span class="fixed">ShibbolethOriginConfig</span></a> element or the InQueue <a href="http://SHIBBOLETHORIGINGUIDEURL#confRelyingParty"><span class="fixed">RelyingParty</span></a> element in <span class="fixed">origin.xml</span>.</li>
                                        <li>Any shorthand aliases the WAYF should support for the origin
                                        site (e.g., Ohio State, OSU, Buckeyes)</li>
                                        <li>Contact names and addresses for technical and administrative
                                        <li>The name of the organization</li>
                                        <li>Contact names and addresses for both administrative and
                                        technical purposes</li>
+                                       <li>The URL of all SHIRE services (specified using a shireURL attribute in a <a href="http://SHIBBOLETHTARGETGUIDEURL#confSessions"><span class="fixed">Sessions</span></a> element) set up for this organization.</li>
                                </ul>
                        </blockquote>
 
                                the following configuration parameters must be entered to ensure
                                interoperability and compliance with federation guidelines.  Consult
                                the Shibboleth Deploy Guides for further information on these fields
-                               and on <span class="fixedwidth">origin.properties</span> and <span class="fixedwidth">shibboleth.ini</span>.</p></blockquote>
+                               and on <span class="fixed">origin.xml</span> and <span class="fixed">shibboleth.xml</span>.</p></blockquote>
 
                        <blockquote><h5>4.a. Origins:</h5>
-
-                               <dl><dd class="attribute"><span class="fixedwidth">edu.internet2.middleware.shibboleth.hs.HandleServlet.siteName</span>
-                                       </dd><dd class="value"><p>Must be populated with a URI that will
-                                       be assigned by InQueue when you are accepted into the
-                                       federation.</p></dd><dd class="attribute"><span class="fixedwidth">edu.internet2.middleware.shibboleth.audiences</span>
-                                       </dd><dd class="value"><p>This field must contain InQueue's <span class="fixedwidth">urn:mace:inqueue</span> URI, and may contain other federation URIs as well.</p></dd></dl>
+                               <p>The following steps must be undertaken to configure a
+                               standard Shibboleth origin configuration to use InQueue.  Some
+                               steps may vary or may be completed already depending on how
+                               <span class="fixed">origin.xml</span> has already been
+                               modified.</p>
+                               <ol>
+                                       <li><a href="http://SHIBBOLETHORIGINGUIDEURL#confShibbolethOriginConfig"><span class="fixed">ShibbolethOriginConfig</span></a> must be modified as follows:
+                                       <ul>
+                                               <li><span class="fixed">providerId</span> must be populated with a URI that will be assigned by InQueue when you are accepted into the federation.</li>
+                                               <li><span class="fixed">defaultRelyingParty</span> should be changed to <span class="fixed">urn:mace:inqueue</span>.</li>
+                                       </ul></li>
+                                       <li>Uncomment the InQueue <a href="http://SHIBBOLETHORIGINGUIDEURL#confRelyingParty"><span class="fixed">RelyingParty</span></a> element, and within it, modify the <span class="fixed">providerId</span> to match the value assigned by InQueue to this origin.</li>
+                                       <li>A new <a href="http://SHIBBOLETHORIGINGUIDEURL#confKeyStoreResolver"><span class="fixed">KeyStoreResolver</span></a> element must be added pointing to the private key and certificate for use by this origin.  See <a href="http://SHIBBOLETHORIGINGUIDEURL#4.b.">section 4.b</a> of the origin deploy guide for further information.</li>
+                                       <li>Add a <a href="http://SHIBBOLETHORIGINGUIDEURL#confFederationProvider"><span class="fixed">FederationProvider</span></a> element for InQueue as follows:
+                                       <blockquote><span class="fixed">
+                                               &lt;FederationProvider type=&quot;edu.internet2.middleware.shibboleth.metadata.provider.XMLMetadataLoadWrapper&quot; uri=&quot;/conf/inqueue_sites.xml&quot;/&gt;
+                                       </span></blockquote></li>
+                               </ol>
                                </blockquote>
 
                                <blockquote><h5>4.b. Targets:</h5>
 
-                                       <dl><dd class="attribute"><span class="fixedwidth">wayfURL</span>
-                                               </dd><dd class="value"><p>This field must be set to InQueue's simple WAYF at <span class="fixedwidth">https://wayf.internet2.edu/InQueue/WAYF</span>.</p></dd><dd class="attribute"><span class="fixedwidth">[policies]</span>
-                                               </dd><dd class="value"><p>This section must contain <span class="fixedwidth">InQueue = urn:mace:inqueue</span>, and may
-                                               contain other federation name/value pairs as well.</p></dd>
-                                       </dl>
+                               <p>The following steps must be undertaken to configure a
+                               standard Shibboleth origin configuration to use InQueue.  Some
+                               steps may vary or may be completed already depending on how
+                               <span class="fixed">shibboleth.xml</span> has already been
+                               modified.  This guide covers modification of the default <a
+                               href="http://SHIBBOLETHTARGETGUIDEURL#confApplications"><span
+                               class="fixed">Applications</span></a> element from localhost
+                               operation to InQueue operation for simplicity's sake.</p>
+                               <ol>
+                                       <li>The <span class="fixed">providerId</span> attribute of the <a href="http://SHIBBOLETHTARGETGUIDEURL#confApplications"><span class="fixed">Applications</span></a> element should be changed to the InQueue-assigned value.</li>
+                                       <li>Ensure that the <a href="http://SHIBBOLETHTARGETGUIDEURL#confSessions"><span class="fixed">Sessions</span></a> element's <span class="fixed">wayfURL</span> is <span class="fixed">https://wayf.internet2.edu/InQueue/WAYF</span>.</li>
+                                       <li>Uncomment the InQueue <a href="http://SHIBBOLETHTARGETGUIDEURL#confRelyingParty"><span class="fixed">RelyingParty</span></a> element within the <a href="http://SHIBBOLETHTARGETGUIDEURL#confCredentialsUse"><span class="fixed">CredentialsUse</span></a> element.</li>
+                                       <li>Uncomment the <a href="http://SHIBBOLETHTARGETGUIDEURL#confFileResolver"><span class="fixed">FileResolver</span></a> element with a <span class="fixed">Id</span> of <span class="fixed">inqueuecreds</span>.  The key path, key password, and certificate path should be modified to match new credentials generated according to <a href="http://SHIBBOLETHTARGETGUIDEURL#4.c.">section 4.c</a> of the target deploy guide.</li>
+                               </ol>
                                </blockquote>
 
-                               <blockquote><h5>4.b.i. Refreshing Federation Metadata:</h5>
-                                       <p>Once your target site is accepted into the InQueue federation, it is necessary that you periodically
-                                       update the target's federation metadata.  This metadata includes information used to identify and authenticate
-                                       InQueue sites.</p>
+                               <blockquote><h5>4.c. Refreshing Federation Metadata:</h5>
+                                       <p>Shibboleth 1.2 includes metadata both for origin sites
+                                       and for target sites.  The origin has the <a
+                                       href="http://SHIBBOLETHORIGINGUIDEURL#4.e."><span
+                                       class="fixed">metadatatool</span></a> and the target uses
+                                       the <a href="http://SHIBBOLETHTARGETGUIDEURL#4.g."><span
+                                       class="fixed">siterefresh</span></a> tool to maintain
+                                       locally cached versions of various files.   Once your site
+                                       is accepted into the InQueue federation, it is necessary
+                                       that you periodically update the federation's metadata. 
+                                       This metadata includes information used to identify and
+                                       authenticate InQueue sites.  This should be frequently run
+                                       by adding it to a <span class="fixed">crontab</span> to
+                                       ensure that the data is fresh.</p>
                                        
                                        <p>InQueue's metadata is digitally signed, so the first step is to obtain the InQueue signing certificate.  
-                                       It can be downloaded from <span class="fixedwidth">http://wayf.internet2.edu/InQueue/internet2.pem
+                                       It can be downloaded from <span class="fixed">http://wayf.internet2.edu/InQueue/internet2.pem
                                        </span> and has a fingerprint of:</p>
-                                       <p><span class="fixedwidth">b4 42 6c 1e 8b 7d 8e b3 68 03 00 e4 c4 57 dd 74 89 f8 9a 80</span>.</p>
-
-                                       <p>The following commands can be used to obtain the federation's metadata:</p>
-                                       <p><span class="fixedwidth"> $ cd /opt/shibboleth/etc/shibboleth</span></p>
-                                       <p><span class="fixedwidth">$ ../../bin/siterefresh --url http://wayf.internet2.edu/InQueue/sites.xml
-                                               --out sites.xml --cert internet2.pem</span></p>
-                                               <p><span class="fixedwidth">$ ../../bin/siterefresh --url http://wayf.internet2.edu/InQueue/trust.xml 
-                                                       --out trust.xml --cert internet2.pem</span></p>
+                                       <p><span class="fixed">b4 42 6c 1e 8b 7d 8e b3 68 03 00 e4 c4 57 dd 74 89 f8 9a 80</span>.</p>
+
+                                       <p>The following commands can be used to obtain the federation's metadata for a Shibboleth <b>target</b>:</p>
+                                       <blockquote><span class="fixed">
+                                       $ cd /opt/shibboleth/etc/shibboleth<br>
+                    $ ../../bin/siterefresh --url http://wayf.internet2.edu/InQueue/sites.xml --out sites.xml --cert internet2.pem<br>
+                                       $ ../../bin/siterefresh --url http://wayf.internet2.edu/InQueue/trust.xml --out trust.xml --cert internet2.pem</span>
+                                       </blockquote>
+
+                                       <p>The following commands can be used to obtain the federation's metadata for a Shibboleth <b>origin</b>:</p>
+                                       <blockquote><span class="fixed">bin/metadatatool -i https://wayf.internet2.edu/InQueue/sites.xml -k conf/internet2.jks -p shib123 -a sitesigner -o /conf/sites.xml
+                                       </span></blockquote>
                                </blockquote>
 
                                <h4>5.  Testing</h4>
-                               <blockquote><p>A <a href="https://wayf.internet2.edu/shibboleth/sample.jsp">sample shibboleth target</a>
+                               <blockquote><p>A <a href="https://wayf.internet2.edu/InQueue/sample.jsp">sample shibboleth target</a>
                                        is available for testing newly installed origin sites.  New targets can make use of a sample origin, 
                                        which is listed as "Example State University" on the InQueue WAYF ( Username: demo / Password: demo ).</p></blockquote>