+++ /dev/null
-<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
-<html>
- <head>
- <title>InQueue Federation Policy and Configuration Guidelines</title>
- <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
- <style type="text/css">
-
- html
- {
- background-color: #FFFFFF;
- color: #000000;
- margin: .5em;
- }
- a:visited
- {
- color: #999999;
- }
- a:link
- {
- color: #990000;
- }
- a:active
- {
- color: #440000;
- }
- .fixed
- {
- font-family: monospace;
- font-size: 90%;
- font-color: #121212;
- }
-
- </style></head><body link="red" vlink="red" alink="black" bgcolor="white">
- InQueue Federation Policy and Configuration Guidelines<br>
- Version 1.2<br />
- May 19, 2004<br />
-
- <h3>InQueue Federation Policy and Configuration Guidelines</h3>
-
- <h4>1. Introduction to InQueue</h4>
- <blockquote><p>
- The InQueue Federation, operated by Internet2, is designed for
- organizations that are becoming familiar with the Shibboleth
- software package and the federated trust model. It is also
- available as a temporary alternative to sites for which no suitable
- production-level federation exists. InQueue provides the basic
- services needed for a federation using Shibboleth:</p>
-
- <ul>
- <li>maintenance and distribution of participating site description and
- security files;</li>
- <li>a central WAYF ("where are you from") web site;</li>
- <li>specification of operational procedures and policies, including
- user data (attribute) definitions; and</li>
- <li>example target and origin sites with which to test
- interoperability.</li>
- </ul>
-
- <p>Participating in InQueue permits an organization to learn about the
- Shibboleth software via the experience of multi-party federated access,
- while integrating its services into the organization's procedures and
- policies.</p>
-
- <p>The InQueue federation is specifically <b>not</b> intended to support
- production-level end-user access to protected resources. Organizations
- operating target sites are strongly discouraged from making sensitive or
- valuable resources available via the Federation. <b>Specifically, certificate
- authorities with no level of assurance may be used to issue certificates
- to participating sites, and therefore none of the interactions can be
- trusted.</b></p>
- </blockquote>
-
- <h4>2. InQueue Policies</h4>
-
- <h4>2.1 Participation</h4>
-
- <blockquote><p>An organization may join InQueue as an origin, as a
- target, or both.
- Participants are expected to be authorized representatives of
- their organization. Internet2 reserves the right to make final
- decisions about participation in the Federation.</p>
-
- <p>InQueue is intended to serve as a primary federation
- for an organization only during the period an
- organization is learning about Shibboleth and federated
- operations. Upon completion of this period, the
- organization is expected to join a Federation (or some
- other management solution) that meets its long-term
- operational needs. </p>
-
- <p>By joining InQueue, an organization agrees that the
- Federation can list their name on the Federation web
- site as a member of the Federation.</p>
-
- <p>In joining InQueue, an organization will make a good
- faith effort to maintain a web page describing their use
- of Shibboleth. This page will be linked from the
- Federation member list.</p>
-
- </blockquote>
-
- <h4>2.2 Data management</h4>
-
- <blockquote><p>
- By participating, origins agree that all attributes sent
- to targets in the Federation to the best of their knowledge accurately
- represent information about the authenticated individual accessing the
- target resource.</p>
-
- <p>Targets agree to dispose of all received
- attributes properly by not mis-using them, aggregating them, or
- sharing them with other organizations.</p></blockquote>
-
- <h4>2.3 Security management</h4>
-
- <blockquote><p>InQueue distributes a set of root certificates for
- issuers from which server certificates may be obtained to identify
- InQueue server components. Both targets and origins should have a
- certificate obtained from one of the authorities below. Additional
- certificate authorities may be recognized as necessary to support
- use of both free and common commercial certificates for testing.
- The list of certificate authorities used by InQueue is:</p>
- <ul type="circle">
- <li><a href="http://www.verisign.com/">Verisign/RSA Secure Server CA</a></li>
- <li><a href="http://bossie.doit.wisc.edu/cert/i2server">Internet2
- HEPKI Test CA</a></li>
- <li><a href="http://www.cren.net/crenca/">CREN CA</a></li>
- <li><a href="http://www.thawte.com/ssl/index.html">Thawte Server & Premium Server CA's</a></li>
- <li><a href="http://www.incommonfederation.org/">InCommon CA</a></li>
- </ul>
-
- </blockquote>
-
- <h4>2.4 Attributes</h4>
- <blockquote><p>The InQueue
- Federation specifies a set of attribute definitions to support basic
- attribute-based authorization.</p>
- <ol>
- <li>Attribute assertions issued or received by InQueue members including eduPerson attributes should conform to the syntax and semantics defined by the <a href="http://www.educause.edu/eduperson/">eduPerson 2003/12</a> specification.
-
- <ul type="circle">
- <li>urn:mace:dir:attribute-def:eduPersonEntitlement</li>
- <li>urn:mace:dir:attribute-def:eduPersonPrincipalName</li>
- <li>urn:mace:dir:attribute-def:eduPersonScopedAffiliation</li>
- </ul></li>
- <li>If a Federation member sends or receives an Attribute Assertion
- containing the InQueue policy uri and referencing one of the listed
- attributes,
- the syntax and semantics of the associated attribute value should
- conform
- to the definitions specified in the relevant <a href="http://www/ietf.org">IETF</a> RFCs.
-
- <ul type="circle">
- <li>cn
- <li>sn
- <li>telephoneNumber
- <li>title
- <li>initials
- <li>description
- <li>carLicense
- <li>departmentNumber
- <li>displayName
- <li>employeeNumber
- <li>employeeType
- <li>preferredLanguage
- <li>manager
- <li>roomNumber
- <li>seeAlso
- <li>facsimileTelephoneNumber
- <li>street
- <li>postOfficeBox
- <li>postalCode
- <li>st
- <li>givenName
- <li>l
- <li>businessCategory
- <li>ou
- <li>physicalDeliveryOfficeName
- </ul>
- <li>If a Federation member sends or receives an eduPersonEntitlement Attribute Assertion
- containing the InQueue policy uri and containing one of the listed
- values,
- the syntax and semantics of the associated attribute value should
- conform
- to these definitions
-
- <ul type="circle">
- <li>urn:mace:incommon:entitlement:common:1
- <p>The person possesses an eduPersonAffiliation value of faculty, staff, or student, or qualifies as a "library walk-in".
-
- </ul>
- </ol>
- </blockquote>
-
- <h4>3. Joining InQueue</h4>
-
- <blockquote><p>To join InQueue, origins <a href="mailto:inqueue-support@internet2.edu?subject=Shib%20Origin%20Site%%0D%20%2020Application"> submit a request to
- inqueue-support@internet2.edu</a> containing the following
- information:</p></blockquote>
-
- <blockquote>
- <ul type="circle">
- <li>Domain Name of the origin site (e.g., Ohio State's is
- "osu.edu").</li>
- <li>Complete URL to access the Shibboleth Handle Service at
- the site.</li>
- <li>The CN (usually the hostname) or the full subject of the
- HS's certificate's subject. If the certificate is readable
- by OpenSSL (not keytool), this value can be obtained using
- the following command:
- <blockquote><span class="fixed">
- $ openssl x509 -in <file> -subject -nameopt rfc2253
- </span></blockquote></li>
- <li>Complete URL to access the Shibboleth Attribute Authority at the site.</li>
- <li>Any shorthand aliases the WAYF should support for the origin
- site (e.g., Ohio State, OSU, Buckeyes)</li>
- <li>Contact names and e-mail addresses for technical and
- administrative issues.</li>
- <li>The URL of an error page that users selecting this
- origin from the WAYF may be referred to by targets if there
- is a problem encountered by the target, such as incorrect
- attributes leading to an access failure. (optional)</li>
- <li>(optional) Briefly describe the organization's planned
- uses of Shibboleth.
- </ul></blockquote>
-
- <blockquote><p>To join InQueue, targets must <a href="mailto:inqueue-support@internet2.edu?subject=Shib%20Target%20Site%%0D%20%2020Application"> submit a basic application to
- inqueue-support@internet2.edu</a> containing the following
- information:</p></blockquote>
-
- <blockquote>
- <ul type="circle">
- <li>The name of the organization</li>
- <li>Contact names and e-mail addresses for techincal and
- administrative issues.</li>
- <li>The CN (usually the hostname) or the full subject of the
- SHAR's certificate's subject. If the certificate is readable
- by OpenSSL (not keytool), this value can be obtained using
- the following command:
- <blockquote><span class="fixed">
- $ openssl x509 -in <file> -subject -nameopt rfc2253
- </span></blockquote></li>
- <li>The URL of all SHIRE locations (specified using a
- <span class="fixed">shireURL</span> attribute in a <a
- href="http://SHIBBOLETHTARGETGUIDEURL#confSessions"><span
- class="fixed">Sessions</span></a> element) set up for this
- organization, e.g. <span
- class="fixed">https://example.org/Shibboleth.shire</span>.
- Note that the assumption is that access will only occur over
- the protocol specified by the SHIRE URL submitted (<span
- class="fixed">https</span> or <span
- class="fixed">http</span>); if there is a desire to listen
- on both ports, this should be noted in the application.</li>
- </ul>
- </blockquote>
-
- <h4>4. Configuration for Using InQueue</h4>
-
- <blockquote><p>Once your site is accepted into and added to InQueue,
- the following configuration parameters must be entered to ensure
- interoperability and compliance with federation guidelines. Consult
- the Shibboleth Deploy Guides for further information on these fields
- and on <span class="fixed">origin.xml</span> and <span class="fixed">shibboleth.xml</span>.</p></blockquote>
-
- <blockquote><h5>4.a. Origins:</h5>
- <p>The following steps must be undertaken to configure a
- standard Shibboleth origin configuration to use InQueue. Some
- steps may vary or may be completed already depending on how
- <span class="fixed">origin.xml</span> has already been
- modified.</p>
- <ol>
- <li><a href="http://SHIBBOLETHORIGINGUIDEURL#confShibbolethOriginConfig"><span class="fixed">ShibbolethOriginConfig</span></a> must be modified as follows:
- <ul>
- <li><span class="fixed">providerId</span> must be
- populated with a URI that will be assigned by InQueue
- when you are accepted into the federation.</li>
- <li><span class="fixed">defaultRelyingParty</span>
- should be changed to <span
- class="fixed">urn:mace:inqueue</span>.</li>
- <li>Ensure that <span class="fixed">AAUrl</span> has
- been changed to reflect the value sent in with the
- application.</li>
- </ul></li>
- <li>Uncomment the InQueue <a href="http://SHIBBOLETHORIGINGUIDEURL#confRelyingParty"><span class="fixed">RelyingParty</span></a> element. If the default <span class="fixed">providerId</span> as specified in <a href="http://SHIBBOLETHORIGINGUIDEURL#confShibbolethOriginConfig"><span class="fixed">ShibbolethOriginConfig</span></a> is not the one supplied by InQueue, modify the <span class="fixed">providerId</span> to match the value assigned by InQueue to this origin.</li>
- <li>A new <a href="http://SHIBBOLETHORIGINGUIDEURL#confKeyStoreResolver"><span class="fixed">KeyStoreResolver</span></a> or <a href="http://SHIBBOLETHORIGINGUIDEURL#confFileResolver"><span class="fixed">FileResolver</span></a> element must be added pointing to the private key and certificate for use by this origin. See <a href="http://SHIBBOLETHORIGINGUIDEURL#4.b.">section 4.b</a> of the origin deploy guide for further information.</li>
- <li>Uncomment the <a href="http://SHIBBOLETHORIGINGUIDEURL#confFederationProvider"><span class="fixed">FederationProvider</span></a> element for InQueue.</li>
- <li>OpenSSL must also be configured to use the
- appropriate set of trusted roots for the issuance of SSL
- certificates that Shibboleth trusts. For InQueue, this list may
- be obtained from <span
- class="fixed">http://wayf.internet2.edu/InQueue/ca-bundle.crt</span>.
- This list should then be copied for <span
- class="fixed">mod_ssl</span>, which will typically need to
- be to <span
- class="fixed">/conf/ssl.crt/ca-bundle.crt</span>. This
- list of CA's is <b>not</b> rigorous nor secure and may contain
- CA's which have no level of assurance or are questionable.</li>
- </ol>
- </blockquote>
-
- <blockquote><h5>4.b. Targets:</h5>
-
- <p>The following steps must be undertaken to configure a
- standard Shibboleth target configuration to use InQueue. Some
- steps may vary or may be completed already depending on how
- <span class="fixed">shibboleth.xml</span> has already been
- modified. This guide covers modification of the default <a
- href="http://SHIBBOLETHTARGETGUIDEURL#confApplications"><span
- class="fixed">Applications</span></a> element from localhost
- operation to InQueue operation for simplicity's sake.</p>
- <ol>
- <li>The <span class="fixed">providerId</span> attribute of the <a href="http://SHIBBOLETHTARGETGUIDEURL#confApplications"><span class="fixed">Applications</span></a> element should be changed to the InQueue-assigned value.</li>
- <li>Ensure that the <a href="http://SHIBBOLETHTARGETGUIDEURL#confSessions"><span class="fixed">Sessions</span></a> element's <span class="fixed">wayfURL</span> is <span class="fixed">https://wayf.internet2.edu/InQueue/WAYF</span>.</li>
- <li>Uncomment the InQueue <a href="http://SHIBBOLETHTARGETGUIDEURL#confRelyingParty"><span class="fixed">RelyingParty</span></a> element within the <a href="http://SHIBBOLETHTARGETGUIDEURL#confCredentialsUse"><span class="fixed">CredentialsUse</span></a> element.</li>
- <li>Uncomment the <a href="http://SHIBBOLETHTARGETGUIDEURL#confFileResolver"><span class="fixed">FileResolver</span></a> element with a <span class="fixed">Id</span> of <span class="fixed">inqueuecreds</span>. The key path, key password, and certificate path should be modified to match new credentials generated according to <a href="http://SHIBBOLETHTARGETGUIDEURL#4.c.">section 4.c</a> of the target deploy guide.</li>
- </ol>
- </blockquote>
-
- <blockquote><h5>4.c. Refreshing Federation Metadata:</h5>
- <p>Shibboleth 1.2 includes new metadata both for origin sites
- and for target sites. The origin has the <a
- href="http://SHIBBOLETHORIGINGUIDEURL#4.e."><span
- class="fixed">metadatatool</span></a> and the target uses
- the <a href="http://SHIBBOLETHTARGETGUIDEURL#4.g."><span
- class="fixed">siterefresh</span></a> tool to maintain
- locally cached versions of various files. Once your site
- is accepted into the InQueue federation, it is necessary
- that you periodically update the federation's metadata.
- This metadata includes information used to identify and
- authenticate InQueue sites. This should be frequently run
- by adding it to a <span class="fixed">crontab</span> to
- ensure that the data is fresh.</p>
-
- <p>InQueue's metadata is digitally signed, so the first step is to obtain the InQueue signing certificate.
- It can be downloaded from <span class="fixed">http://wayf.internet2.edu/InQueue/inqueue.pem
- </span> and has a fingerprint of:</p>
- <p><span class="fixed">b4 42 6c 1e 8b 7d 8e b3 68 03 00 e4 c4 57 dd 74 89 f8 9a 80</span>.</p>
-
- <p>The following commands can be used to obtain the federation's metadata for a Shibboleth 1.2 <b>target</b>:</p>
- <blockquote><span class="fixed">
- $ cd /opt/shibboleth/etc/shibboleth<br>
- $ ../../bin/siterefresh --url http://wayf.internet2.edu/InQueue/IQ-sites.xml --out IQ-sites.xml --cert inqueue.pem<br>
- $ ../../bin/siterefresh --url http://wayf.internet2.edu/InQueue/IQ-trust.xml --out IQ-trust.xml --cert inqueue.pem</span>
- </blockquote>
-
- <p>The origin metadatatool's operation is greatly simplified
- if a keystore file is downloaded from <span
- class="fixed">https://wayf.internet2.edu/InQueue/inqueue.jks</span>
- and placed in the same directory as <span
- class="fixed">metadatatool</span>. After this has been
- done, the following commands can be used to obtain the
- federation's metadata for a Shibboleth <b>origin</b>:</p>
- <blockquote><span class="fixed">metadatatool -i http://wayf.internet2.edu/InQueue/IQ-sites.xml -o IQ-sites.xml -k inqueue.jks -a inqueue
- </span></blockquote>
- </blockquote>
-
- <h4>5. Testing</h4>
- <blockquote><p>A <a href="https://wayf.internet2.edu/InQueue/sample.jsp">sample shibboleth target</a>
- is available for testing newly installed origin sites. New targets can make use of a sample origin,
- which is listed as "Example State University" on the InQueue WAYF ( Username: demo / Password: demo ).</p></blockquote>
- </body>
-</html>
\ No newline at end of file
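Review bot: a whole-file deletion with no stated replacement; the diff shows only `+++ /dev/null` and no description of where this document's operational content now lives, so please state in the commit message whether InQueue is retired or the guide moved. Concretely, sections 4.c and 4.a of the removed file are the only visible record of the InQueue signing certificate location (`http://wayf.internet2.edu/InQueue/inqueue.pem`) and its fingerprint (`b4 42 6c 1e 8b 7d 8e b3 68 03 00 e4 c4 57 dd 74 89 f8 9a 80`), the `siterefresh` / `metadatatool` invocations that fetch `IQ-sites.xml` and `IQ-trust.xml`, and the `ca-bundle.crt` path; deployers who still follow the origin and target deploy guides linked from section 4 (the `SHIBBOLETHORIGINGUIDEURL` / `SHIBBOLETHTARGETGUIDEURL` anchors) will have no way to verify the metadata signature once this page is gone, so either carry that material into the guides that link here or add a pointer to the successor federation's policy page. The deleted text also carried the caveat in section 1 and step 5 of 4.a that the InQueue CA list offers no level of assurance; whatever replaces this page should keep that warning rather than silently drop it. The trailing `\ No newline at end of file` marker is expected for a file removal and needs no action.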