<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<title>InQueue Federation Policy and Configuration Guidelines</title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<style type="text/css">
</style></head><body link="red" vlink="red" alink="black" bgcolor="white">
<h3>InQueue Federation Policy and Configuration Guidelines</h3>
<h4>1. Introduction to InQueue</h4>
<p>The InQueue Federation, operated by Internet2, is designed for
organizations that are becoming familiar with the Shibboleth software
package and the federated trust model. InQueue provides the basic
services needed for a federation using Shibboleth:</p>
<ul>
<li>maintenance and distribution of participating site description and
<li>a central WAYF ("where are you from") web site;</li>
<li>specification of operational procedures and policies, including
user data (attribute) definitions; and</li>
<li>example target and origin sites with which to test
interoperability.</li>
</ul>
<p>Participating in InQueue permits an organization to learn about the
Shibboleth software via the experience of multi-party federated access,
while integrating its services into the organization's procedures and
<p>The InQueue federation is specifically <b>not</b> intended to support
production-level end-user access to protected resources. Organizations
operating target sites are strongly discouraged from making sensitive or
valuable resources available via the Federation.</p>
<h4>2. InQueue Policies</h4>
<h4>2.1 Participation</h4>
<blockquote><p>An organization may join InQueue as an origin, as a
Participants are expected to be authorized representatives of
their organization. Internet2 reserves the right to make final
decisions about participation in the Federation.</p>
<p>Participation in the Federation is limited to the period during which
an organization is learning about Shibboleth and federated operations. Upon
completion of this period, the organization is expected to join a
Federation (or some other management solution) that meets its long-term
<h4>2.2 Data management</h4>
<blockquote><p>By participating, origins agree that all attributes sent
to targets in the Federation to the best of their knowledge accurately
represent information about the authenticated individual accessing the
<p>Targets agree to dispose of all received
attributes properly by not mis-using them, aggregating them, or
sharing them with other organizations.</p></blockquote>
<h4>2.3 Security management</h4>
<blockquote><p>InQueue distributes a set of root certificates for
issuers from which server certificates may be obtained to identify
InQueue server components.
Additionally, sites with certificates not rooted
in one of these trusted roots may have these certificates added to the
appropriate trust file. Targets must have a certificate signed by an
acceptable CA. The list of certificate authorities used by
<ul>
<li><a href="http://www.verisign.com/">Verisign/RSA Secure Server CA</a></li>
<li><a href="http://bossie.doit.wisc.edu/cert/i2server">Internet2
HEPKI Test CA</a></li>
<li><a href="http://www.cren.net/crenca/">CREN CA</a></li>
</ul>
<h4>2.4 Attributes</h4>
<blockquote><p>The InQueue
Federation specifies a set of attribute definitions to support basic
attribute-based authorization.
If a Federation member sends or receives an Attribute Assertion
containing the InQueue policy URI and referencing one of the listed
attributes,
the syntax and semantics of the associated attribute value should
conform
to the definitions specified in the <a href="http://www.educause.edu/eduperson/">EduPerson specification 2002/10</a>.</p>
<ul>
<li>eduPersonPrincipalName</li>
<li>eduPersonEntitlement</li>
<li>eduPersonAffiliation (expressed in a slightly different form via
a new attribute called eduPersonScopedAffiliation)</li>
</ul>
<h4>3. Joining InQueue</h4>
<blockquote><p>To join InQueue, origins <a href="mailto:shib-support@internet2.edu?subject=Shib%20Origin%20Site%%0D%20%2020Application"> submit a request to
shib-support@internet2.edu</a> containing the following
information:</p></blockquote>
<ul>
<li>Domain Name of the origin site (e.g., Ohio State's is
<li>Complete URL to access the Shibboleth Handle Service at the site.</li>
<li>The CN (usually the hostname) of the HS's certificate's subject.
This should also be the value of <span class="fixedwidth">edu.internet2.middleware.shibboleth.hs.
HandleServlet.issuer</span> in <span class="fixedwidth">origin.properties</span>.</li>
<li>Any shorthand aliases the WAYF should support for the origin
site (e.g., Ohio State, OSU, Buckeyes)</li>
<li>Contact names and addresses for technical and administrative
<li>The URL of an error page that users selecting this origin from
the WAYF may be referred to by targets if Shibboleth
malfunctions. (optional)</li>
<li>If the HS's certificate is not issued by one of the root CAs
distributed by InQueue, then it must be submitted in Base64-encoded DER (aka
</ul>
<blockquote><p>To join InQueue, targets must <a href="mailto:shib-support@internet2.edu?subject=Shib%20Target%20Site%%0D%20%2020Application"> submit a basic application to
shib-support@internet2.edu</a> containing the following
information:</p></blockquote>
<ul>
<li>The name of the organization</li>
<li>Contact names and addresses for both administrative and
technical purposes</li>
</ul>
<h4>4. Configuration for Using InQueue</h4>
<blockquote><p>Once your site is accepted into and added to InQueue,
the following configuration parameters must be entered to ensure
interoperability and compliance with federation guidelines. Consult
the Shibboleth Deploy Guides for further information on these fields
and on <span class="fixedwidth">origin.properties</span> and <span class="fixedwidth">shibboleth.ini</span>.</p></blockquote>
<blockquote><h5>4.a. Origins:</h5>
<dl><dd class="attribute"><span class="fixedwidth">edu.internet2.middleware.shibboleth.hs.HandleServlet.siteName</span>
</dd><dd class="value"><p>Must be populated with a URI that will
be assigned by InQueue when you are accepted into the
federation.</p></dd><dd class="attribute"><span class="fixedwidth">edu.internet2.middleware.shibboleth.audiences</span>
</dd><dd class="value"><p>This field must contain InQueue's <span class="fixedwidth">urn:mace:inqueue</span> URI, and may contain other federation URIs as well.</p></dd></dl>
<blockquote><h5>4.b. Targets:</h5>
<dl><dd class="attribute"><span class="fixedwidth">wayfURL</span>
</dd><dd class="value"><p>This field must be set to InQueue's simple WAYF at <span class="fixedwidth">https://wayf.internet2.edu/InQueue/WAYF</span>.</p></dd><dd class="attribute"><span class="fixedwidth">[policies]</span>
</dd><dd class="value"><p>This section must contain <span class="fixedwidth">InQueue = urn:mace:inqueue</span>, and may
contain other federation name/value pairs as well.</p></dd></dl></blockquote>
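<p>The following is an added example, not part of this guide or of the Shibboleth distribution: a POSIX shell script that reads an origin's <span class="fixedwidth">origin.properties</span> and a target's <span class="fixedwidth">shibboleth.ini</span> and checks that the InQueue values from sections 4.a and 4.b are present before the site is put into service. It assumes Java-properties <span class="fixedwidth">key=value</span> lines in <span class="fixedwidth">origin.properties</span>, INI <span class="fixedwidth">[section]</span> headers in <span class="fixedwidth">shibboleth.ini</span>, and that several audience URIs are separated by commas or blanks (the guide does not say); the sample files it writes are constructed here and the site URI in them is made up.</p>

```shell
#!/bin/sh
# Added example, not taken from the InQueue guide or the Shibboleth
# distribution: check that an origin's origin.properties and a target's
# shibboleth.ini carry the InQueue values described in section 4.
# Assumptions: origin.properties uses Java-properties "key=value" lines;
# shibboleth.ini uses INI "[section]" headers with "name = value" lines;
# a multi-valued audiences entry separates URIs with commas or blanks
# (the guide does not say how several federation URIs are separated).

INQUEUE_URI="urn:mace:inqueue"

# prop_value FILE KEY: print KEY's value from a properties file
# (first match; "=" or ":" separator; surrounding blanks trimmed).
prop_value() {
    sed -n "s/^[[:blank:]]*$2[[:blank:]]*[=:][[:blank:]]*//p" "$1" \
        | head -n 1 | sed 's/[[:blank:]]*$//'
}

# ini_value FILE SECTION NAME: print NAME's value from inside [SECTION].
ini_value() {
    awk -v sect="$2" -v name="$3" '
        /^[ \t]*\[/ { in_sect = ($0 ~ ("^[ \t]*\\[" sect "\\]")); next }
        in_sect && $0 ~ ("^[ \t]*" name "[ \t]*=") {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t\r]*$/, ""); print; exit
        }' "$1"
}

# check_origin FILE: siteName must be set (InQueue assigns it) and
# audiences must list urn:mace:inqueue. Returns 0 when both hold.
check_origin() {
    site=$(prop_value "$1" "edu.internet2.middleware.shibboleth.hs.HandleServlet.siteName")
    aud=$(prop_value "$1" "edu.internet2.middleware.shibboleth.audiences")
    if [ -z "$site" ]; then
        echo "origin: HandleServlet.siteName is not set" >&2
        return 1
    fi
    for uri in $(printf '%s' "$aud" | tr ',' ' '); do
        [ "$uri" = "$INQUEUE_URI" ] && return 0
    done
    echo "origin: audiences does not include $INQUEUE_URI" >&2
    return 1
}

# check_target FILE: [policies] must map InQueue to urn:mace:inqueue.
check_target() {
    val=$(ini_value "$1" "policies" "InQueue")
    if [ "$val" = "$INQUEUE_URI" ]; then
        return 0
    fi
    echo "target: [policies] InQueue is '$val', expected $INQUEUE_URI" >&2
    return 1
}

# demo: run both checks over constructed sample files (the site URI and
# the second audience are made-up values) and return 0 if both pass.
demo() {
    dir=$(mktemp -d) || return 2
    cat > "$dir/origin.properties" <<'EOF'
# constructed sample, not a real site's file
edu.internet2.middleware.shibboleth.hs.HandleServlet.siteName=urn:mace:inqueue:example.edu
edu.internet2.middleware.shibboleth.audiences=urn:mace:inqueue, urn:mace:example:other
EOF
    cat > "$dir/shibboleth.ini" <<'EOF'
[policies]
InQueue = urn:mace:inqueue
Other = urn:mace:example
EOF
    check_origin "$dir/origin.properties" && check_target "$dir/shibboleth.ini"
    rc=$?
    rm -rf "$dir"
    return $rc
}

demo && echo "sample configuration passes the InQueue checks"
```

<p>Point <span class="fixedwidth">check_origin</span> and <span class="fixedwidth">check_target</span> at the real files to use it; a non-zero exit with a message on standard error names the missing or wrong entry.</p>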
<blockquote><h5>4.b.i. Refreshing Federation Metadata:</h5>
<p>Once your target site is accepted into the InQueue federation, it is necessary that you periodically
update the target's federation metadata. This metadata includes information used to identify and authenticate
<p>InQueue's metadata is digitally signed, so the first step is to obtain the InQueue signing certificate.
It can be downloaded from <span class="fixedwidth">http://wayf.internet2.edu/InQueue/internet2.pem
</span> and has a fingerprint of:</p>
<p><span class="fixedwidth">b4 42 6c 1e 8b 7d 8e b3 68 03 00 e4 c4 57 dd 74 89 f8 9a 80</span>.</p>
<p>The following commands can be used to obtain the federation's metadata:</p>
<p><span class="fixedwidth">$ cd /opt/shibboleth/etc/shibboleth</span></p>
<p><span class="fixedwidth">$ ../../bin/siterefresh --url http://wayf.internet2.edu/InQueue/sites.xml
--out sites.xml --cert internet2.pem</span></p>
<p><span class="fixedwidth">$ ../../bin/siterefresh --url http://wayf.internet2.edu/InQueue/trust.xml
--out trust.xml --cert internet2.pem</span></p>
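<p>The following is an added example, not from this guide or the Shibboleth distribution: a POSIX shell script that compares the downloaded <span class="fixedwidth">internet2.pem</span> against the fingerprint printed above and only then runs the two <span class="fixedwidth">siterefresh</span> commands, so metadata signed with any other key is never installed. It assumes <span class="fixedwidth">openssl</span> is installed, that the 20-byte value above is an SHA-1 fingerprint (the length of <span class="fixedwidth">openssl x509 -fingerprint -sha1</span> output; the guide does not name the algorithm), and that it is run from <span class="fixedwidth">/opt/shibboleth/etc/shibboleth</span> as in the commands above. The script name <span class="fixedwidth">refresh-inqueue.sh</span> is chosen here.</p>

```shell
#!/bin/sh
# Added example, not from the InQueue guide: confirm the downloaded InQueue
# signing certificate carries the fingerprint printed in the guide before
# it is passed to siterefresh, so metadata signed by some other key is
# never accepted. Assumptions: openssl is installed; the 20-byte value in
# the guide is an SHA-1 fingerprint; the working directory and the relative
# siterefresh path follow the guide's command sequence.

# Fingerprint published by the guide for internet2.pem.
EXPECTED_FP="b4 42 6c 1e 8b 7d 8e b3 68 03 00 e4 c4 57 dd 74 89 f8 9a 80"

# normalize_fp LINE: rewrite openssl's "SHA1 Fingerprint=B4:42:...:80"
# into the guide's lowercase, blank-separated form.
normalize_fp() {
    printf '%s\n' "$1" | sed -e 's/^.*=//' -e 's/:/ /g' | tr '[:upper:]' '[:lower:]'
}

# fingerprint_matches LINE EXPECTED: 0 if LINE normalizes to EXPECTED.
fingerprint_matches() {
    [ "$(normalize_fp "$1")" = "$2" ]
}

# verify_pem_fingerprint FILE: compute FILE's SHA-1 fingerprint with
# openssl and compare it with EXPECTED_FP. Returns 1 on mismatch, 2 if
# openssl could not read the file.
verify_pem_fingerprint() {
    actual=$(openssl x509 -in "$1" -noout -fingerprint -sha1) || return 2
    if fingerprint_matches "$actual" "$EXPECTED_FP"; then
        echo "OK: $1 matches the published InQueue fingerprint"
        return 0
    fi
    echo "MISMATCH: $1 has fingerprint $(normalize_fp "$actual")" >&2
    return 1
}

# The guide's refresh sequence, run only after the certificate checks out.
# Invoke as: sh refresh-inqueue.sh internet2.pem
# (the certificate name relative to /opt/shibboleth/etc/shibboleth, or an
# absolute path); with no argument the script only defines the functions.
if [ -n "$1" ]; then
    cd /opt/shibboleth/etc/shibboleth || exit 2
    verify_pem_fingerprint "$1" || exit 1
    ../../bin/siterefresh --url http://wayf.internet2.edu/InQueue/sites.xml \
        --out sites.xml --cert "$1"
    ../../bin/siterefresh --url http://wayf.internet2.edu/InQueue/trust.xml \
        --out trust.xml --cert "$1"
fi
```

<p>Comparing against the value printed in the guide, rather than trusting whatever the download returns, is what ties the refreshed <span class="fixedwidth">sites.xml</span> and <span class="fixedwidth">trust.xml</span> to InQueue's signing key; if the fingerprint ever changes, the script stops before either file is replaced.</p>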
<blockquote><p>A <a href="https://wayf.internet2.edu/shibboleth/sample.jsp">sample shibboleth target</a>
is available for testing newly installed origin sites. New targets can make use of a sample origin,
which is listed as "Example State University" on the InQueue WAYF ( Username: demo / Password: demo ).</p></blockquote>