<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head>
<meta name="generator" content="HTML Tidy for Mac OS X (vers 1st January 2002), see www.w3.org">
<title>InQueue Federation Interim Configuration and Policy Guidelines</title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body link="red" vlink="red" alink="black" bgcolor="white">
InQueue Configuration and Policy Guidelines<br>
draft-internet2-inqueue-guidelines-01.html<br>
Nate Klingenstein<br>
Comments should be directed to <a href="mailto:ndk@internet2.edu">ndk@internet2.edu</a>.<br>
<h3>InQueue Federation Interim Configuration and Policy Guidelines</h3>
<h5>These are interim guidelines intended to allow InQueue to operate as
a federation before full production requirements are known.</h5>
<h4>1. Introduction to InQueue</h4>
<blockquote><p>InQueue is a simple federation designed to support
interoperability between origin and target sites as organizations
become familiar with Shibboleth and the federated trust model. It
will provide basic federated services, including maintenance of a WAYF
and of the trust and metadata files. It will make a best effort to ensure
that all sites admitted are representative of their organizations. It
will define a basic set of attributes to aid
interoperability.</p></blockquote>
<blockquote><p>InQueue is not intended to be a production federation,
and organizations will be expected to progress from InQueue to an
appropriate federation. Using InQueue for production services is not
advised because there is no formal application and membership
process, which lowers the level of assurance that a site is indeed
representative of its community. Additionally, InQueue
recognizes many CAs, some of which do not maintain a CP/CPS or
rigorous issuance standards.</p></blockquote>
<h4>2. Joining InQueue</h4>
<blockquote><p>Sites may join InQueue as an origin, as a target, or
submit both sets of information to join as both a target and an
origin. Before joining, origins must assert that all attributes sent
to targets in the federation accurately represent, to the best of their
knowledge, information about the authenticated individual accessing the
target resource. Targets must agree to handle all received
attributes properly: not misusing them, not aggregating them, and not
sharing them with other organizations.</p></blockquote>
<blockquote><p>InQueue will distribute a set of trusted CA roots from
which certificates for architectural components are acceptable for
InQueue membership. Additionally, sites with certificates not rooted
in one of these trusted roots may have these certificates added to the
appropriate trust file. Targets must have a certificate signed by an
acceptable CA. The list of certificate authorities recognized by
InQueue is:</p></blockquote>
<ul>
<li><a href="http://www.verisign.com/">Verisign/RSA Secure Server CA</a></li>
<li><a href="http://www.europki.org/ca/root/">EuroPKI CA</a></li>
<li><a href="http://bossie.doit.wisc.edu/cert/i2server">University of Wisconsin Bossie Test CA</a> *</li>
</ul>
<h5>* The certificates issued by this CA will expire
fairly quickly and should only be used for testing.</h5>
<blockquote><p>To join InQueue, origins must <a href="mailto:shib-support@internet2.edu?subject=Shib%20Origin%20Site%%0D%20%2020Application"> submit a basic application to
shib-support@internet2.edu</a> containing the following
information:</p></blockquote>
<ul>
<li>Domain Name of the origin site (e.g., Ohio State's is
<li>Complete URL to access the HS.</li>
<li>The CN (usually the hostname) of the HS's certificate's subject.
This should also be the value of <span class="fixedwidth">edu.internet2.middleware.shibboleth.hs.HandleServlet.issuer</span> in <span class="fixedwidth">origin.properties</span>.</li>
<li>Any shorthand aliases the WAYF should support for the origin
site (e.g., Ohio State, OSU, Buckeyes)</li>
<li>Contact names and addresses for technical and administrative
<li>The URL of an error page to which targets may refer users who selected
this origin from the WAYF if Shibboleth malfunctions. (optional)</li>
<li>If the HS's certificate is not signed by one of the root CAs recognized
by InQueue, then the certificate must be submitted in Base64-encoded DER format.</li>
</ul>
<blockquote><p>To join InQueue, targets must <a href="mailto:shib-support@internet2.edu?subject=Shib%20Target%20Site%%0D%20%2020Application"> submit a basic application to
shib-support@internet2.edu</a> containing the following
information:</p></blockquote>
<ul>
<li>The name of the organization</li>
<li>Contact names and addresses for both administrative and
technical purposes</li>
</ul>
<h4>3. Configuration for Using InQueue</h4>
<blockquote><p>Once your site is accepted into and added to InQueue,
the following configuration parameters must be entered to ensure
interoperability and compliance with federation guidelines. Consult
the Shibboleth Deploy Guides for further information on these fields
and on <span class="fixedwidth">origin.properties</span> and <span class="fixedwidth">shibboleth.ini</span>.</p></blockquote>
<blockquote><p>Origins:</p>
<dl><dd class="attributelong"><span class="fixedwidth">edu.internet2.middleware.shibboleth.hs.HandleServlet.siteName</span>
</dd><dd class="value"><p>Must be populated with a URI that will
be assigned by InQueue when you are accepted into the
federation.</p></dd><dd class="attribute"><span class="fixedwidth">edu.internet2.middleware.shibboleth.audiences</span>
</dd><dd class="value"><p>This field must contain InQueue's <span class="fixedwidth">urn:mace:inqueue</span> URI, and may contain other federation URIs as well.</p></dd></dl>
</blockquote>
<blockquote><p>Targets:</p>
<dl><dd class="attribute"><span class="fixedwidth">wayfURL</span>
</dd><dd class="value"><p>This field must be set to InQueue's simple WAYF at <span class="fixedwidth">https://wayf.internet2.edu/InQueue/WAYF</span>.</p></dd><dd class="attribute"><span class="fixedwidth">[policies]</span>
</dd><dd class="value"><p>This section must contain <span class="fixedwidth">InQueue = urn:mace:inqueue</span>, and may
contain other federation name/value pairs as well.</p></dd><dd class="attribute"><span class="fixedwidth">siterefresh</span>
</dd><dd class="value"><p>The URL for the <span class="fixedwidth">metadata.xml</span> file for InQueue is <span class="fixedwidth">http://wayf.internet2.edu/InQueue/sites.xml</span>.
The URL for the <span class="fixedwidth">trust.xml</span>
file for InQueue is <span class="fixedwidth">http://wayf.internet2.edu/InQueue/trust.xml</span>.
The signing certificate used for these files may be found at
<span class="fixedwidth">http://wayf.internet2.edu/InQueue/internet2.pem</span>
and has the fingerprint <span class="fixedwidth">b4 42 6c 1e
8b 7d 8e b3 68 03 00 e4 c4 57 dd 74 89 f8 9a 80</span>.</p></dd></dl>
</blockquote>
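<blockquote><p>Before installing <span class="fixedwidth">internet2.pem</span> as the signing certificate for <span class="fixedwidth">sites.xml</span> and <span class="fixedwidth">trust.xml</span>, a target administrator should confirm that the downloaded file's fingerprint is the one published above (its 20-byte length identifies it as SHA-1 over the DER certificate). The following Python is an added example, not part of these guidelines or of the Shibboleth distribution; the certificate body it uses is a constructed placeholder, and only the published fingerprint string comes from this page.</p></blockquote>

```python
import base64
import hashlib
import re

# Fingerprint published for internet2.pem in the InQueue guidelines; its
# 20-byte length identifies it as SHA-1 over the DER-encoded certificate.
PUBLISHED_INTERNET2_PEM_FINGERPRINT = (
    "b4 42 6c 1e 8b 7d 8e b3 68 03 00 e4 c4 57 dd 74 89 f8 9a 80"
)

_PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S
)


def normalize_fingerprint(text: str) -> str:
    """Reduce 'b4 42:6C ...' style output to bare lowercase hex."""
    return re.sub(r"[^0-9a-f]", "", text.lower())


def pem_to_der(pem: str) -> bytes:
    """Return the DER bytes of the first CERTIFICATE block in a PEM file."""
    match = _PEM_BLOCK.search(pem)
    if match is None:
        raise ValueError("no CERTIFICATE block found in PEM input")
    return base64.b64decode("".join(match.group(1).split()), validate=True)


def pem_sha1_fingerprint(pem: str) -> str:
    """SHA-1 of the DER certificate: what 'openssl x509 -fingerprint' prints."""
    return hashlib.sha1(pem_to_der(pem)).hexdigest()


def signing_cert_matches(pem: str, published: str = PUBLISHED_INTERNET2_PEM_FINGERPRINT) -> bool:
    """True only if the downloaded certificate has the published fingerprint."""
    return pem_sha1_fingerprint(pem) == normalize_fingerprint(published)


# Constructed stand-in for a downloaded internet2.pem. It is NOT the real
# certificate: any base64 body exercises the parsing and comparison path.
CONSTRUCTED_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.b64encode(b"constructed placeholder, not a real certificate").decode()
    + "\n-----END CERTIFICATE-----\n"
)

if __name__ == "__main__":
    # A real check reads the file fetched from the internet2.pem URL above.
    print(pem_sha1_fingerprint(CONSTRUCTED_PEM),
          "matches published:", signing_cert_matches(CONSTRUCTED_PEM))
```

<p>Only a file whose fingerprint matches the published value should be configured as the trust root for the federation metadata; the placeholder above is expected to fail the check.</p>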
<h4>4. Attributes</h4>
<blockquote><p>In order to facilitate basic interoperability, the InQueue
Federation is promulgating a set of Attribute definitions for use by its
members. If a Federation member sends or receives an Attribute Assertion
containing the InQueue policy URI and referencing one of the listed attributes,
then the syntax and semantics of the associated attribute value MUST conform
to the definitions specified in the <a href="http://www.educause.edu/eduperson/">EduPerson specification 2002/10</a></p></blockquote>
<ul>
<li>urn:mace:dir:attribute-def:eduPersonAffiliation</li>
<li>urn:mace:dir:attribute-def:eduPersonPrincipalName</li>
</ul>
<h4>5. Sample Target</h4>
<blockquote><p>A <a href="https://wayf.internet2.edu/shibboleth/sample.jsp">sample Shibboleth target</a>
is available for testing newly installed origin sites.</p></blockquote>