<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<title>InQueue Federation Policy and Configuration Guidelines</title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<style type="text/css">
</style></head><body link="red" vlink="red" alink="black" bgcolor="white">
InQueue Federation Policy and Configuration Guidelines<br>
draft-internet2-inqueue-guidelines-02.html<br>
Nate Klingenstein<br>
RL 'Bob' Morgan<br />
<h3>InQueue Federation Policy and Configuration Guidelines</h3>
<h4>1. Introduction to InQueue</h4>
The InQueue Federation, operated by Internet2, is designed for
organizations that are becoming familiar with the Shibboleth software
package and the federated trust model. InQueue provides the basic
services needed for a federation using Shibboleth:</p>
<li>maintenance and distribution of participating site description and
<li>a central WAYF ("where are you from") web site;</li>
<li>specification of operational procedures and policies, including
user data (attribute) definitions; and</li>
<li>example target and origin sites with which to test
interoperability.</li>
<p>Participating in InQueue permits an organization to learn about the
Shibboleth software via the experience of multi-party federated access,
while integrating its services into the organization's procedures and
<p>The InQueue federation is specifically <b>not</b> intended to support
production-level end-user access to protected resources. Organizations
operating target sites are strongly discouraged from making sensitive or
valuable resources available via the Federation.</p>
<h4>2. InQueue Policies</h4>
<h4>2.1 Participation</h4>
<blockquote><p>An organization may join InQueue as an origin, as a
Participants are expected to be authorized representatives of
their organization. Internet2 reserves the right to make final
decisions about participation in the Federation.</p>
<p>Participation in the Federation is limited to the period during which
an organization is learning about Shibboleth and federated operations. Upon
completion of this period, the organization is expected to join a
Federation (or some other management solution) that meets its long-term
<h4>2.2 Data management</h4>
By participating, origins agree that all attributes sent
to targets in the Federation to the best of their knowledge accurately
represent information about the authenticated individual accessing the
<p>Targets agree to dispose of all received
attributes properly by not misusing them, aggregating them, or
sharing them with other organizations.</p></blockquote>
<h4>2.3 Security management</h4>
<blockquote><p>InQueue distributes a set of root certificates for
issuers from which server certificates may be obtained to identify
InQueue server components.
Additionally, sites with certificates not rooted
in one of these trusted roots may have these certificates added to the
appropriate trust file. Targets must have a certificate signed by an
acceptable CA. The list of certificate authorities used by
<li><a href="http://www.verisign.com/">Verisign/RSA Secure Server CA</a></li>
<li><a href="http://bossie.doit.wisc.edu/cert/i2server">Internet2
HEPKI Test CA</a></li>
<li><a href="http://www.cren.net/crenca/">CREN CA</a></li>
<h4>2.4 Attributes</h4>
<blockquote><p>The InQueue
Federation specifies a set of attribute definitions to support basic
attribute-based authorization.
If a Federation member sends or receives an Attribute Assertion
containing the InQueue policy URI and referencing one of the listed
the syntax and semantics of the associated attribute value should
to the definitions specified in the <a href="http://www.educause.edu/eduperson/">EduPerson specification 2002/10</a>
<li>eduPersonPrincipalName</li>
<li>eduPersonEntitlement</li>
<li>eduPersonAffiliation (expressed in a slightly different form via
a new attribute called eduPersonScopedAffiliation)</li>
<h4>3. Joining InQueue</h4>
<blockquote><p>To join InQueue, origins <a href="mailto:shib-support@internet2.edu?subject=Shib%20Origin%20Site%%0D%20%2020Application"> submit a request to
shib-support@internet2.edu</a> containing the following
information:</p></blockquote>
<li>Domain Name of the origin site (e.g., Ohio State's is
<li>Complete URL to access the Shibboleth Handle Service at the site.</li>
<li>The CN (usually the hostname) of the HS's certificate's subject.
This should also be the value of <span class="fixedwidth">edu.internet2.middleware.shibboleth.hs.
HandleServlet.issuer</span> in <span class="fixedwidth">origin.properties</span>.</li>
<li>Any shorthand aliases the WAYF should support for the origin
site (e.g., Ohio State, OSU, Buckeyes)</li>
<li>Contact names and addresses for technical and administrative
<li>The URL of an error page that users selecting this origin from
the WAYF may be referred to by targets if Shibboleth
malfunctions. (optional)</li>
<li>If the HS's certificate is not issued by one of the root CAs
by InQueue, then it must be submitted in Base64-encoded DER (aka
<blockquote><p>To join InQueue, targets must <a href="mailto:shib-support@internet2.edu?subject=Shib%20Target%20Site%%0D%20%2020Application"> submit a basic application to
shib-support@internet2.edu</a> containing the following
information:</p></blockquote>
<li>The name of the organization</li>
<li>Contact names and addresses for both administrative and
technical purposes</li>
<h4>4. Configuration for Using InQueue</h4>
<blockquote><p>Once your site is accepted into and added to InQueue,
the following configuration parameters must be entered to ensure
interoperability and compliance with federation guidelines. Consult
the Shibboleth Deploy Guides for further information on these fields
and on <span class="fixedwidth">origin.properties</span> and <span class="fixedwidth">shibboleth.ini</span>.</p></blockquote>
<blockquote><h5>4.a. Origins:</h5>
<dl><dd class="attribute"><span class="fixedwidth">edu.internet2.middleware.shibboleth.hs.HandleServlet.siteName</span>
</dd><dd class="value"><p>Must be populated with a URI that will
be assigned by InQueue when you are accepted into the
federation.</p></dd><dd class="attribute"><span class="fixedwidth">edu.internet2.middleware.shibboleth.audiences</span>
</dd><dd class="value"><p>This field must contain InQueue's <span class="fixedwidth">urn:mace:inqueue</span> URI, and may contain other federation URIs as well.</p></dd></dl>
<blockquote><h5>4.b. Targets:</h5>
<dl><dd class="attribute"><span class="fixedwidth">wayfURL</span>
</dd><dd class="value"><p>This field must be set to InQueue's simple WAYF at <span class="fixedwidth">https://wayf.internet2.edu/InQueue/WAYF</span>.</p></dd><dd class="attribute"><span class="fixedwidth">[policies]</span>
</dd><dd class="value"><p>This section must contain <span class="fixedwidth">InQueue = urn:mace:inqueue</span>, and may
contain other federation name/value pairs as well.</p></dd>
<blockquote><h5>4.b.i. Refreshing Federation Metadata:</h5>
<p>Once your target site is accepted into the InQueue federation, you must periodically
update the target's federation metadata. This metadata includes information used to identify and authenticate
<p>InQueue's metadata is digitally signed, so the first step is to obtain the InQueue signing certificate.
It can be downloaded from <span class="fixedwidth">http://wayf.internet2.edu/InQueue/internet2.pem
</span> and has a fingerprint of:</p>
<p><span class="fixedwidth">b4 42 6c 1e 8b 7d 8e b3 68 03 00 e4 c4 57 dd 74 89 f8 9a 80</span>.</p>
<p>The following commands can be used to obtain the federation's metadata:</p>
<p><span class="fixedwidth">$ cd /opt/shibboleth/etc/shibboleth</span></p>
<p><span class="fixedwidth">$ ../../bin/siterefresh --url http://wayf.internet2.edu/InQueue/sites.xml
--out sites.xml --cert internet2.pem</span></p>
<p><span class="fixedwidth">$ ../../bin/siterefresh --url http://wayf.internet2.edu/InQueue/trust.xml
--out trust.xml --cert internet2.pem</span></p>
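<p>The commands above fetch the signing certificate and the metadata, but nothing in them compares <span class="fixedwidth">internet2.pem</span> with the fingerprint published above, and that comparison is what lets a target notice a substituted signing certificate when the file is fetched over plain HTTP. The script below is an added example, not part of these guidelines or of the Shibboleth distribution: it downloads the certificate to a temporary name, checks its fingerprint against the published value, and only then runs the two <span class="fixedwidth">siterefresh</span> commands from this page. It assumes the paths and <span class="fixedwidth">siterefresh</span> options shown above, that <span class="fixedwidth">curl</span> and <span class="fixedwidth">openssl</span> are installed, and that the published fingerprint is SHA-1 (it is 20 bytes long, the length of a SHA-1 digest; the page does not name the algorithm).</p>

```bash
#!/bin/sh
# Added example (not part of the InQueue guidelines): fetch the InQueue
# signing certificate, verify its fingerprint against the value published
# on this page, and only then refresh the federation metadata.
set -eu

SHIB_ETC=/opt/shibboleth/etc/shibboleth        # directory from the page
SITEREFRESH=/opt/shibboleth/bin/siterefresh    # ../../bin/siterefresh relative to SHIB_ETC
CERT_URL=http://wayf.internet2.edu/InQueue/internet2.pem
SITES_URL=http://wayf.internet2.edu/InQueue/sites.xml
TRUST_URL=http://wayf.internet2.edu/InQueue/trust.xml

# Fingerprint published on the page. It is 20 bytes long, which is the
# length of a SHA-1 digest, so SHA-1 is assumed here (the page does not
# name the algorithm).
EXPECTED_FP="b4 42 6c 1e 8b 7d 8e b3 68 03 00 e4 c4 57 dd 74 89 f8 9a 80"

# normalize_fp: reduce the common fingerprint spellings
# ("SHA1 Fingerprint=B4:42:..." from openssl, "b4 42 6c ..." from the page)
# to one lowercase hex string so they can be compared exactly.
normalize_fp() {
    printf '%s' "$1" | sed -e 's/^.*=//' -e 's/[: ]//g' | tr '[:upper:]' '[:lower:]'
}

# fingerprints_match EXPECTED ACTUAL: succeed only when both normalize to
# the same 40-hex-digit string; an empty or truncated value is a mismatch.
fingerprints_match() {
    exp=$(normalize_fp "$1")
    act=$(normalize_fp "$2")
    if [ ${#exp} -eq 40 ] && [ "$exp" = "$act" ]; then
        return 0
    fi
    return 1
}

# cert_fingerprint FILE: SHA-1 fingerprint of a PEM certificate (openssl assumed).
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha1
}

# refresh_inqueue_metadata: the procedure from section 4.b.i with the
# fingerprint check inserted between the download and the siterefresh calls.
refresh_inqueue_metadata() {
    cd "$SHIB_ETC"
    # Download to a temporary name so an unverified file never replaces a verified one.
    curl -fsS -o internet2.pem.new "$CERT_URL"
    if ! fingerprints_match "$EXPECTED_FP" "$(cert_fingerprint internet2.pem.new)"; then
        rm -f internet2.pem.new
        echo "internet2.pem fingerprint does not match the published value; aborting" >&2
        return 1
    fi
    mv internet2.pem.new internet2.pem
    # Same two commands as on the page, now given a certificate whose
    # fingerprint has been checked.
    "$SITEREFRESH" --url "$SITES_URL" --out sites.xml --cert internet2.pem
    "$SITEREFRESH" --url "$TRUST_URL" --out trust.xml --cert internet2.pem
}

# Run the full refresh only when invoked as: sh inqueue-refresh.sh refresh
if [ "${1:-}" = "refresh" ]; then
    refresh_inqueue_metadata
fi
```

<p>Run it as <span class="fixedwidth">sh inqueue-refresh.sh refresh</span> from cron at whatever interval the federation expects. Keeping the expected fingerprint in the script, rather than trusting whatever is downloaded, turns the manual "compare the fingerprint" step into one that cannot be skipped; a mismatch leaves the previously verified <span class="fixedwidth">internet2.pem</span> in place and the metadata untouched.</p>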
<blockquote><p>A <a href="https://wayf.internet2.edu/shibboleth/sample.jsp">sample shibboleth target</a>
is available for testing newly installed origin sites. New targets can make use of a sample origin,
which is listed as "Example State University" on the InQueue WAYF ( Username: demo / Password: demo ).</p></blockquote>