From: cantor Date: Sun, 22 May 2005 20:36:42 +0000 (+0000) Subject: Updated for upcoming release. X-Git-Tag: 2.4~1350 X-Git-Url: http://www.project-moonshot.org/gitweb/?p=shibboleth%2Fsp.git;a=commitdiff_plain;h=ccc3cd05b66605fa1db40045e3658674121089ef Updated for upcoming release. git-svn-id: https://svn.middleware.georgetown.edu/cpp-sp/trunk@1658 cb58f699-b61c-0410-a6fe-9272a202ed29 --- diff --git a/doc/INSTALL.txt b/doc/INSTALL.txt index 098da6d..bee5ee6 100644 --- a/doc/INSTALL.txt +++ b/doc/INSTALL.txt @@ -1,14 +1,13 @@ -11/15/04 -Version 1.2.1 +6/15/05 +Version 1.3 Binary distributions of the Shibboleth code are available. Information on obtaining and installing binaries can be found at -http://shibboleth.internet2.edu/ and in the deploy guide in this -directory. +http://shibboleth.internet2.edu/ This document provides details for those wishing to build from source. -C++ / TARGET +C++ Service Provider Your first step is going to be the OpenSAML INSTALL.txt file. Please read it thoroughly to understand the issues. All the requirements in that file @@ -36,7 +35,7 @@ thread flag (usually -pthread or -pthreads, depends on your platform). --- MySQL (optional) -The distribution now includes a session cache plugin using embedded MySQL. +The distribution now includes a cache plugin using embedded MySQL. This plugin will be included in the build by default if the embedded MySQL library (libmysqld.a) can be found, or if the --with-mysql option is passed to configure. You can force exclude the plugin with the --disable-mysql option. 
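Review bot: "a cache plugin" in the MySQL hunk (`+The distribution now includes a cache plugin using embedded MySQL.`) is less precise than the "session cache plugin" wording it replaces; if the embedded-MySQL plugin now backs more than the session cache, say which caches it provides, otherwise keep the old sentence so a deployer knows what enabling --with-mysql actually changes.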
@@ -46,8 +45,8 @@ be surprised if it's not there. Also, just as with PHP and certain other package that include C++, you'll need to build it with the same compiler used to build Shibboleth. -The MySQL 4.0.x build is currently not clean on either platform. There are errors -in several Makefile.in files that have to corrected to get the build to work. +The MySQL 4.0.x build is currently not clean. There are errors in several +Makefile.in files that have to corrected to get the build to work. The patch for the pre-configure Makefile.in files in version 4.0.12 is included in this directory as the file "mysql-4.0.12.diff", which can be applied from the mysql-4.0.12 directory. @@ -71,17 +70,10 @@ are needed to get a correct build of the library to link against. --- Shibboleth -Building the Shibboleth target libraries, shar, test programs, and Apache +Building the Shibboleth libraries, shibd, test programs, and Apache modules is more or less like building OpenSAML. You can get the code from CVS and run the bootstrap script if you want, or just use a source tarball. -On Solaris/OS X, if you're rebuilding into a prefixed location that already -contains a copy of the software and headers, you'll want to remove -some of the headers to prevent extra build work when you run the make -install command. Just do: - -$ rm -rf /opt/shibboleth/include/rpc - With the source distribution or the results of your bootstrap: $ ./configure --prefix=/opt/shibboleth --with-log4cpp=/opt/shibboleth \ 
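Review bot: the MySQL 4.0.x hunk rewraps the sentence but keeps the grammatical error in `+Makefile.in files that have to corrected to get the build to work.`; since the line is being touched anyway, make it "have to be corrected".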
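Review bot: the @@ -71 hunk deletes the Solaris/OS X caveat about stale headers (`-$ rm -rf /opt/shibboleth/include/rpc`) with nothing in its place. If 1.3 no longer installs the rpc headers, or the build no longer picks them up when reinstalling into an existing prefix, a one-line note saying so would stop deployers who followed the 1.2.1 text from wondering whether the step is still needed; if the problem still exists on those platforms, the instructions should stay. The shar-to-shibd rename in the same hunk is fine, but the later shibtest hunk still uses "origin", so the terminology change is only half applied in this file.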
@@ -101,8 +93,8 @@ for some guidance on what these should be). To test your installation, you can try the shibtest utility, which actually loads your configuration and attempts to obtain attributes from a Shibboleth -Attribute Authority of your choosing. You indicate to it the "handle" of the -principal to query, and the identifier (providerId) of the origin site, +Attribute Authority of your choosing. You indicate to it the identifier of +the principal to query, and the identifier (providerId) of the origin site, and it will use your configuration files to locate the proper AA. $ set LD_LIBRARY_PATH=/opt/shibboleth/lib; export LD_LIBRARY_PATH @@ -111,6 +103,6 @@ $ /opt/shibboleth/bin/shibtest -h test-handle \ -q urn:mace:inqueue:example.edu The example shown uses a built-in test principal, and uses the InQueue -example origin, which is known to the target after initial installation. +example origin, which is known to the SP after initial installation. You should get some reasonably structured output back that lists some simple attributes. An error here is a pretty good sign there's trouble. diff --git a/doc/InQueue.html b/doc/InQueue.html deleted file mode 100644 index 4e35911..0000000 --- a/doc/InQueue.html +++ /dev/null @@ -1,362 +0,0 @@ - - - - InQueue Federation Policy and Configuration Guidelines - - - InQueue Federation Policy and Configuration Guidelines
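Review bot: the @@ -101 hunk changes the prose to "the identifier of the principal to query" while the unchanged example two lines later still reads `$ /opt/shibboleth/bin/shibtest -h test-handle \`; if the -h option and its argument still denote a handle, the description and the command now disagree, and if shibtest's option changed for 1.3 the example should be updated in the same hunk.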
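Review bot: the @@ -111 hunk renames "target" to "SP" (`+example origin, which is known to the SP after initial installation.`) but leaves "origin" in both the new line and the preceding hunk's "origin site"; the README hunk in this same commit introduces "identity provider"/"IdP", so use that here too rather than mixing the 1.2 and 1.3 vocabularies within one paragraph.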
- Version 1.2
- May 19, 2004
- -

InQueue Federation Policy and Configuration Guidelines

- -

1. Introduction to InQueue

-

- The InQueue Federation, operated by Internet2, is designed for - organizations that are becoming familiar with the Shibboleth - software package and the federated trust model. It is also - available as a temporary alternative to sites for which no suitable - production-level federation exists. InQueue provides the basic - services needed for a federation using Shibboleth:

- - - -

Participating in InQueue permits an organization to learn about the - Shibboleth software via the experience of multi-party federated access, - while integrating its services into the organization's procedures and - policies.

- -

The InQueue federation is specifically not intended to support - production-level end-user access to protected resources. Organizations - operating target sites are strongly discouraged from making sensitive or - valuable resources available via the Federation. Specifically, certificate - authorities with no level of assurance may be used to issue certificates - to participating sites, and therefore none of the interactions can be - trusted.

-
- -

2. InQueue Policies

- -

2.1 Participation

- -

An organization may join InQueue as an origin, as a - target, or both. - Participants are expected to be authorized representatives of - their organization. Internet2 reserves the right to make final - decisions about participation in the Federation.

- -

InQueue is intended to serve as a primary federation - for an organization only during the period an - organization is learning about Shibboleth and federated - operations. Upon completion of this period, the - organization is expected to join a Federation (or some - other management solution) that meets its long-term - operational needs.

- -

By joining InQueue, an organization agrees that the - Federation can list their name on the Federation web - site as a member of the Federation.

- -

In joining InQueue, an organization will make a good - faith effort to maintain a web page describing their use - of Shibboleth. This page will be linked from the - Federation member list.

- -
- -

2.2 Data management

- -

- By participating, origins agree that all attributes sent - to targets in the Federation to the best of their knowledge accurately - represent information about the authenticated individual accessing the - target resource.

- -

Targets agree to dispose of all received - attributes properly by not mis-using them, aggregating them, or - sharing them with other organizations.

- -

2.3 Security management

- -

InQueue distributes a set of root certificates for - issuers from which server certificates may be obtained to identify - InQueue server components. Both targets and origins should have a - certificate obtained from one of the authorities below. Additional - certificate authorities may be recognized as necessary to support - use of both free and common commercial certificates for testing. - The list of certificate authorities used by InQueue is:

- - -
- -

2.4 Attributes

-

The InQueue - Federation specifies a set of attribute definitions to support basic - attribute-based authorization.

-
    -
  1. Attribute assertions issued or received by InQueue members including eduPerson attributes should conform to the syntax and semantics defined by the eduPerson 2003/12 specification. - -
      -
    • urn:mace:dir:attribute-def:eduPersonEntitlement
    • -
    • urn:mace:dir:attribute-def:eduPersonPrincipalName
    • -
    • urn:mace:dir:attribute-def:eduPersonScopedAffiliation
    • -
  2. -
  3. If a Federation member sends or receives an Attribute Assertion - containing the InQueue policy uri and referencing one of the listed - attributes, - the syntax and semantics of the associated attribute value should - conform - to the definitions specified in the relevant IETF RFCs. - -
      -
    • cn -
    • sn -
    • telephoneNumber -
    • title -
    • initials -
    • description -
    • carLicense -
    • departmentNumber -
    • displayName -
    • employeeNumber -
    • employeeType -
    • preferredLanguage -
    • manager -
    • roomNumber -
    • seeAlso -
    • facsimileTelephoneNumber -
    • street -
    • postOfficeBox -
    • postalCode -
    • st -
    • givenName -
    • l -
    • businessCategory -
    • ou -
    • physicalDeliveryOfficeName -
    -
  4. If a Federation member sends or receives an eduPersonEntitlement Attribute Assertion - containing the InQueue policy uri and containing one of the listed - values, - the syntax and semantics of the associated attribute value should - conform - to these definitions - -
      -
    • urn:mace:incommon:entitlement:common:1 -

      The person possesses an eduPersonAffiliation value of faculty, staff, or student, or qualifies as a "library walk-in". - -

    -
-
- -

3. Joining InQueue

- -

To join InQueue, origins submit a request to - inqueue-support@internet2.edu containing the following - information:

- -
-
- -

To join InQueue, targets must submit a basic application to - inqueue-support@internet2.edu containing the following - information:

- -
- -
- -

4. Configuration for Using InQueue

- -

Once your site is accepted into and added to InQueue, - the following configuration parameters must be entered to ensure - interoperability and compliance with federation guidelines. Consult - the Shibboleth Deploy Guides for further information on these fields - and on origin.xml and shibboleth.xml.

- -
4.a. Origins:
-

The following steps must be undertaken to configure a - standard Shibboleth origin configuration to use InQueue. Some - steps may vary or may be completed already depending on how - origin.xml has already been - modified.

-
    -
  1. ShibbolethOriginConfig must be modified as follows: -
      -
    • providerId must be - populated with a URI that will be assigned by InQueue - when you are accepted into the federation.
    • -
    • defaultRelyingParty - should be changed to urn:mace:inqueue.
    • -
    • Ensure that AAUrl has - been changed to reflect the value sent in with the - application.
    • -
  2. -
  3. Uncomment the InQueue RelyingParty element. If the default providerId as specified in ShibbolethOriginConfig is not the one supplied by InQueue, modify the providerId to match the value assigned by InQueue to this origin.
  4. -
  5. A new KeyStoreResolver or FileResolver element must be added pointing to the private key and certificate for use by this origin. See section 4.b of the origin deploy guide for further information.
  6. -
  7. Uncomment the FederationProvider element for InQueue.
  8. -
  9. OpenSSL must also be configured to use the - appropriate set of trusted roots for the issuance of SSL - certificates that Shibboleth trusts. For InQueue, this list may - be obtained from http://wayf.internet2.edu/InQueue/ca-bundle.crt. - This list should then be copied for mod_ssl, which will typically need to - be to /conf/ssl.crt/ca-bundle.crt. This - list of CA's is not rigorous nor secure and may contain - CA's which have no level of assurance or are questionable.
  10. -
-
- -
4.b. Targets:
- -

The following steps must be undertaken to configure a - standard Shibboleth target configuration to use InQueue. Some - steps may vary or may be completed already depending on how - shibboleth.xml has already been - modified. This guide covers modification of the default Applications element from localhost - operation to InQueue operation for simplicity's sake.

-
    -
  1. The providerId attribute of the Applications element should be changed to the InQueue-assigned value.
  2. -
  3. Ensure that the Sessions element's wayfURL is https://wayf.internet2.edu/InQueue/WAYF.
  4. -
  5. Uncomment the InQueue RelyingParty element within the CredentialsUse element.
  6. -
  7. Uncomment the FileResolver element with a Id of inqueuecreds. The key path, key password, and certificate path should be modified to match new credentials generated according to section 4.c of the target deploy guide.
  8. -
-
- -
4.c. Refreshing Federation Metadata:
-

Shibboleth 1.2 includes new metadata both for origin sites - and for target sites. The origin has the metadatatool and the target uses - the siterefresh tool to maintain - locally cached versions of various files. Once your site - is accepted into the InQueue federation, it is necessary - that you periodically update the federation's metadata. - This metadata includes information used to identify and - authenticate InQueue sites. This should be frequently run - by adding it to a crontab to - ensure that the data is fresh.

- -

InQueue's metadata is digitally signed, so the first step is to obtain the InQueue signing certificate. - It can be downloaded from http://wayf.internet2.edu/InQueue/inqueue.pem - and has a fingerprint of:

-

b4 42 6c 1e 8b 7d 8e b3 68 03 00 e4 c4 57 dd 74 89 f8 9a 80.

- -

The following commands can be used to obtain the federation's metadata for a Shibboleth 1.2 target:

-
- $ cd /opt/shibboleth/etc/shibboleth
- $ ../../bin/siterefresh --url http://wayf.internet2.edu/InQueue/IQ-sites.xml --out IQ-sites.xml --cert inqueue.pem
- $ ../../bin/siterefresh --url http://wayf.internet2.edu/InQueue/IQ-trust.xml --out IQ-trust.xml --cert inqueue.pem
-
- -

The origin metadatatool's operation is greatly simplified - if a keystore file is downloaded from https://wayf.internet2.edu/InQueue/inqueue.jks - and placed in the same directory as metadatatool. After this has been - done, the following commands can be used to obtain the - federation's metadata for a Shibboleth origin:

-
metadatatool -i http://wayf.internet2.edu/InQueue/IQ-sites.xml -o IQ-sites.xml -k inqueue.jks -a inqueue -
-
- -

5. Testing

-

A sample shibboleth target - is available for testing newly installed origin sites. New targets can make use of a sample origin, - which is listed as "Example State University" on the InQueue WAYF ( Username: demo / Password: demo ).

- - \ No newline at end of file diff --git a/doc/Makefile.am b/doc/Makefile.am index 89f52d4..e3f76c3 100644 --- a/doc/Makefile.am +++ b/doc/Makefile.am @@ -12,7 +12,6 @@ pkgdoc_DATA = \ OPENSSL.LICENSE \ LOG4CPP.LICENSE \ CURL.LICENSE \ - InQueue.html \ mysql-4.0.12.diff \ main.css \ logo.jpg \ No newline at end of file diff --git a/doc/README.txt b/doc/README.txt index 5c4a996..8762bb6 100644 --- a/doc/README.txt +++ b/doc/README.txt @@ -1,20 +1,19 @@ -11/15/04 -Version 1.2.1 +6/15/04 +Version 1.3 Welcome to Internet2's Shibboleth -Shibboleth is a federated authentication and authorization system based on -SAML being developed by Internet2 and MACE. +Shibboleth is a federated web authentication and attribute exchange system +based on SAML developed by Internet2 and MACE. Please review the terms described in the LICENSE file before using this -code. It is similar to the Apache 1.1 license. +code. It is now the Apache 2.0 license. A wealth of information about Shibboleth can be found at http://shibboleth.internet2.edu/ -Shibboleth is divided into both origin and target side components, with the -origin in Java and the target in C and C++. Some target functionality can be -used from Java with additional programming. +Shibboleth is divided into identity and service provider components, with the +IdP in Java and the SP in C and C++. A Java SP is in development. Source and binary distributions are available from http://wayf.internet2.edu/shibboleth/ 
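Review bot: deleting doc/InQueue.html removes the only in-tree instructions for obtaining the InQueue metadata signing certificate, checking its fingerprint before passing it to `siterefresh --cert`, and the warning that the InQueue ca-bundle contains CAs "which have no level of assurance or are questionable", yet INSTALL.txt in this commit still tells deployers to run shibtest against the InQueue example origin "known to the SP after initial installation". The document is 1.2-era (Version 1.2, May 19, 2004, ShibbolethOriginConfig and shibboleth.xml element names) so dropping it from the 1.3 tree is reasonable, but INSTALL.txt should gain a pointer to where the current federation configuration and certificate-verification guidance lives. The matching removal of `-	InQueue.html \` from pkgdoc_DATA in doc/Makefile.am is consistent with the deletion.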
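Review bot: the README header hunk sets the date to `+6/15/04`, one year behind the `+6/15/05` used in the INSTALL.txt header hunk of this same commit and behind the commit date itself; this looks like a typo for 6/15/05. The same hunk also states "It is now the Apache 2.0 license" but no change to the LICENSE file appears in this diff, so confirm LICENSE was actually switched (or is in a separate commit) before the README asserts it.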
@@ -24,24 +23,6 @@ site. Mailing lists and a bugzilla (http://bugzilla.internet2.edu/) are also available. Not all of the lists are open, but a general support list is available and is open. -For basic information on installing binaries and deploying Shibboleth, see the -Deploy Guides in this directory. For source build assistance, see the -INSTALL.txt file. - -Acknowledgements: ------------------ - -We wish to acknowledge the following copyrighted works that make up -portions of this software: - -This product includes software developed by the OpenSSL Project -for use in the OpenSSL Toolkit. (http://www.openssl.org/). - -This product includes software developed by the Apache Software -Foundation (http://www.apache.org/). - -This project uses libraries covered by the Lesser GNU Public License. -Source code for these libraries is available on request. - -This project includes software developed by the National Research Council -of Canada. +For basic information on installing binaries and deploying Shibboleth, refer +to the web site for the latest documentation. For source build assistance, +see the INSTALL.txt file.
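Review bot: the @@ -24 hunk deletes the entire Acknowledgements block, including `-This product includes software developed by the OpenSSL Project` `-for use in the OpenSSL Toolkit. (http://www.openssl.org/).`; clause 6 of the OpenSSL License requires that acknowledgment in redistributions of any form, and doc/Makefile.am still installs OPENSSL.LICENSE, so moving to Apache 2.0 for Shibboleth's own code does not remove the obligation. The same goes for the LGPL sentence "Source code for these libraries is available on request", which served as the written offer of library source that LGPL 2.1 section 6 expects when binaries link LGPL libraries. Keep these notices in README or move them to a NOTICE file shipped alongside the licenses rather than dropping them.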