From 209fb8deaa364674ded78cbed25816add08cce73 Mon Sep 17 00:00:00 2001
From: cantor
The InQueue Federation, operated by Internet2, is designed for
- organizations that are becoming familiar with the Shibboleth software
- package and the federated trust model. InQueue provides the basic
+ organizations that are becoming familiar with the Shibboleth
+ software package and the federated trust model. It is also
+ available as a temporary alternative to sites for which no suitable
+ production-level federation exists. InQueue provides the basic
services needed for a federation using Shibboleth: The InQueue federation is specifically not intended to support
production-level end-user access to protected resources. Organizations
operating target sites are strongly discouraged from making sensitive or
- valuable resources available via the Federation.
- Version 1.1
- August 4, 2003
+ Version 1.2
+ May 19, 2004
InQueue Federation Policy and Configuration Guidelines
1. Introduction to InQueue
@@ -169,7 +64,10 @@
InQueue distributes a set of root certificates for - issuers from which server certificates may be obtained to identify - InQueue server components. - Additionally, sites with certificates not rooted - in one of these trusted roots may have these certificates added to the - appropriate trust file. Targets must have a certificate signed by an - acceptible CA. The list of certificate authorities used by - InQueue is:
+ issuers from which server certificates may be obtained to identify + InQueue server components. Both targets and origins should have a + certificate obtained from one of the authorities below. Additional + certificate authorities may be recognized as necessary to support + use of both free and common commercial certificates for testing. + The list of certificate authorities used by InQueue is:- -
- Verisign/RSA Secure Server CA
- Internet2 HEPKI Test CA
- CREN CA
+- Thawte Server & Premium Server CA's
+- InCommon CA
For origins, OpenSSL must also be configured to use the - appropriate set of trusted roots for the issuance of SSL - certificates that Shibboleth trusts. For InQueue, this list may - be obtained from http://wayf.internet2.edu/InQueue/ca-bundle. - crt. This list should then be copied for mod_ssl, which will typically need to - be to /conf/ssl.crt/ca-bundle.crt. This - list of CA's is not rigorous nor secure and may contain - CA's which have no level of assurance or are questionable.
+
+ $ openssl x509 -in <file> -subject -nameopt rfc2253 +
+ and on origin.xml and shibboleth.xml.To join InQueue, targets must submit a basic application to @@ -345,8 +231,26 @@
@@ -356,48 +260,103 @@ the following configuration parameters must be entered to ensure interoperability and compliance with federation guidelines. Consult the Shibboleth Deploy Guides for further information on these fields - and on origin.properties and shibboleth.ini.
- The name of the organization
-- Contact names and addresses for both administrative and - technical purposes
+- Contact names and e-mail addresses for techincal and + administrative issues.
+- The CN (usually the hostname) or the full subject of the + SHAR's certificate's subject. If the certificate is readable + by OpenSSL (not keytool), this value can be obtained using + the following command: +
++ $ openssl x509 -in <file> -subject -nameopt rfc2253 +- The URL of all SHIRE locations (specified using a + shireURL attribute in a Sessions element) set up for this + organization, e.g. https://example.org/Shibboleth.shire. + Note that the assumption is that access will only occur over + the protocol specified by the SHIRE URL submitted (https or http); if there is a desire to listen + on both ports, this should be noted in the application.
4.a. Origins:
- -+
- edu.internet2.middleware.shibboleth.hs.HandleServlet.siteName -
Must be populated with a URI that will - be assigned by InQueue when you are accepted into the - federation.
- edu.internet2.middleware.shibboleth.audiences -
This field must contain InQueue's urn:mace:inqueue URI, and may contain other federation URIs as well.
The following steps must be undertaken to configure a + standard Shibboleth origin configuration to use InQueue. Some + steps may vary or may be completed already depending on how + origin.xml has already been + modified.
++
- ShibbolethOriginConfig must be modified as follows: +
++
- providerId must be + populated with a URI that will be assigned by InQueue + when you are accepted into the federation.
+- defaultRelyingParty + should be changed to urn:mace:inqueue.
+- Ensure that AAUrl has + been changed to reflect the value sent in with the + application.
+- Uncomment the InQueue RelyingParty element. If the default providerId as specified in ShibbolethOriginConfig is not the one supplied by InQueue, modify the providerId to match the value assigned by InQueue to this origin.
+- A new KeyStoreResolver or FileResolver element must be added pointing to the private key and certificate for use by this origin. See section 4.b of the origin deploy guide for further information.
+- Uncomment the FederationProvider element for InQueue.
+- OpenSSL must also be configured to use the + appropriate set of trusted roots for the issuance of SSL + certificates that Shibboleth trusts. For InQueue, this list may + be obtained from http://wayf.internet2.edu/InQueue/ca-bundle.crt. + This list should then be copied for mod_ssl, which will typically need to + be to /conf/ssl.crt/ca-bundle.crt. This + list of CA's is not rigorous nor secure and may contain + CA's which have no level of assurance or are questionable.
+
-4.b. Targets:
-+
- wayfURL -
This field must be set to InQueue's simple WAYF at https://wayf.internet2.edu/InQueue/WAYF.
- [policies] -
- -
This section must contain InQueue = urn:mace:inqueue, and may - contain other federation name/value pairs as well.
The following steps must be undertaken to configure a + standard Shibboleth target configuration to use InQueue. Some + steps may vary or may be completed already depending on how + shibboleth.xml has already been + modified. This guide covers modification of the default Applications element from localhost + operation to InQueue operation for simplicity's sake.
++
- The providerId attribute of the Applications element should be changed to the InQueue-assigned value.
+- Ensure that the Sessions element's wayfURL is https://wayf.internet2.edu/InQueue/WAYF.
+- Uncomment the InQueue RelyingParty element within the CredentialsUse element.
+- Uncomment the FileResolver element with a Id of inqueuecreds. The key path, key password, and certificate path should be modified to match new credentials generated according to section 4.c of the target deploy guide.
+
4.b.i. Refreshing Federation Metadata:
-Once your target site is accepted into the InQueue federation, it is necessary that you periodically - update the target's federation metadata. This metadata includes information used to identify and authenticate - InQueue sites.
+4.c. Refreshing Federation Metadata:
+Shibboleth 1.2 includes new metadata both for origin sites + and for target sites. The origin has the metadatatool and the target uses + the siterefresh tool to maintain + locally cached versions of various files. Once your site + is accepted into the InQueue federation, it is necessary + that you periodically update the federation's metadata. + This metadata includes information used to identify and + authenticate InQueue sites. This should be frequently run + by adding it to a crontab to + ensure that the data is fresh.
InQueue's metadata is digitally signed, so the first step is to obtain the InQueue signing certificate. - It can be downloaded from http://wayf.internet2.edu/InQueue/internet2.pem + It can be downloaded from http://wayf.internet2.edu/InQueue/inqueue.pem and has a fingerprint of:
-b4 42 6c 1e 8b 7d 8e b3 68 03 00 e4 c4 57 dd 74 89 f8 9a 80.
- -The following commands can be used to obtain the federation's metadata:
-$ cd /opt/shibboleth/etc/shibboleth
-$ ../../bin/siterefresh --url http://wayf.internet2.edu/InQueue/sites.xml - --out sites.xml --cert internet2.pem
-$ ../../bin/siterefresh --url http://wayf.internet2.edu/InQueue/trust.xml - --out trust.xml --cert internet2.pem
+b4 42 6c 1e 8b 7d 8e b3 68 03 00 e4 c4 57 dd 74 89 f8 9a 80.
+ +The following commands can be used to obtain the federation's metadata for a Shibboleth 1.2 target:
++ $ cd /opt/shibboleth/etc/shibboleth+ +
+ $ ../../bin/siterefresh --url http://wayf.internet2.edu/InQueue/IQ-sites.xml --out IQ-sites.xml --cert inqueue.pem
+ $ ../../bin/siterefresh --url http://wayf.internet2.edu/InQueue/IQ-trust.xml --out IQ-trust.xml --cert inqueue.pem +The origin metadatatool's operation is greatly simplified + if a keystore file is downloaded from https://wayf.internet2.edu/InQueue/inqueue.jks + and placed in the same directory as metadatatool. After this has been + done, the following commands can be used to obtain the + federation's metadata for a Shibboleth origin:
+metadatatool -i http://wayf.internet2.edu/InQueue/IQ-sites.xml -o IQ-sites.xml -k inqueue.jks -a inqueue +5. Testing
-- -A sample shibboleth target is available for testing newly installed origin sites. New targets can make use of a sample origin, which is listed as "Example State University" on the InQueue WAYF ( Username: demo / Password: demo ).