From aea7d39880c3f96419aba34af742683869f436f9 Mon Sep 17 00:00:00 2001 From: wassa Date: Wed, 18 Jun 2003 19:14:15 +0000 Subject: [PATCH] Many changes. git-svn-id: https://svn.middleware.georgetown.edu/cpp-sp/trunk@527 cb58f699-b61c-0410-a6fe-9272a202ed29 --- doc/InQueue.html | 617 ++++++++++++++++++++++++++++++------------------------- 1 file changed, 333 insertions(+), 284 deletions(-) diff --git a/doc/InQueue.html b/doc/InQueue.html index 2b065f3..3721bb4 100644 --- a/doc/InQueue.html +++ b/doc/InQueue.html @@ -1,284 +1,333 @@ - - - InQueue Federation Interim Configuration and Policy Guidelines - - - - - - - - InQueue Configuration and Policy Guidelines
- draft-internet2-inqueue-guidelines-01.html
- Nate Klingenstein
- 17 June, 2003
- Comments should be directed to ndk@internet2.edu.
- -

InQueue Federation Interim Configuration and Policy Guidelines

- -
These are interim guidelines intended to allow InQueue to operate as -a federation before full production requirements are known.
- -

1. Introduction to InQueue

-

InQueue is a simple federation designed to support - interoperability between origin and target sites as organizations - become familiarized with Shibboleth and the federated trust model. It - will provide basic federated services including maintenance of a WAYF - and trust and metadata files. It will give a best effort to ensuring - that all sites admitted are representative of their organizations. It - will define a basic set of attributes to aid - interoperability.

- -

InQueue is not intended to be a production federation, - and organizations will be expected to progress from InQueue to an - appropriate federation. Using InQueue for production services is not - advised due to the lack of a formal application and membership - process, and the lowered level of assurance that a site is indeed - representative of a community this brings. Additionally, InQueue - recognizes many CA's, some of which do not maintain a CP/CPS or - rigorous issuance standards.

- -

2. Joining InQueue

-

Sites may join InQueue as an origin, as a target, or - submit both sets of information to join as both a target and an - origin. Origins must assert before joining that all attributes sent - to targets in the federation to the best of their knowledge accurately - represent information about the authenticated individual accessing the - target resource. Targets must agree to dispose of all received - attributes properly by not mis-using them, aggregating them, or - sharing them with other organizations.

- -

InQueue will distribute a set of trusted CA roots from - whom certificates for architectural components are acceptible for - InQueue membership. Additionally, sites with certificates not rooted - in one of these trusted roots may have these certificates added to the - appropriate trust file. Targets must have a certificate signed by an - acceptible CA. The list of certificate authorities recognized by - InQueue is:

- -
-
* The certificates issued by this CA will expire - fairly quickly and should only be used for testing.
-
- -

To join InQueue, origins must submit a basic application to - shib-support@internet2.edu containing the following - information:

- - - -

To join InQueue, targets must submit a basic application to - shib-support@internet2.edu containing the following - information:

- - - -

3. Configuration for Using InQueue

- -

Once your site is accepted into and added to InQueue, - the following configuration parameters must be entered to ensure - interoperability and compliance with federation guidelines. Consult - the Shibboleth Deploy Guides for further information on these fields - and on origin.properties and shibboleth.ini.

- -

Origins:

- -
edu.internet2.middleware.shibboleth.hs.HandleServlet.siteName -

Must be populated with a URI that will - be assigned by InQueue when you are accepted into the - federation.

edu.internet2.middleware.shibboleth.audiences -

This field must contain InQueue's urn:mace:inqueue URI, and may contain other federation URIs as well.

-
- -

Targets:

- -
wayfURL -

This field must be set to InQueue's simple WAYF at https://wayf.internet2.edu/InQueue/WAYF.

[policies] -

This section must contain InQueue = urn:mace:inqueue, and may - contain other federation name/value pairs as well.

siterefresh -

The URL for the metadata.xml file for InQueue is http://wayf.internet2.edu/InQueue/sites.xml. - The URL for the trust.xml - file for InQueue is http://wayf.internet2.edu/InQueue/trust.xml. - The signing certificate used for these files may be found at - http://wayf.internet2.edu/InQueue/internet2.pem - and has the fingerprint b4 42 6c 1e - 8b 7d 8e b3 68 03 00 e4 c4 57 dd 74 89 f8 9a 80.

-
- -

4. Attributes

-

In order to facilitate basic interoperability, the InQueue - Federation is promulgating a set of Attribute definitions for use by its - members. If a Federation member sends or receives an Attribute Assertion - containing the InQueue policy uri and referencing one of the listed attributes, - then the syntax and semantics of the associated attribute value MUST conform - to the definitions specified in the EduPerson specification 2002/10 -

- - - -

5. Sample Target

-

A sample shibboleth target - is available for testing newly installed origin sites.

- - + + + + InQueue Federation Policy and Configuration Guidelines + + + InQueue Federation Policy and Configuration Guidelines
+ draft-internet2-inqueue-guidelines-02.html
+ Nate Klingenstein
+ RL 'Bob' Morgan
+ 2003-06-17
+ +

InQueue Federation Policy and Configuration Guidelines

+ +

1. Introduction to InQueue

+

+ The InQueue Federation, operated by Internet2, is designed for + organizations that are becoming familiar with the Shibboleth software + package and the federated trust model. InQueue provides the basic + services needed for a federation using Shibboleth:

+ + + +

Participating in InQueue permits an organization to learn about the + Shibboleth software via the experience of multi-party federated access, + while integrating its services into the organization's procedures and + policies.

+ +

The InQueue federation is specifically not intended to support + production-level end-user access to protected resources. Organizations + operating target sites are strongly discouraged from making sensitive or + valuable resources available via the Federation.

+
+ +

2. InQueue Policies

+ +

2.1 Participation

+ +

An organization may join InQueue as an origin, as a + target, or both. + Participants are expected to be authorized representatives of + their organization. Internet2 reserves the right to make final + decisions about participation in the Federation.

+ +

Participation in the Federation is limited to the period during which + an organization is learning about Shibboleth and federated operations. Upon + completion of this period, the organization is expected to join a + Federation (or some other management solution) that meets its long-term + operational needs. +

+ +

2.2 Data management

+ +

+ By participating, origins agree that all attributes sent + to targets in the Federation to the best of their knowledge accurately + represent information about the authenticated individual accessing the + target resource.

+ +

Targets agree to dispose of all received + attributes properly by not mis-using them, aggregating them, or + sharing them with other organizations.

+ +

2.3 Security management

+ +

InQueue distributes a set of root certificates for + issuers from which server certificates may be obtained to identify + InQueue server components. + Additionally, sites with certificates not rooted + in one of these trusted roots may have these certificates added to the + appropriate trust file. Targets must have a certificate signed by an + acceptible CA. The list of certificate authorities used by + InQueue is:

+ +
+ +

2.4 Attributes

+

The InQueue + Federation specifies a set of attribute definitions to support basic + attribute-based authorization. + If a Federation member sends or receives an Attribute Assertion + containing the InQueue policy uri and referencing one of the listed + attributes, + the syntax and semantics of the associated attribute value should + conform + to the definitions specified in the EduPerson specification 2002/10 +

+ + +
+ +

3. Joining InQueue

+ +

To join InQueue, origins submit a request to + shib-support@internet2.edu containing the following + information:

+ +
+
+ +

To join InQueue, targets must submit a basic application to + shib-support@internet2.edu containing the following + information:

+ +
+ +
+ +

4. Configuration for Using InQueue

+ +

Once your site is accepted into and added to InQueue, + the following configuration parameters must be entered to ensure + interoperability and compliance with federation guidelines. Consult + the Shibboleth Deploy Guides for further information on these fields + and on origin.properties and shibboleth.ini.

+ +
4.a. Origins:
+ +
edu.internet2.middleware.shibboleth.hs.HandleServlet.siteName +

Must be populated with a URI that will + be assigned by InQueue when you are accepted into the + federation.

edu.internet2.middleware.shibboleth.audiences +

This field must contain InQueue's urn:mace:inqueue URI, and may contain other federation URIs as well.

+
+ +
4.b. Targets:
+ +
wayfURL +

This field must be set to InQueue's simple WAYF at https://wayf.internet2.edu/InQueue/WAYF.

[policies] +

This section must contain InQueue = urn:mace:inqueue, and may + contain other federation name/value pairs as well.

+
+
+ +
4.b.i. Refreshing Federation Metadata:
+

Once your target site is accepted into the InQueue federation, it is necessary that you periodically + update the target's federation metadata. This metadata includes information used to identify and authenticate + InQueue sites.

+ +

InQueue's metadata is digitally signed, so the first step is to obtain the InQueue signing certificate. + It can be downloaded from http://wayf.internet2.edu/InQueue/internet2.pem + and has a fingerprint of:

+

b4 42 6c 1e 8b 7d 8e b3 68 03 00 e4 c4 57 dd 74 89 f8 9a 80.

+ +

The following commands can be used to obtain the federation's metadata:

+

$ cd /opt/shibboleth/etc/shibboleth

+

$ ../../bin/siterefresh --url http://wayf.internet2.edu/InQueue/sites.xml + --out sites.xml --cert internet2.pem

+

$ ../../bin/siterefresh --url http://wayf.internet2.edu/InQueue/trust.xml + --out trust.xml --cert internet2.pem

+
+ +

5. Testing

+

A sample shibboleth target + is available for testing newly installed origin sites. New targets can make use of a sample origin, + which is listed as "Example State University" on the InQueue WAYF ( Username: demo / Password: demo ).

+ + + -- 2.1.4
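Review bot: The new section 4.b.i lists the signing certificate's fingerprint (b4 42 6c 1e ... 9a 80) but never instructs the reader to compare the downloaded internet2.pem against it before handing it to `siterefresh --cert`; because internet2.pem, sites.xml and trust.xml are all retrieved over plain http, that fingerprint comparison is the only integrity check in the whole procedure, so add a step between the fingerprint and the command listing along the lines of "Verify that the fingerprint of the downloaded certificate matches the value above before using it with siterefresh." Two smaller points: the spellings "acceptible" (section 2.3) and "mis-using" (section 2.2) are carried over unchanged from the old text and should read "acceptable" and "misusing", and the draft-02 header date 2003-06-17 is the same day as draft-01's "17 June, 2003" even though this commit is dated 18 Jun 2003, so one of the two dates is probably stale.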