InQueue Federation Policy and Configuration Guidelines
Version 1.1
August 4, 2003

InQueue Federation Policy and Configuration Guidelines

1. Introduction to InQueue

The InQueue Federation, operated by Internet2, is designed for organizations that are becoming familiar with the Shibboleth software package and the federated trust model. InQueue provides the basic services needed for a federation using Shibboleth:

Participating in InQueue permits an organization to learn about the Shibboleth software via the experience of multi-party federated access, while integrating its services into the organization's procedures and policies.

The InQueue federation is specifically not intended to support production-level end-user access to protected resources. Organizations operating target sites are strongly discouraged from making sensitive or valuable resources available via the Federation.

2. InQueue Policies

2.1 Participation

An organization may join InQueue as an origin, as a target, or both. Participants are expected to be authorized representatives of their organization. Internet2 reserves the right to make final decisions about participation in the Federation.

Participation in the Federation is limited to the period during which an organization is learning about Shibboleth and federated operations. Upon completion of this period, the organization is expected to join a Federation (or some other management solution) that meets its long-term operational needs.

By joining InQueue, an organization agrees that the Federation can list their name on the Federation web site as a member of the Federation.

In joining InQueue, an organization will make a good faith effort to maintain a web page describing their use of Shibboleth. This page will be linked from the Federation member list.

2.2 Data management

By participating, origins agree that all attributes sent to targets in the Federation to the best of their knowledge accurately represent information about the authenticated individual accessing the target resource.

Targets agree to dispose of all received attributes properly by not mis-using them, aggregating them, or sharing them with other organizations.

2.3 Security management

InQueue distributes a set of root certificates for issuers from which server certificates may be obtained to identify InQueue server components. Additionally, sites with certificates not rooted in one of these trusted roots may have these certificates added to the appropriate trust file. Targets must have a certificate signed by an acceptible CA. The list of certificate authorities used by InQueue is:

2.4 Attributes

The InQueue Federation specifies a set of attribute definitions to support basic attribute-based authorization.

  1. If a Federation member sends or receives an Attribute Assertion containing the InQueue policy uri and referencing one of the listed attributes, the syntax and semantics of the associated attribute value should conform to the definitions specified in the EduPerson specification 2002/10
    • eduPersonPrincipalName
    • eduPersonEntitlement
    • eduPersonAffiliation (expressed in a slightly different form via a new attribute called eduPersonScopedAffiliation)
  2. If a Federation member sends or receives an Attribute Assertion containing the InQueue policy uri and referencing one of the listed attributes, the syntax and semantics of the associated attribute value should conform to the definitions specified in the relevant IETF RFCs.
    • cn
    • sn
    • telephoneNumber
    • title
    • initials
    • description
    • carLicense
    • departmentNumber
    • displayName
    • employeeNumber
    • employeeType
    • preferredLanguage
    • manager
    • roomNumber
    • seeAlso
    • facsimileTelephoneNumber
    • street
    • postOfficeBox
    • postalCode
    • st
    • givenName
    • l
    • businessCategory
    • ou
    • physicalDeliveryOfficeName
  3. If a Federation member sends or receives an eduPersonEntitlement Attribute Assertion containing the InQueue policy uri and containing one of the listed values, the syntax and semantics of the associated attribute value should conform to these definitions
    • urn:mace:incommon:entitlement:common:1

      The person possesses an eduPersonAffiliation value of faculty, staff, or student, or qualifies as a "library walk-in".

3. Joining InQueue

To join InQueue, origins submit a request to shib-support@internet2.edu containing the following information:

To join InQueue, targets must submit a basic application to shib-support@internet2.edu containing the following information:

4. Configuration for Using InQueue

Once your site is accepted into and added to InQueue, the following configuration parameters must be entered to ensure interoperability and compliance with federation guidelines. Consult the Shibboleth Deploy Guides for further information on these fields and on origin.properties and shibboleth.ini.

4.a. Origins:
edu.internet2.middleware.shibboleth.hs.HandleServlet.siteName

Must be populated with a URI that will be assigned by InQueue when you are accepted into the federation.

edu.internet2.middleware.shibboleth.audiences

This field must contain InQueue's urn:mace:inqueue URI, and may contain other federation URIs as well.

4.b. Targets:
wayfURL

This field must be set to InQueue's simple WAYF at https://wayf.internet2.edu/InQueue/WAYF.

[policies]

This section must contain InQueue = urn:mace:inqueue, and may contain other federation name/value pairs as well.

4.b.i. Refreshing Federation Metadata:

Once your target site is accepted into the InQueue federation, it is necessary that you periodically update the target's federation metadata. This metadata includes information used to identify and authenticate InQueue sites.

InQueue's metadata is digitally signed, so the first step is to obtain the InQueue signing certificate. It can be downloaded from http://wayf.internet2.edu/InQueue/internet2.pem and has a fingerprint of:

b4 42 6c 1e 8b 7d 8e b3 68 03 00 e4 c4 57 dd 74 89 f8 9a 80.

The following commands can be used to obtain the federation's metadata:

$ cd /opt/shibboleth/etc/shibboleth

$ ../../bin/siterefresh --url http://wayf.internet2.edu/InQueue/sites.xml --out sites.xml --cert internet2.pem

$ ../../bin/siterefresh --url http://wayf.internet2.edu/InQueue/trust.xml --out trust.xml --cert internet2.pem

5. Testing

A sample shibboleth target is available for testing newly installed origin sites. New targets can make use of a sample origin, which is listed as "Example State University" on the InQueue WAYF ( Username: demo / Password: demo ).