...

Note that not every attribute whose value contains an '@' character is actually "scoped" in this sense. For example, email addresses are similar in form, and always contain a domain qualifier, but are not typically processed by scope-aware SAML software as discrete "value" and "domain" components.

...

After receiving a scoped attribute from the IdP, some SP software can be configured to compare the asserted scope to the scope value(s) in metadata or to a locally defined list. The scoped attribute value is accepted by the SP if and only if its asserted scope matches a scope value in metadata or one that is manually configured; a value whose scope matches neither is discarded. The Shibboleth SP software is configured this way by default. Other SP software may require explicit configuration or, in many cases, may not support the <shibmd:Scope> element at all, in which case nothing stops the IdP from asserting values in any scope it likes.

...

To prevent an IdP from asserting scoped attribute values in arbitrary scopes, the permissible scopes are called out in IdP metadata:

<md:Extensions xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
  <shibmd:Scope regexp="false"
      xmlns:shibmd="urn:mace:shibboleth:metadata:1.0">internet2.edu</shibmd:Scope>
</md:Extensions>
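The following is an added example, not code from the original page or from the Shibboleth project. It implements the acceptance rule described above (a scoped value is kept if and only if its asserted scope matches a <shibmd:Scope> in metadata) against a constructed copy of the metadata fragment, extended with a second Scope element in regexp form (the shibmd:Scope element's regexp="true" means its content is a regular expression). It also shows the earlier caveat about "@" in non-scoped attributes: a hypothetical SCOPED_ATTRIBUTES set decides which attributes are checked, and mail is deliberately left out of it. Assumptions: literal scopes are compared case-insensitively, regexp scopes must match the whole asserted scope, and all attribute values and metadata are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
SHIBMD_NS = "urn:mace:shibboleth:metadata:1.0"

# Constructed sample metadata: the page's fragment plus a second Scope in
# regexp form. Not taken from any real IdP.
IDP_METADATA = f"""<md:Extensions xmlns:md="{MD_NS}"
        xmlns:shibmd="{SHIBMD_NS}">
  <shibmd:Scope regexp="false">internet2.edu</shibmd:Scope>
  <shibmd:Scope regexp="true">^[a-z0-9-]+\\.example\\.edu$</shibmd:Scope>
</md:Extensions>"""

# Hypothetical SP configuration: which attributes are treated as scoped.
# 'mail' is deliberately absent; it contains '@' but is not a scoped attribute.
SCOPED_ATTRIBUTES = {"eduPersonPrincipalName", "eduPersonScopedAffiliation"}


def load_scopes(metadata_xml):
    """Return [(content, is_regexp)] for every shibmd:Scope element found."""
    root = ET.fromstring(metadata_xml)
    scopes = []
    for el in root.iter(f"{{{SHIBMD_NS}}}Scope"):
        is_regexp = el.get("regexp", "false").strip().lower() in ("true", "1")
        scopes.append(((el.text or "").strip(), is_regexp))
    return scopes


def split_scoped(value):
    """Split 'value@scope' into (value, scope).

    Returns None unless there is exactly one '@' with non-empty text on
    both sides; anything else is not a well-formed scoped value.
    """
    parts = value.split("@")
    if len(parts) != 2 or not parts[0] or not parts[1]:
        return None
    return parts[0], parts[1]


def scope_permitted(scope, scopes):
    """True iff the asserted scope matches a permitted scope.

    Assumptions of this example: literal scopes are compared
    case-insensitively (they are DNS-style names), and a regexp scope must
    match the entire asserted scope so that 'internet2.edu.attacker.example'
    cannot slip past a pattern meant for 'internet2.edu'. Confirm the exact
    matching semantics of the SP you deploy.
    """
    for content, is_regexp in scopes:
        if is_regexp:
            if re.fullmatch(content, scope, re.IGNORECASE):
                return True
        elif content.lower() == scope.lower():
            return True
    return False


def filter_attribute(name, values, scopes):
    """Apply the scope check to one attribute's values.

    Returns (accepted, rejected). Attributes not configured as scoped pass
    through untouched, which is why 'mail' is never filtered here.
    """
    if name not in SCOPED_ATTRIBUTES:
        return list(values), []
    accepted, rejected = [], []
    for v in values:
        parsed = split_scoped(v)
        if parsed and scope_permitted(parsed[1], scopes):
            accepted.append(v)
        else:
            rejected.append(v)
    return accepted, rejected


if __name__ == "__main__":
    permitted = load_scopes(IDP_METADATA)
    # Constructed attribute values as an IdP might assert them
    print(filter_attribute("eduPersonPrincipalName",
                           ["alice@internet2.edu",
                            "mallory@internet2.edu.attacker.example",
                            "carol@cs.example.edu"], permitted))
    print(filter_attribute("mail", ["alice@somewhere.example"], permitted))
```

The rejection of mallory@internet2.edu.attacker.example is the point of the check: without it, any IdP the SP trusts for authentication could mint identifiers that look like they belong to internet2.edu.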

...