...

Scopes in metadata:

```xml
<shibmd:Scope regexp="false">osu.edu</shibmd:Scope>
<shibmd:Scope regexp="false">internet2.edu</shibmd:Scope>
```

Each <shibmd:Scope> element is associated with the one (and only one) IdP authorized to assert that scope, namely the Ohio State University IdP and the Internet2 IdP, respectively.

...

Note well: The application developer must scope-check all identifiers asserted by untrusted third parties, that is, verify that the scope portion of each identifier (the part after the "@") is one the asserting IdP is authorized to assert according to its metadata. This is especially true if the identifier is used for access control. Failure to do so may lead to major security holes like the one reported in Office 365.

Of course this assumes the application relies on scoped identifiers to begin with. In particular, an application should never rely on an email address to identify a user. An email address is not scoped. For instance, the email address trscavo@gmail.com may be legitimately asserted by any IdP. Conclusion: an email address makes a lousy user identifier.
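The check described above, worked through in code. This is an added example, not code from the original article and not the Shibboleth SP's own implementation: it reads the <shibmd:Scope> elements out of a constructed metadata file (the entityIDs urn:example:idp:osu and urn:example:idp:internet2 and the regexp scope for Internet2 subdomains are assumptions; the literal scopes osu.edu and internet2.edu are the ones shown on this page) and then tests whether a scoped identifier such as an eduPersonPrincipalName may be accepted from the IdP that asserted it. Case-insensitive comparison of literal scopes and full-match semantics for regexp scopes are this example's choices.

```python
"""Added example: scope-checking identifiers against <shibmd:Scope> in SAML metadata.

Not code from the original article or from Shibboleth. Metadata, entityIDs and
identifiers below are constructed for illustration.
"""
import re
import xml.etree.ElementTree as ET

# Standard namespace URIs for SAML 2.0 metadata and the Shibboleth metadata extension.
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "shibmd": "urn:mace:shibboleth:metadata:1.0",
}

# Hypothetical entityIDs for the two IdPs discussed in the article.
OSU_IDP = "urn:example:idp:osu"
I2_IDP = "urn:example:idp:internet2"

# Constructed sample metadata: each IdP carries only the scope(s) it may assert.
# The regexp scope for Internet2 subdomains is an assumption added for illustration.
SAMPLE_METADATA = r"""<md:EntitiesDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:shibmd="urn:mace:shibboleth:metadata:1.0">
  <md:EntityDescriptor entityID="urn:example:idp:osu">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:Extensions>
        <shibmd:Scope regexp="false">osu.edu</shibmd:Scope>
      </md:Extensions>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="urn:example:idp:internet2">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:Extensions>
        <shibmd:Scope regexp="false">internet2.edu</shibmd:Scope>
        <shibmd:Scope regexp="true">^.+\.internet2\.edu$</shibmd:Scope>
      </md:Extensions>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""


def load_scopes(metadata_xml):
    """Map each IdP entityID to the list of (scope, is_regexp) pairs it may assert.

    Scopes are taken only from IdP role descriptors, so a scope listed under some
    other entity or role never authorizes this IdP.
    """
    root = ET.fromstring(metadata_xml)
    scopes = {}
    for entity in root.iter("{%s}EntityDescriptor" % NS["md"]):
        entity_id = entity.get("entityID")
        roles = (entity.findall("md:IDPSSODescriptor", NS)
                 + entity.findall("md:AttributeAuthorityDescriptor", NS))
        for role in roles:
            for scope in role.findall("md:Extensions/shibmd:Scope", NS):
                is_regexp = (scope.get("regexp", "false").lower() == "true")
                scopes.setdefault(entity_id, []).append((scope.text.strip(), is_regexp))
    return scopes


def scope_is_authorized(entity_id, scope, scopes):
    """True iff the IdP identified by entity_id is authorized to assert `scope`."""
    for allowed, is_regexp in scopes.get(entity_id, []):
        if is_regexp:
            # Example's choice: the whole scope must match the metadata regexp.
            if re.fullmatch(allowed, scope, re.IGNORECASE):
                return True
        elif allowed.lower() == scope.lower():  # example's choice: DNS-style, case-insensitive
            return True
    return False  # unknown IdP, or scope not in its metadata


def check_scoped_identifier(entity_id, identifier, scopes):
    """Accept `identifier` (e.g. an eduPersonPrincipalName) only if it is of the form
    local@scope with exactly one '@' and the asserting IdP may assert that scope."""
    if identifier.count("@") != 1:
        return False  # unscoped, or malformed (extra '@' could smuggle a second scope)
    local, _, scope = identifier.partition("@")
    if not local or not scope:
        return False
    return scope_is_authorized(entity_id, scope, scopes)


def filter_scoped_values(entity_id, values, scopes):
    """Keep only the values of a scoped attribute that pass the scope check,
    in the spirit of an attribute filter applied before the application sees them."""
    return [v for v in values if check_scoped_identifier(entity_id, v, scopes)]


if __name__ == "__main__":
    table = load_scopes(SAMPLE_METADATA)
    for idp, ident in [(OSU_IDP, "jsmith@osu.edu"), (I2_IDP, "jsmith@osu.edu"),
                       (I2_IDP, "jsmith@lab.internet2.edu"), (OSU_IDP, "jsmith@gmail.com")]:
        print(idp, ident, "ACCEPT" if check_scoped_identifier(idp, ident, table) else "REJECT")
```

The second case in the usage block is the one the article warns about: the Internet2 IdP asserting jsmith@osu.edu is rejected because osu.edu is not among its scopes, even though the assertion itself is validly signed. The gmail.com case shows why an email-like value is useless as an identifier here: no IdP in the metadata is authorized for that scope, and if one were, any other IdP could just as legitimately assert the same address.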

...

Other relying party software might do scope-checking; I don't know. If your software (SAML or otherwise) does this, please log into Confluence and add a comment to the end of this article.


...

https://twitter.com/trscavo