Versions Compared

Old Version 6

changes.mady.by.user trscavo@internet2.edu

Saved on

compared with

New Version 7

changes.mady.by.user trscavo@internet2.edu

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

The SAML2 Persistent NameID is explicitly scoped but in a completely different manner. Here is an example:

 

 

Code Block
languagexml
titleSAML2 Persistent NameID
<saml2:NameID
       Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
       NameQualifier="https://idp.example.org/shibboleth"
       SPNameQualifier="https://sp.example.org/shibboleth"
       >1234567890</saml2:NameID>

 

 

The SAML2 Persistent NameID is asserted by the IdP as a child element of the <saml2:Subject> element or the eduPersonTargetedID attribute. In either case, the NameQualifier XML attribute must be scope-checked, that is, it must match the actual issuer of the assertion. Otherwise the identifier should be discarded by default.

 

All of the examples thus far have been SAML attributes and identifiers but scope-checking is not a SAML issue per se. For instance, the OpenID Connect "sub" claim is a locally unique, non-reassigned identifier for the user (sub = subject). Here is an example of an ID token asserted by an OpenID provider:

 

 

Code Block
languagejs
titleAn OpenID token
{
  "iss": "https://server.example.com",
  "sub": "24400320",
  "aud": "s6BhdRkqt3",
  "exp": 1311281970,
  "iat": 1311280970
 }

By definition, the "sub" claim is implicitly scoped to the issuer. In practice, a relying party would store the pair (iss, sub) and thereafter scope-check an ID token by matching both the "iss" value and the "sub" value. This prevents an arbitrary OpenID provider from asserting an unauthorized "sub" value, intentionally or otherwise.

Other Identifiers

 

At this point we’ve looked at the following identifiers:

  • eduPersonPrincipalName

  • eduPersonUniqueId

  • SAML2 Persistent NameID

  • eduPersonTargetedID

  • OpenID Connect "sub" claim

These aren’t the only identifiers that need to be scope-checked, however. See the NameIdentifiers topic in the Shibboleth wiki for a more complete list.

All of the above identifiers have well-defined scope semantics. The IDPEmail attribute, OTOH, is ill-suited for cross-domain access control. While its name and value suggest an email address, the underlying identifier (userPrincipalName) has no documented scope semantics AFAICT.