...
The SAML2 Persistent NameID is explicitly scoped but in a completely different manner. Here is an example:
Code Block | ||||
---|---|---|---|---|
| ||||
<saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" NameQualifier="https://idp.example.org/shibboleth" SPNameQualifier="https://sp.example.org/shibboleth" >1234567890</saml2:NameID> |
The SAML2 Persistent NameID is asserted by the IdP as a child element of the <saml2:Subject>
element or the eduPersonTargetedID
attribute. In either case, the NameQualifier
XML attribute must be scope-checked, that is, it must match the actual issuer of the assertion. Otherwise the identifier should be discarded by default.
All of the examples thus far have been SAML attributes and identifiers but scope-checking is not a SAML issue per se. For instance, the OpenID Connect "sub" claim is a locally unique, non-reassigned identifier for the user (sub = subject). Here is an example of an ID token asserted by an OpenID provider:
Code Block | ||||
---|---|---|---|---|
| ||||
{
"iss": "https://server.example.com",
"sub": "24400320",
"aud": "s6BhdRkqt3",
"exp": 1311281970,
"iat": 1311280970
} |
By definition, the "sub" claim is implicitly scoped to the issuer. In practice, a relying party would store the pair (iss, sub) and thereafter scope-check an ID token by matching both the "iss" value and the "sub" value. This prevents an arbitrary OpenID provider from asserting an unauthorized "sub" value, intentionally or otherwise.
Other Identifiers
At this point we’ve looked at the following identifiers:
eduPersonPrincipalName
eduPersonUniqueId
SAML2 Persistent NameID
eduPersonTargetedID
OpenID Connect "sub" claim
These aren’t the only identifiers that need to be scope-checked, however. See the NameIdentifiers topic in the Shibboleth wiki for a more complete list.
All of the above identifiers have well-defined scope semantics. The IDPEmail
attribute, OTOH, is ill-suited for cross-domain access control. While its name and value suggest an email address, the underlying identifier (userPrincipalName
) has no documented scope semantics AFAICT.