...

All of the above identifiers have well-defined scope semantics. The IDPEmail attribute, on the other hand, is ill-suited for cross-domain access control. While its name and value suggest an email address, the underlying identifier (userPrincipalName) has no documented scope semantics as far as I can tell.

Tip: Lesson Learned #3

If your federating software doesn’t scope-check user identifiers, then that responsibility must be taken up by the application software (i.e., the application developer).

...

You should take away at least this: The application developer should scope-check all identifiers asserted by untrusted third parties. This is especially true if the identifier is used for access control. Failure to do so may lead to gaping security holes like the one reported in Office 365.
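The following is an added example of the scope check described above and in Lesson Learned #3; it is not code from the original article. It assumes a constructed mapping from IdP entityID to the scopes that IdP is authorized to assert (in a real deployment this would come from federation metadata), and treats only eduPersonPrincipalName and eduPersonScopedAffiliation as scope-checkable, while unscoped attributes such as IDPEmail are passed through but never suitable for cross-domain access control.

```python
# Added example (not code from the original article): a scope check an SP
# application can apply to attributes asserted by a SAML IdP before using them
# for access control. IDP_SCOPES is a constructed stand-in for federation
# metadata (e.g., the scopes registered for each IdP).
IDP_SCOPES = {
    "https://idp.example.edu/idp/shibboleth": {"example.edu", "alumni.example.edu"},
    "https://idp.partner.org/saml": {"partner.org"},
}

# Attributes whose values carry a scope after the '@' and are therefore
# scope-checkable. IDPEmail is deliberately absent: it has no documented
# scope semantics, so it cannot be checked this way.
SCOPED_ATTRIBUTES = {"eduPersonPrincipalName", "eduPersonScopedAffiliation"}


def split_scoped(value):
    """Return (user, scope) for 'user@scope', or None if the value is malformed.

    Exactly one '@' is required; values like 'a@b@c' or 'alice' are rejected
    rather than guessed at, because lenient parsing is how scope checks get
    bypassed. The scope is lowercased so comparison is case-insensitive.
    """
    if value.count("@") != 1:
        return None
    user, scope = value.split("@")
    if not user or not scope:
        return None
    return user, scope.lower()


def scope_check(idp_entity_id, attributes):
    """Check every scoped attribute value against the asserting IdP's scopes.

    attributes: {attribute_name: [value, ...]} as released by the IdP.
    Returns (accepted, rejected). accepted maps attribute names to values that
    all passed; rejected is a list of (name, value, reason) tuples. One bad
    value discards the whole attribute, so the application never sees a
    partially checked list. An unknown IdP is allowed no scopes at all.
    """
    allowed_scopes = IDP_SCOPES.get(idp_entity_id, set())
    accepted, rejected = {}, []
    for name, values in attributes.items():
        if name not in SCOPED_ATTRIBUTES:
            # Unscoped attributes (IDPEmail, displayName, ...) carry no scope
            # semantics: pass them through, but they must not drive
            # cross-domain access control decisions.
            accepted[name] = list(values)
            continue
        bad = []
        for v in values:
            parts = split_scoped(v)
            if parts is None:
                bad.append((name, v, "malformed scoped value"))
            elif parts[1] not in allowed_scopes:
                bad.append((name, v, f"scope {parts[1]!r} not asserted by {idp_entity_id}"))
        if bad:
            rejected.extend(bad)
        else:
            accepted[name] = list(values)
    return accepted, rejected


if __name__ == "__main__":
    # Constructed sample: a partner IdP asserting an identifier in the
    # university's scope, which the check must refuse while still accepting
    # the affiliation that lies within the partner's own scope.
    sample = {
        "eduPersonPrincipalName": ["someone@example.edu"],
        "eduPersonScopedAffiliation": ["member@partner.org"],
        "displayName": ["Someone"],
    }
    ok, bad = scope_check("https://idp.partner.org/saml", sample)
    print("accepted:", ok)
    print("rejected:", bad)
```

The check is per-IdP, not global: a scope is acceptable only from the IdP registered for it, which is exactly the property a cross-domain identifier needs before it can be trusted for access control.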

...

Other SP software might do scope-checking; I really don’t know. If your software (SAML or otherwise) does this, please add a comment to the end of this article.

...