Along with cross-domain SSO, attribute sharing is a primary benefit of federated access to resources. To facilitate the sharing of attributes, Federation participants conform to the MACE-Dir SAML Attribute Profiles, which specify the syntax of SAML attributes "on the wire." The following four scoped attributes have a special syntax:

    eduPersonScopedAffiliation
    eduPersonPrincipalName
    eduCourseMember
    eduPersonTargetedID

The first three scoped attributes are string-valued attributes of the form

    value@scope
For example, the value of eduPersonPrincipalName for Internet2 users is:

    username@internet2.edu
As shown in the previous example, a scope is typically a DNS domain.
Recommended Practice
To ensure that scoped attributes are globally unique, a scope in metadata should be a DNS domain controlled by the IdP.
Scope Acceptance
To prevent an IdP from asserting arbitrary scoped attributes, the permissible scopes are called out in IdP metadata:
    <md:Extensions xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
      <shibmd:Scope regexp="false" xmlns:shibmd="urn:mace:shibboleth:metadata:1.0">internet2.edu</shibmd:Scope>
    </md:Extensions>
The Federation operator is authoritative for the <shibmd:Scope> element in metadata.
After receiving a scoped attribute, the SP compares the asserted scope to the scope value(s) in metadata. The scoped attribute is accepted by the SP if and only if the asserted scope matches a scope value in metadata.
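The acceptance check described above, written out as an added example (not code from the page or from any Shibboleth implementation): it reads the shibmd:Scope elements from a constructed IdP metadata fragment and accepts a value@scope attribute only when the asserted scope matches one of them. It assumes that a literal scope compares case-insensitively (as DNS names do) and that a scope marked regexp="true" must match the whole asserted scope, not just a substring.

```python
import re
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "shibmd": "urn:mace:shibboleth:metadata:1.0",
}

# Constructed IdP metadata fragment: one literal scope and one regexp scope.
IDP_METADATA = r"""<md:Extensions xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:shibmd="urn:mace:shibboleth:metadata:1.0">
  <shibmd:Scope regexp="false">internet2.edu</shibmd:Scope>
  <shibmd:Scope regexp="true">^[a-z]+\.example\.edu$</shibmd:Scope>
</md:Extensions>"""


def load_scopes(xml_text):
    """Return [(scope, is_regexp)] for every shibmd:Scope in the metadata."""
    root = ET.fromstring(xml_text)
    scopes = []
    for el in root.findall("shibmd:Scope", NS):
        is_regexp = el.get("regexp", "false").lower() == "true"
        scopes.append((el.text.strip(), is_regexp))
    return scopes


def scope_permitted(scope, scopes):
    """True if the asserted scope matches a scope value from metadata."""
    for allowed, is_regexp in scopes:
        if is_regexp:
            # Assumption: a regexp scope must match the entire asserted scope.
            if re.fullmatch(allowed, scope):
                return True
        elif scope.lower() == allowed.lower():  # assumption: DNS names are case-insensitive
            return True
    return False


def accept_scoped_attribute(attr_value, scopes):
    """Accept 'value@scope' only if the scope is permitted; reject malformed values."""
    if attr_value.count("@") != 1:
        return False  # no '@' or more than one '@' is not a valid scoped value
    value, scope = attr_value.split("@")
    if not value or not scope:
        return False
    return scope_permitted(scope, scopes)
```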