The Incommon Federation wiki has moved.

Please visit the new InCommon Federation Library wiki for updated content. Remember to update your bookmarks.

Click in the link above if you are not automatically redirected in 15 seconds.



You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 3 Next »

Along with cross-domain SSO, attribute sharing is a primary benefit of federated access to resources. To facilitate the sharing of attributes, Federation participants conform to the MACE-Dir SAML Attribute Profiles, which specify the syntax of SAML attributes "on the wire." The three scoped attributes

  1. eduPersonScopedAffiliation
  2. eduPersonPrincipalName
  3. eduCourseMember

have a special syntax and are string-valued attributes of the form

value@scope

For example, the value of eduPersonPrincipalName for Internet2 users is:

username@internet2.edu

As shown in the previous example, a scope is typically a DNS domain.

Recommended Practice

To ensure that scoped attributes are globally unique, a scope in metadata should be a DNS domain controlled by the IdP.

Scope Acceptance

To prevent an IdP from asserting arbitrary scoped attributes, the permissible scopes are called out in IdP metadata:

 
<md:Extensions xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
  <shibmd:Scope regexp="false"
      xmlns:shibmd="urn:mace:shibboleth:metadata:1.0">internet2.edu</shibmd:Scope>
</md:Extensions>

The Federation operator is authoritative for the <shibmd:Scope> element in metadata.

After receiving a scoped attribute, some SP software can be configured to compare the asserted scope to the scope value(s) in metadata. The scoped attribute is accepted by such an SP if and only if the asserted scope matches a scope value in metadata.

#trackbackRdf ($trackbackUtils.getContentIdentifier($page) $page.title $trackbackUtils.getPingUrl($page))
  • No labels