Along with cross-domain SSO, attribute sharing is a primary benefit of federated access to resources. To facilitate the sharing of attributes, Federation participants conform to the MACE-Dir SAML Attribute Profiles, which specify the syntax of SAML attributes "on the wire." The scoped attributes eduPersonScopedAffiliation and eduPersonPrincipalName have a special syntax: they are string-valued attributes of the form value@scope. For example, the value of eduPersonPrincipalName for Internet2 users is username@internet2.edu. As this example shows, a scope is typically a DNS domain.
Recommended Practice
To ensure that scoped attributes are globally unique, a scope in metadata should be a DNS domain controlled by the IdP.
Scope Acceptance
To prevent an IdP from asserting arbitrary scoped attributes, the permissible scopes are called out in IdP metadata:
<md:Extensions xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
  <shibmd:Scope regexp="false" xmlns:shibmd="urn:mace:shibboleth:metadata:1.0">internet2.edu</shibmd:Scope>
</md:Extensions>
The Federation operator is authoritative for the <shibmd:Scope> element in metadata.
After receiving a scoped attribute, some SP software can be configured to compare the asserted scope to the scope value(s) in metadata. The scoped attribute is accepted by such an SP if and only if the asserted scope matches a scope value in metadata.
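The scope check described above, as an added example that is not part of this page or of any SP product: it reads the <shibmd:Scope> elements from the IdP's <md:Extensions> (the page's fragment plus a constructed regexp="true" entry for illustration) and accepts a value@scope attribute only when the asserted scope matches one of them. Case-insensitive comparison and anchoring regexp scopes as a full match are assumptions of this example, not a statement of how a particular SP implements it.

```python
import re
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
SHIBMD_NS = "urn:mace:shibboleth:metadata:1.0"

# Constructed sample: the page's <md:Extensions> fragment plus a second,
# regexp-based Scope entry (assumed here for illustration only).
SAMPLE_METADATA = f"""<md:Extensions xmlns:md="{MD_NS}">
  <shibmd:Scope regexp="false" xmlns:shibmd="{SHIBMD_NS}">internet2.edu</shibmd:Scope>
  <shibmd:Scope regexp="true" xmlns:shibmd="{SHIBMD_NS}">^.+\\.example\\.edu$</shibmd:Scope>
</md:Extensions>"""


def load_scopes(xml_text):
    """Return (scope_value, is_regexp) pairs from the shibmd:Scope elements."""
    root = ET.fromstring(xml_text.strip())
    scopes = []
    for el in root.iter(f"{{{SHIBMD_NS}}}Scope"):
        is_regexp = el.get("regexp", "false").lower() == "true"
        scopes.append(((el.text or "").strip(), is_regexp))
    return scopes


def split_scoped(value):
    """Split 'value@scope' on the last '@'; return (None, None) if malformed."""
    if "@" not in value:
        return None, None
    local, scope = value.rsplit("@", 1)
    if not local or not scope:
        return None, None
    return local, scope


def scope_accepted(value, scopes):
    """Accept the attribute iff its asserted scope matches a metadata scope.

    Assumptions: literal scopes compare case-insensitively; regexp scopes
    must match the whole asserted scope, not just a substring of it.
    """
    _, scope = split_scoped(value)
    if scope is None:
        return False
    for pattern, is_regexp in scopes:
        if is_regexp:
            if re.fullmatch(pattern, scope, re.IGNORECASE):
                return True
        elif scope.lower() == pattern.lower():
            return True
    return False
```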