Along with cross-domain SSO, attribute sharing is a primary benefit of federated access to resources. To facilitate the sharing of attributes, Federation participants conform to the MACE-Dir SAML Attribute Profiles, which specify the syntax of SAML attributes "on the wire." The scoped attributes
eduPersonScopedAffiliationeduPersonPrincipalNameeduPersonUniqueId
have a special syntax and are string-valued attributes of the form
value@scope
For example, the value of eduPersonPrincipalName for Internet2 users is:
username@internet2.edu
As shown in the previous example, a scope is typically a DNS domain. In the case of eduPersonUniqueId, the scope actually is a DNS domain.
Note that not every attribute whose values contain an '@' character are actually "scoped" in this sense. For example, email addresses are similar in form, and always contain a domain qualifier, but are not typically processed by SAML software as discrete "value" and "domain" components.
Another example, eduCourseMember, has values that consist of a role and a course, separated by an '@' delimiter. But the course identifier is an URI, not a domain, and is not a "scope" for the purposes of the policy concepts discussed below.
Acceptance of Scoped Attributes
To prevent an IdP from asserting arbitrary scoped attributes, the permissible scopes are called out in IdP metadata:
<md:Extensions xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
<shibmd:Scope regexp="false"
xmlns:shibmd="urn:mace:shibboleth:metadata:1.0">internet2.edu</shibmd:Scope>
</md:Extensions>
The Federation operator is authoritative for the <shibmd:Scope> element in metadata.
After receiving a scoped attribute, some SP software can be configured to compare the asserted scope to the scope value(s) in metadata. The scoped attribute is accepted by such an SP if and only if the asserted scope matches a scope value in metadata.