Liam Hoekenga liamr at
Mon Sep 12 22:15:44 BST 2011

InCommon has allowed our IdP to assert three different scopes..

         <shibmd:Scope regexp="false"></shibmd:Scope>
         <shibmd:Scope regexp="false"></shibmd:Scope>
         <shibmd:Scope regexp="false"></shibmd:Scope>

Our scopes then fail "saml:AttributeScopeMatchesShibMDScope".  The  
default attribute-policy.xml that comes with the SP had a shared rule  
called "ScopingRules", and it's removing any scoped attributes from  
the user's session.

I haven't tried it against <shibmd:Scope regexp="true">.. the three  
separate scopes is how InCommon issued it to us.

There was a thread back in June of 2009 that kind of addressed this.   
Towards the end of the exchange, Scott said..

     Filtering is a very rarely used feature. My advice here, frankly,
     is just work around the issue for now by turning off the policy
     and then ask InCommon to get this resolved with the IdP. It just
     isn't practical for every SP to go around creating custom scope rules.

So... if it's permissible in the metadata, shouldn't it pass  


More information about the users mailing list