AttributeScopeMatchesShibMDScope
Liam Hoekenga
liamr at umich.edu
Mon Sep 12 22:15:44 BST 2011
InCommon has allowed our IdP to assert three different scopes..
<shibmd:Scope regexp="false">umich.edu</shibmd:Scope>
<shibmd:Scope regexp="false">umd.umich.edu</shibmd:Scope>
<shibmd:Scope regexp="false">flint.umich.edu</shibmd:Scope>
Our scopes then fail "saml:AttributeScopeMatchesShibMDScope". The
default attribute-policy.xml that comes with the SP had a shared rule
called "ScopingRules", and it's removing any scoped attributes from
the user's session.
I haven't tried it against <shibmd:Scope regexp="true">.. the three
separate scopes are how InCommon issued it to us.
There was a thread back in June of 2009 that kind of addressed this.
Towards the end of the exchange, Scott said..
Filtering is a very rarely used feature. My advice here, frankly,
is just work around the issue for now by turning off the policy
and then ask InCommon to get this resolved with the IdP. It just
isn't practical for every SP to go around creating custom scope rules.
So... if it's permissible in the metadata, shouldn't it pass
saml:AttributeScopeMatchesShibMDScope?
Liam
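To show how the rule the post asks about is meant to behave against metadata that carries several <shibmd:Scope> elements, here is an added example (not the Shibboleth SP's own code): a small Python filter that loads the scopes from a constructed metadata fragment and keeps only scoped attribute values whose scope is permitted. It treats literal scopes as a case-insensitive comparison (an assumption about the SP's behaviour) and, going beyond the post, also handles regexp="true" scopes as a full-string regular-expression match.

```python
import re
import xml.etree.ElementTree as ET

SHIBMD_NS = "urn:mace:shibboleth:metadata:1.0"

# Constructed metadata fragment modelled on the three <shibmd:Scope>
# elements quoted in the post; the entityID is a placeholder.
METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
                  xmlns:shibmd="{SHIBMD_NS}" entityID="https://idp.example.edu/idp">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <Extensions>
      <shibmd:Scope regexp="false">umich.edu</shibmd:Scope>
      <shibmd:Scope regexp="false">umd.umich.edu</shibmd:Scope>
      <shibmd:Scope regexp="false">flint.umich.edu</shibmd:Scope>
    </Extensions>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def load_scopes(metadata_xml):
    """Return [(scope_text, is_regexp)] for every shibmd:Scope in the entity."""
    root = ET.fromstring(metadata_xml)
    scopes = []
    for el in root.iter(f"{{{SHIBMD_NS}}}Scope"):
        is_regexp = el.get("regexp", "false").lower() == "true"
        scopes.append(((el.text or "").strip(), is_regexp))
    return scopes


def scope_matches(scope, allowed):
    """Literal scopes: case-insensitive equality (assumed). Regexp scopes: whole-value match."""
    for pattern, is_regexp in allowed:
        if is_regexp:
            if re.fullmatch(pattern, scope):
                return True
        elif scope.lower() == pattern.lower():
            return True
    return False


def filter_scoped_values(values, allowed):
    """Keep only 'name@scope' values whose scope the metadata permits; drop everything else."""
    kept = []
    for value in values:
        name, sep, scope = value.rpartition("@")
        # Unscoped values and values with an empty name or scope are rejected, not passed through.
        if sep and name and scope and scope_matches(scope, allowed):
            kept.append(value)
    return kept
```

With the three literal scopes loaded, liam@umich.edu, x@flint.umich.edu and y@UMD.umich.edu survive the filter while z@evil.edu and any unscoped value are dropped.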