AttributeScopeMatchesShibMDScope
Liam Hoekenga
liamr at umich.edu
Mon Sep 12 22:32:22 BST 2011
Doesn't work with a regex scope either.
Liam
Quoting Liam Hoekenga <liamr at umich.edu>:
> InCommon has allowed our IdP to assert three different scopes..
>
> <shibmd:Scope regexp="false">umich.edu</shibmd:Scope>
> <shibmd:Scope regexp="false">umd.umich.edu</shibmd:Scope>
> <shibmd:Scope regexp="false">flint.umich.edu</shibmd:Scope>
>
> Our scopes then fail "saml:AttributeScopeMatchesShibMDScope". The
> default attribute-policy.xml that comes with the SP had a shared
> rule called "ScopingRules", and it's removing any scoped attributes
> from the user's session.
>
> I haven't tried it against <shibmd:Scope regexp="true">.. the three
> separate scopes is how InCommon issued it to us.
>
> There was a thread back in June of 2009 that kind of addressed this.
> Towards the end of the exchange, Scott said..
>
> Filtering is a very rarely used feature. My advice here, frankly,
> is just work around the issue for now by turning off the policy
> and then ask InCommon to get this resolved with the IdP. It just
> isn't practical for every SP to go around creating custom scope rules.
>
> So... if it's permissible in the metadata, shouldn't it pass
> saml:AttributeScopeMatchesShibMDScope?
>
> Liam
>
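As an added illustration (not code from this thread or from the Shibboleth SP), the following Python models the check a rule like saml:AttributeScopeMatchesShibMDScope is meant to perform: read the shibmd:Scope elements quoted above and keep only scoped attribute values whose scope is permitted by the IdP's metadata. The metadata fragment is constructed from the three Scope elements in the message; case-insensitive literal comparison and fully anchored regexp matching are assumptions, not a description of how the SP actually implements the rule.

```python
import re
import xml.etree.ElementTree as ET

SHIBMD_NS = "urn:mace:shibboleth:metadata:1.0"

# Constructed sample: the three Scope elements quoted in the thread, wrapped in
# a minimal Extensions element so the fragment parses stand-alone.
METADATA_EXTENSIONS = f"""
<Extensions xmlns:shibmd="{SHIBMD_NS}">
  <shibmd:Scope regexp="false">umich.edu</shibmd:Scope>
  <shibmd:Scope regexp="false">umd.umich.edu</shibmd:Scope>
  <shibmd:Scope regexp="false">flint.umich.edu</shibmd:Scope>
</Extensions>
"""


def load_scopes(xml_text):
    """Return a list of (pattern, is_regexp) tuples from shibmd:Scope elements."""
    root = ET.fromstring(xml_text)
    scopes = []
    for el in root.iter(f"{{{SHIBMD_NS}}}Scope"):
        is_regexp = el.get("regexp", "false").lower() == "true"
        scopes.append(((el.text or "").strip(), is_regexp))
    return scopes


def scope_matches(scope, scopes):
    """True if the attribute's scope matches any permitted scope.
    Literal scopes compare as whole strings (case-insensitive, an assumption);
    regexp scopes must match the entire value, so a pattern for umich.edu is
    not satisfied by umich.edu.example.org."""
    for pattern, is_regexp in scopes:
        if is_regexp:
            if re.fullmatch(pattern, scope, re.IGNORECASE):
                return True
        elif scope.lower() == pattern.lower():
            return True
    return False


def filter_scoped_values(values, scopes):
    """Keep only 'value@scope' entries whose scope the metadata permits;
    values with no '@' carry no scope and are dropped, as a filter would."""
    kept = []
    for v in values:
        if "@" not in v:
            continue
        _, _, scope = v.rpartition("@")
        if scope_matches(scope, scopes):
            kept.append(v)
    return kept
```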