AttributeScopeMatchesShibMDScope

Liam Hoekenga liamr at umich.edu
Tue Sep 13 18:21:17 BST 2011


>> So... if it's permissible in the metadata, shouldn't it pass
>> saml:AttributeScopeMatchesShibMDScope?
>
> Yes, and does last I checked it. Since the UK uses lots of scopes, I'm
> pretty sure a bug would have been reported by now.

Ok, I see that in the UK metadata.

I am experimenting with setting up a local federation. It appears as
if the issue is related to my metadata (which I *have* validated
using xmlsectool). The scoping filter works when I access the same SP
using the same IdP via the InCommon metadata. I diffed my IdP's
entries in the two files and nothing jumped out.

I looked at the SOAP response, and the only differences are the
AssertionIDs and the InResponseTos. I'm reading the shibd.log, and in
the transaction the first difference is...

2011-09-13 00:00:00 DEBUG Shibboleth.AttributeFilter [1]: applying filtering rule(s) for attribute (eppn) from (https://shibboleth.umich.edu/idp/shibboleth)

vs

2011-09-13 00:00:00 DEBUG Shibboleth.AttributeFilter [2]: applying filtering rule(s) for attribute (eppn) from (https://shibboleth.umich.edu/idp/shibboleth)
2011-09-13 00:00:00 WARN Shibboleth.AttributeFilter [2]: removed value at position (0) of attribute (eppn) from (https://shibboleth.umich.edu/idp/shibboleth)

We're using the attribute-policy.xml as distributed w/ the SP source code.
The only difference in the transaction (as far as I can tell) is which
file the SP uses for the IdP's metadata.

I'm open to suggestions.

Liam
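To make the "removed value at position (0)" log line above concrete, here is an added, simplified model of what AttributeScopeMatchesShibMDScope evaluates: the scope part of each eppn value is checked against the shibmd:Scope elements declared in the IdP's metadata, and values whose scope is not permitted are dropped. This is illustrative code written for this post, not the Shibboleth SP's own implementation; the metadata document, entityID and attribute values are constructed, and literal scopes are compared exactly, regexp scopes with a full-string match.

```python
import re
import xml.etree.ElementTree as ET

# Namespaces for SAML metadata and the Shibboleth metadata extension.
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "shibmd": "urn:mace:shibboleth:metadata:1.0",
}

# Constructed sample IdP metadata (not a real entity): one literal scope and
# one regexp scope under the IDPSSODescriptor Extensions element.
SAMPLE_METADATA = r"""<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
    entityID="https://idp.example.org/idp/shibboleth">
  <md:IDPSSODescriptor
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:Extensions>
      <shibmd:Scope regexp="false">example.org</shibmd:Scope>
      <shibmd:Scope regexp="true">^.+\.example\.org$</shibmd:Scope>
    </md:Extensions>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def load_scopes(metadata_xml):
    """Return (pattern, is_regexp) pairs declared for the IdP role."""
    root = ET.fromstring(metadata_xml)
    path = "md:IDPSSODescriptor/md:Extensions/shibmd:Scope"
    return [((el.text or "").strip(), el.get("regexp", "false").lower() == "true")
            for el in root.findall(path, NS)]


def scope_permitted(scope, scopes):
    """True if the IdP's metadata declares this scope (literal or regexp)."""
    for pattern, is_regexp in scopes:
        if is_regexp and re.fullmatch(pattern, scope):
            return True
        if not is_regexp and scope == pattern:
            return True
    return False


def filter_scoped_values(values, scopes):
    """Keep only 'user@scope' values whose scope the metadata permits.
    Unscoped values and unknown scopes are removed, as the SP's rule does."""
    kept = []
    for value in values:
        if "@" not in value:
            continue
        _, scope = value.rsplit("@", 1)
        if scope_permitted(scope, scopes):
            kept.append(value)
    return kept
```

With an empty scope list (metadata that declares no shibmd:Scope at all) every value is removed, which is the symptom worth checking for first when a locally built metadata file behaves differently from the federation's copy.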

