Native SP AttributeFilter for eppn and default "ScopingRules"

Don Faulkner donf at
Mon Feb 18 13:11:22 EST 2013

My SP install came with the following:

    <afp:PermitValueRule id="ScopingRules" xsi:type="AND">
        <Rule xsi:type="NOT">
            <Rule xsi:type="AttributeValueRegex" regex="@"/>
        </Rule>
        <Rule xsi:type="saml:AttributeScopeMatchesShibMDScope"/>
    </afp:PermitValueRule>

        <afp:AttributeRule attributeID="eppn">
            <afp:PermitValueRuleReference ref="ScopingRules"/>
        </afp:AttributeRule>

I'm trying to accept eppn and other values from our IdP and another
IdP, but for some reason this AttributeRule is preventing the SP from
accepting eppn from the other IdP. If I change that RuleReference to
<afp:PermitValueRule xsi:type="ANY"/>, then the eppn comes through (as
one would expect).

How do I correctly filter eppn, and similar attributes?

I think I don't understand the ScopingRules. It seems to me to say that
the filter matches if the value does not match "@" and has attribute
scope matching the metadata scope.

I thought scope was represented as "value at scope", so any scoped attribute
would fail the above test.
Which MDScope must the AttributeScope match? The MDScope of the IdP
making the assertion or the MDScope of the SP receiving the assertion?

Totally not sure where to look for the following in the wiki. The docs on
this look a little sparse. Can I help?

Don Faulkner, CISSP | IT Security at the University of Arkansas
contact: donf at | +1 (479) 575-2905
connect: uarkITS on Facebook | @uaits | @dfaulkner
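A small model of how the two rules inside ScopingRules combine, added here as an illustration (it is not code from the post or from Shibboleth). It assumes the SP has already split a scoped eppn into separate value and scope parts, that the scope is compared against the shibmd:Scope entries in the metadata of the IdP that issued the assertion, and a case-insensitive literal match; the sample IdPs and values are constructed.

```python
import re
from dataclasses import dataclass
from typing import Optional

@dataclass
class ScopedValue:
    value: str                   # local part after the SP's scoped decoder, e.g. "donf"
    scope: Optional[str] = None  # scope part, e.g. "uark.edu"; None if the attribute was not scoped

@dataclass
class MDScope:
    pattern: str          # content of a shibmd:Scope element in the asserting IdP's metadata
    regexp: bool = False  # shibmd:Scope regexp="true" (assumed: whole-scope regex match)

def attribute_value_regex(v: ScopedValue, regex: str) -> bool:
    """AttributeValueRegex: permit when the value part matches the regex."""
    return re.search(regex, v.value) is not None

def scope_matches_shibmd_scope(v: ScopedValue, idp_scopes: list) -> bool:
    """AttributeScopeMatchesShibMDScope: permit when the value's scope matches one of the
    shibmd:Scope entries of the IdP that issued the assertion. Unscoped values never match."""
    if v.scope is None:
        return False
    for s in idp_scopes:
        if s.regexp and re.fullmatch(s.pattern, v.scope):
            return True
        if not s.regexp and s.pattern.lower() == v.scope.lower():  # assumed case-insensitive
            return True
    return False

def scoping_rules(v: ScopedValue, idp_scopes: list) -> bool:
    """The ScopingRules PermitValueRule: AND(NOT(AttributeValueRegex "@"), ScopeMatchesShibMDScope)."""
    return (not attribute_value_regex(v, "@")) and scope_matches_shibmd_scope(v, idp_scopes)

def filter_eppn(values, idp_scopes):
    """Apply the eppn AttributeRule: keep only the values ScopingRules permits."""
    return [v for v in values if scoping_rules(v, idp_scopes)]

# Constructed sample data (not from the post): two IdPs and a few decoded eppn values.
HOME_IDP_SCOPES = [MDScope("uark.edu")]
OTHER_IDP_SCOPES = [MDScope("example.edu")]
OTHER_IDP_NO_SCOPE_ELEMENT = []  # metadata that declares no shibmd:Scope at all

if __name__ == "__main__":
    home_values = [ScopedValue("donf", "uark.edu"),     # properly scoped -> permitted
                   ScopedValue("donf@uark.edu", None)]  # "@" left in the value, no scope -> rejected
    print(filter_eppn(home_values, HOME_IDP_SCOPES))
    guest = [ScopedValue("guest", "example.edu")]
    print(filter_eppn(guest, OTHER_IDP_SCOPES))            # permitted: that IdP's metadata declares the scope
    print(filter_eppn(guest, OTHER_IDP_NO_SCOPE_ELEMENT))  # rejected: nothing in metadata to match against
```

The last case is the one to check when a second IdP's eppn is silently dropped: with no shibmd:Scope in that IdP's metadata, the scope test can never succeed and the AND fails regardless of the value.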