Native SP AttributeFilter for eppn and default "ScopingRules"

Cantor, Scott cantor.2 at
Mon Feb 18 13:57:32 EST 2013

On 2/18/13 1:11 PM, "Don Faulkner" <donf at> wrote:
>How do I correctly filter eppn, and similar attributes?

In general, you do nothing and it works and when it doesn't you have a
good indicator somebody's doing something fishy. Most of the time.

>I think I don't understand the ScopingRules. It seems to me to say that
>the filter
>matches if the value does not match "@" and has attribute scope
>matching the metadata scope.

That's a regex. A regex of '@' matches any string with that character in
it. It's checking the value itself to prevent any values from getting in
that would have an extra delimiter.

>I thought scope was represented as
>"value@scope" so
>any scoped attribute would fail the above test.

The value in that expression has no @ sign in it, so no, it doesn't fail.

>Which MDScope must the AttributeScope match? The MDScope
>of the IdP making the assertion or the MDScope
>of the SP receiving the assertion?

The IdP. The whole point is to prevent spoofing of identifiers by other

>Totally not sure where to look for the following in the wiki.
>The docs on this look a little sparse. Can I help?

They are, they mostly match the docs on filtering for the IdP, it's the
same language. Just in reverse, it's filtering what the SP accepts rather
than what the IdP releases.

-- Scott
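As an added illustration (not Shibboleth's own code) of the two conditions Scott describes: the value part must not itself contain the delimiter, and the scope must be one the asserting IdP's metadata declares (shibmd:Scope, plain or regexp="true"), never the SP's. Splitting eppn on the last "@" is an assumption made for this example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed model of the SP-side "ScopingRules" permit rule from the thread.
# Hypothetical illustration; it is not Shibboleth's own implementation.

@dataclass
class ScopedValue:
    value: str             # the part before the delimiter, e.g. "jdoe"
    scope: Optional[str]   # the scope, e.g. "example.edu"; None if unscoped

@dataclass
class MetadataScope:
    pattern: str           # <shibmd:Scope> text from the ASSERTING IdP's metadata
    regexp: bool = False   # shibmd:Scope regexp="true"

    def matches(self, scope: str) -> bool:
        if self.regexp:
            return re.fullmatch(self.pattern, scope) is not None
        return self.pattern.lower() == scope.lower()

def decode_eppn(raw: str) -> ScopedValue:
    """Simplified scoped-attribute decoder: split on the last '@' (assumption)."""
    value, sep, scope = raw.rpartition("@")
    return ScopedValue(value, scope) if sep else ScopedValue(raw, None)

def value_regex(sv: ScopedValue, regex: str = "@") -> bool:
    """ValueRegex rule: true when the regex matches anywhere in the value part."""
    return re.search(regex, sv.value) is not None

def scope_matches_idp_md(sv: ScopedValue, idp_scopes: List[MetadataScope]) -> bool:
    """AttributeScopeMatchesShibMDScope: the scope must be one the IdP's
    metadata declares (the IdP's scopes, not the SP's)."""
    return sv.scope is not None and any(m.matches(sv.scope) for m in idp_scopes)

def scoping_rules_permit(sv: ScopedValue, idp_scopes: List[MetadataScope]) -> bool:
    """AND( NOT(ValueRegex '@'), AttributeScopeMatchesShibMDScope )."""
    return not value_regex(sv) and scope_matches_idp_md(sv, idp_scopes)

if __name__ == "__main__":
    # Constructed IdP metadata: one literal scope and one regexp scope.
    idp = [MetadataScope("example.edu"), MetadataScope(r".+\.example\.edu", regexp=True)]
    for raw in ("jdoe@example.edu", "jdoe@cs.example.edu", "jdoe@other.edu",
                "jdoe@other.edu@example.edu", "jdoe"):
        print(raw, "->", scoping_rules_permit(decode_eppn(raw), idp))
```

The fourth sample shows the "extra delimiter" case: the scope matches the IdP, but the value part still carries an "@", so the NOT(ValueRegex) leg rejects it.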
