Uncertainty about scopes in metadata and its relation to scoped attributes.

Cantor, Scott cantor.2 at osu.edu
Wed Jul 3 14:34:24 EDT 2019

Scope filtering prevents cross-IdP impersonation of users and using metadata to drive it offloads all of the work required to manage it, making it a huge value proposition of the third party federation model. An SP is free to modify or supplement its filtering rules any time it wants but were I them I'd tell you to fix your metadata, which is what they did. Otherwise you're asking every SP to account for it over and over again.

Having said that, those are probably bad EPPNs. Having a domain in there that's clearly about email and nothing at all relevant to what EPPN is for is a good sign it's a bad decision. The purpose of multiple scopes in metadata was for dealing with cases like multi-campus systems, and for proxies.
-- Scott

