[EXT] Scopes in IdP metadata

Yeargan, Yancey Yancey.Yeargan at untsystem.edu
Thu Mar 5 10:48:37 EST 2020

Those are the same "scopes" (which typically match DNS domains) that you use for the eduPersonScopedAffiliation attribute.

For example, we have one IdP that handles multiple universities.

We have the following scopes: unt.edu<http://unt.edu>, untdallas.edu, unthsc.edu.

Our eduPersonScopedAffiliation attribute may return values like the following:

student at unt.edu<mailto:student at unt.edu>
staff at untdallas.edu<mailto:staff at untdallas.edu>
staff at unthsc.edu<mailto:staff at unthsc.edu>
faculty at untdallas.edu<mailto:faculty at untdallas.edu>

The "Scope" XML element (which may be repeated multiple times) in the extensions section of the IdP metadata lists scopes for which the IdP is authoritative. In other words, it says which scopes are owned by the IdP.

If the IdP is authoritative for scopes unt.edu<http://unt.edu>, unthsc.edu, and untdallas.edu, but sends an eduPersonScopedAffiliation value of student at mit.edu, that is clearly wrong and the SP should ignore the incorrectly scoped value. The Shibboleth SP does ignore incorrectly scoped values.

I hope that helps to explain the concept of scopes.

Yancey Yeargan
University of North Texas System

On Mar 5, 2020, at 8:48 AM, Mohamed Lrhazi <lrhazi at cua.edu<mailto:lrhazi at cua.edu>> wrote:


I have setup our IdP for a couple of years now, and have been happily adding new SPs every now and then, and everyone is happy :)

Today am trying to add an SP and they complain that our metadata has this example section in it:

            <shibmd:Scope regexp="false">example.org<https://nam04.safelinks.protection.outlook.com/?url=http%3A%2F%2Fexample.org%2F&data=02%7C01%7CYancey.Yeargan%40untsystem.edu%7Cc6e801e3b87d4462c9a408d7c1146450%7C70de199207c6480fa318a1afcba03983%7C0%7C1%7C637190165637626301&sdata=dRHWQky7svlJPl0E8xBX%2FIT71e37kiCsaHx%2BUIPJylM%3D&reserved=0></shibmd:Scope>


I obviously left the example from the sample metadata file... and never got to learn about scopes at all....

Anyone has a link to some high level document I could read to figure what would the implications be if I were to: try and fix this...  Can I just remove the Extensions/ Scope element from my IdP metadata, or should I change the scope to be one of our DNS domain names, what should my scope be? and do I need to have one at all? I guess maybe mine has been example.org<https://nam04.safelinks.protection.outlook.com/?url=http%3A%2F%2Fexample.org%2F&data=02%7C01%7CYancey.Yeargan%40untsystem.edu%7Cc6e801e3b87d4462c9a408d7c1146450%7C70de199207c6480fa318a1afcba03983%7C0%7C1%7C637190165637636291&sdata=Phi%2BIenKc4iv36KKW6Eb1YytDcaypa3vYi3HaLLl15s%3D&reserved=0> all these years! is that bad? :)

Thanks a lot,

For Consortium Member technical support, see https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwiki.shibboleth.net%2Fconfluence%2Fx%2FcoFAAg&data=02%7C01%7CYancey.Yeargan%40untsystem.edu%7Cc6e801e3b87d4462c9a408d7c1146450%7C70de199207c6480fa318a1afcba03983%7C0%7C0%7C637190165637656279&sdata=lyqPKmG5HH8%2F3JF9WmKqYSyECS0nTdoU6P69wO6LDcw%3D&reserved=0
To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net<mailto:users-unsubscribe at shibboleth.net>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://shibboleth.net/pipermail/users/attachments/20200305/05f4cd11/attachment.html>

More information about the users mailing list