> Those are the same "scopes" (which typically match DNS domains) that you > use for the eduPersonScopedAffiliation attribute. And more importantly scoped user identifiers, which are much more common and critical to avoiding impersonation bugs in cloud applications. -- Scott