[EXT] Scopes in IdP metadata
Mohamed Lrhazi
lrhazi at cua.edu
Thu Mar 5 13:21:16 EST 2020
That's great! Thank you so much guys.
On Thu, Mar 5, 2020 at 10:48 AM Yeargan, Yancey <Yancey.Yeargan at untsystem.edu> wrote:
> Those are the same "scopes" (which typically match DNS domains) that you
> use for the eduPersonScopedAffiliation attribute.
>
> For example, we have one IdP that handles multiple universities.
>
> We have the following scopes: unt.edu, untdallas.edu, unthsc.edu.
>
> Our eduPersonScopedAffiliation attribute may return values like the
> following:
>
> student at unt.edu
> staff at untdallas.edu
> staff at unthsc.edu
> faculty at untdallas.edu
>
> The "Scope" XML element (which may be repeated multiple times) in the
> extensions section of the IdP metadata lists scopes for which the IdP is
> authoritative. In other words, it says which scopes are owned by the IdP.
>
> If the IdP is authoritative for scopes unt.edu, unthsc.edu, and
> untdallas.edu, but sends an eduPersonScopedAffiliation value of
> student at mit.edu, that is clearly wrong and the SP should ignore the
> incorrectly scoped value. The Shibboleth SP does ignore incorrectly scoped
> values.
>
> I hope that helps to explain the concept of scopes.
>
> Yancey Yeargan
> University of North Texas System
>
> On Mar 5, 2020, at 8:48 AM, Mohamed Lrhazi <lrhazi at cua.edu> wrote:
>
> Hello,
>
> I have had our IdP set up for a couple of years now, and have been happily
> adding new SPs every now and then, and everyone is happy :)
>
> Today I am trying to add an SP and they complain that our metadata has this
> example section in it:
>
> <EntityDescriptor....
> <IDPSSODescriptor...
> <Extensions>
> <shibmd:Scope regexp="false">example.org</shibmd:Scope>
> </Extensions>
> ...
>
> I obviously left the example from the sample metadata file... and never
> got to learn about scopes at all....
>
> Does anyone have a link to some high-level document I could read, to figure
> out what the implications would be if I were to try and fix this? Can I just
> remove the Extensions/Scope element from my IdP metadata, or should I
> change the scope to be one of our DNS domain names? What should my scope
> be, and do I need to have one at all? I guess maybe mine has been
> example.org all these years! Is that bad? :)
>
> Thanks a lot,
> Mohamed.
>
> --
> For Consortium Member technical support, see
> https://wiki.shibboleth.net/confluence/x/coFAAg
> To unsubscribe from this list send an email to
> users-unsubscribe at shibboleth.net
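A check of the kind Yancey describes, as an added example that is not code from this thread or from the Shibboleth project: it reads the shibmd:Scope elements out of IdP metadata and separates eduPersonScopedAffiliation values whose scope the IdP is authoritative for from those it is not. The metadata and attribute values are constructed, the entityID is a placeholder, and it goes one step beyond the thread by also handling the regexp="true" form, assuming such a scope is applied as a full, case-insensitive match against the scope part.

```python
import re
import xml.etree.ElementTree as ET

# Real namespace URIs for SAML 2.0 metadata and the Shibboleth metadata extension.
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "shibmd": "urn:mace:shibboleth:metadata:1.0"}

# Constructed sample IdP metadata modelled on the thread: three literal scopes plus
# one regexp scope (added to show the regexp="true" form); the entityID is a placeholder.
IDP_METADATA = r"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:shibmd="urn:mace:shibboleth:metadata:1.0" entityID="https://idp.example.org/idp">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <Extensions>
      <shibmd:Scope regexp="false">unt.edu</shibmd:Scope>
      <shibmd:Scope regexp="false">untdallas.edu</shibmd:Scope>
      <shibmd:Scope regexp="false">unthsc.edu</shibmd:Scope>
      <shibmd:Scope regexp="true">[a-z0-9-]+\.unt\.edu</shibmd:Scope>
    </Extensions>
  </IDPSSODescriptor>
</EntityDescriptor>"""

def authoritative_scopes(metadata_xml):
    """Return [(scope, is_regexp)] for each shibmd:Scope under the IDPSSODescriptor."""
    root = ET.fromstring(metadata_xml)
    return [((el.text or "").strip(), el.get("regexp", "false").lower() == "true")
            for el in root.findall("md:IDPSSODescriptor/md:Extensions/shibmd:Scope", NS)]

def scope_is_authoritative(scope, scopes):
    """Scopes are DNS names, so literal scopes compare case-insensitively; a regexp
    scope is assumed to be applied as a full match (assumption, not from the thread)."""
    for value, is_regexp in scopes:
        if is_regexp:
            if re.fullmatch(value, scope, re.IGNORECASE):
                return True
        elif value.lower() == scope.lower():
            return True
    return False

def filter_scoped_values(values, scopes):
    """Split eduPersonScopedAffiliation values into (accepted, rejected): keep only
    well-formed affiliation@scope values whose scope the IdP is authoritative for."""
    accepted, rejected = [], []
    for v in values:
        affiliation, at, scope = v.rpartition("@")
        if at and affiliation and scope and scope_is_authoritative(scope, scopes):
            accepted.append(v)
        else:
            rejected.append(v)
    return accepted, rejected
```

Feeding the IdP's asserted values through filter_scoped_values(values, authoritative_scopes(IDP_METADATA)) puts a value like student@mit.edu in the rejected list, which is the behaviour the thread attributes to the Shibboleth SP for incorrectly scoped values (the archive renders '@' as ' at ').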