Overview

The Scope (basic:AttributeScopeString prior to V3.2) type compares the scope portion of scoped attributes values against the supplied string.  

Confusingly, the Scope type can be a Matcher or a PolicyRequirement.

Schema Name

The Scope type is defined in the urn:mace:shibboleth:2.0:afp namespace, the schema for which can be located at http://shibboleth.net/schema/idp/shibboleth-afp.xsd

The deprecated basic:AttributeScopeString type is defined in the urn:mace:shibboleth:2.0:afp:mf:basic namespace, the schema for which can be located at http://shibboleth.net/schema/idp/shibboleth-afp-mf-basic.xsd

Attributes

Three attributes may be specified

NameTypeDefaultDescription
attributeID 
StringnoneIf this is present, then this is a PolicyRule returning true if the matching attribute contains a value with the supplied scope.
If this is not present, then this is a Matcher returning that value if it is present amongst the values, and the empty set otherwise.
value
StringrequiredThe value to match against
ignoreCase
BooleantrueWhether the matching is case insensitive

Child Elements

None

Examples

<PolicyRequirementRule xsi:type="Scope" value="university.edu" attributeID="epsa"/>

Apply this rule if the attribute "epsa" contains a value with scope "university.edu" 

<AttributeRule attributeID="epsa">
   <PermitValueRule xsi:type="Scope" value="university.edu" ignoreCase="true" />
</AttributeRule>

If any scoped value of the attribute "epsa" has the scope "university.edu" then add it to the permitted values to be release for "uid"

<PolicyRequirementRule xsi:type="Scope" value="university.edu"/>

Apply this rule if any attribute contains a scoped value with scope "university.edu".

<AttributeRule attributeID="email">
   <PermitValueRule xsi:type="basic:Scope" value="university.edu" attributeID="epsa"/>
</AttributeRule>

If the attribute "epsa" contains a scoped value with scope "university.edu" then release all values of "email" .