/
ScopeConfiguration

The Shibboleth IdP V3 software has reached its End of Life and is no longer supported. This documentation is available for historical purposes only. See the IDP4 wiki space for current documentation on the supported version.

ScopeConfiguration

Apr 10, 2019

Overview

The Scope (basic:AttributeScopeString prior to V3.2) type compares the scope portion of scoped attributes values against the supplied string.  

Confusingly, the Scope type can be a Matcher or a PolicyRequirement.

  • If no attributeID attribute is specified then it is a Matcher (returning that value if it is present amongst the values' scopes, and the empty set otherwise)

  • If an attributeID attribute is specified then it is a PolicyRule (returning true if that that is present amongst the values' scopes for the specified attribute).

Schema Name

The Scope type is defined in the urn:mace:shibboleth:2.0:afp namespace, the schema for which can be located at http://shibboleth.net/schema/idp/shibboleth-afp.xsd

The deprecated basic:AttributeScopeString type is defined in the urn:mace:shibboleth:2.0:afp:mf:basic namespace, the schema for which can be located at http://shibboleth.net/schema/idp/shibboleth-afp-mf-basic.xsd

Attributes

Three attributes may be specified

Name

Type

Default

Description

Name

Type

Default

Description

attributeID 

String

none

If this is present, then this is a PolicyRule returning true if the matching attribute contains a value with the supplied scope.
If this is not present, then this is a Matcher returning that value if it is present amongst the values, and the empty set otherwise.

value

String

required

The value to match against

ignoreCase

Boolean

true

Whether the matching is case insensitive

Child Elements

None

Examples

Simple Profile Policy
<PolicyRequirementRule xsi:type="Scope" value="university.edu" attributeID="epsa"/>

Apply this rule if the attribute "epsa" contains a value with scope "university.edu" 

Simple Matcher
<AttributeRule attributeID="epsa"> <PermitValueRule xsi:type="Scope" value="university.edu" ignoreCase="true" /> </AttributeRule>

If any scoped value of the attribute "epsa" has the scope "university.edu" then add it to the permitted values to be release for "uid"

Compound PolicyRule (deprecated)
<PolicyRequirementRule xsi:type="Scope" value="university.edu"/>

Apply this rule if any attribute contains a scoped value with scope "university.edu".

Compound Matcher (deprecated)
<AttributeRule attributeID="email"> <PermitValueRule xsi:type="basic:Scope" value="university.edu" attributeID="epsa"/> </AttributeRule>

If the attribute "epsa" contains a scoped value with scope "university.edu" then release all values of "email" .