Overview

The Scope (basic:AttributeScopeString prior to V3.2) type compares the scope portion of scoped attributes values against the supplied string.

Confusingly, the Scope type can be a Matcher or a PolicyRequirement.

If no attributeID attribute is specified then it is a Matcher (returning that value if it is present amongst the values' scopes, and the empty set otherwise)
If an attributeID attribute is specified then it is a PolicyRule (returning true if that that is present amongst the values' scopes for the specified attribute).

Schema Name

The Scope type is defined in the urn:mace:shibboleth:2.0:afp namespace, the schema for which can be located at http://shibboleth.net/schema/idp/shibboleth-afp.xsd

The deprecated basic:AttributeScopeString type is defined in the urn:mace:shibboleth:2.0:afp:mf:basic namespace, the schema for which can be located at http://shibboleth.net/schema/idp/shibboleth-afp-mf-basic.xsd

Three attributes may be specified

Name	Type	Default	Description
attributeID	String	none	If this is present, then this is a PolicyRule returning true if the matching attribute contains a value with the supplied scope. If this is not present, then this is a Matcher returning that value if it is present amongst the values, and the empty set otherwise.
value	String	required	The value to match against
ignoreCase	Boolean	`true`	Whether the matching is case insensitive

None

Simple Profile Policy

<PolicyRequirementRule xsi:type="Scope" value="university.edu" attributeID="epsa"/>

Apply this rule if the attribute "epsa" contains a value with scope "university.edu"

Simple Matcher

<AttributeRule attributeID="epsa">
   <PermitValueRule xsi:type="Scope" value="university.edu" ignoreCase="true" />
</AttributeRule>

If any scoped value of the attribute "epsa" has the scope "university.edu" then add it to the permitted values to be release for "uid"

Compound PolicyRule (deprecated)

<PolicyRequirementRule xsi:type="Scope" value="university.edu"/>

Apply this rule if any attribute contains a scoped value with scope "university.edu".

Compound Matcher (deprecated)

<AttributeRule attributeID="email">
   <PermitValueRule xsi:type="basic:Scope" value="university.edu" attributeID="epsa"/>
</AttributeRule>

If the attribute "epsa" contains a scoped value with scope "university.edu" then release all values of "email" .