The Shibboleth IdP V4 software has reached its End of Life and is no longer supported. This documentation is available for historical purposes only. See the IDP5 wiki space for current documentation on the supported version.
ScopeMatchesShibMDScope
Namespace: urn:mace:shibboleth:2.0:afp
Schema: http://shibboleth.net/schema/idp/shibboleth-afp.xsd
Overview
The ScopeMatchesShibMDScope type is a Matcher which filters results based on <shibmd:Scope> elements contained in the <md:Extensions> element of the issuer's <md:EntityDescriptor> or <md:RoleDescriptor>. The resulting set of attribute values will only contain:
- Scoped Attribute values (that is, of type ScopedStringAttributeValue)
- Values whose scope matches one of the values specified in a <shibmd:Scope> element within the issuer's <md:EntityDescriptor> or appropriate <md:RoleDescriptor>.
This important filter allows you to remove values issued by sources which do not have the right to issue them. Issuers whose metadata contains no extension will not be permitted to assert any scoped values (i.e., all values will be filtered out).
See ShibMetaExt V1.0 or https://wiki.oasis-open.org/security/SAMLSubjectIDAttr for more details on the metadata extension itself.
Example
<AttributeRule attributeID="eduPersonPrincipalName">
    <PermitValueRule xsi:type="ScopeMatchesShibMDScope" />
</AttributeRule>
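The following sketch models the filtering behaviour described in the Overview so it can be checked against sample metadata. It is an added example, not Shibboleth's implementation: the function names and the sample metadata are constructed, splitting strings on the last "@" stands in for ScopedStringAttributeValue, and it assumes the extension's regexp attribute (not covered on this page) is applied as a full match.

```python
import re
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "shibmd": "urn:mace:shibboleth:metadata:1.0"}

# Constructed sample metadata for a hypothetical issuer.
SAMPLE_METADATA = r"""<md:EntityDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
    entityID="https://idp.example.org/idp/shibboleth">
  <md:Extensions>
    <shibmd:Scope regexp="false">example.org</shibmd:Scope>
  </md:Extensions>
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:Extensions>
      <shibmd:Scope regexp="true">^.+\.dept\.example\.org$</shibmd:Scope>
    </md:Extensions>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def issuer_scopes(metadata_xml, role="IDPSSODescriptor"):
    """Return (scope, is_regexp) pairs from the entity's and the role's Extensions."""
    entity = ET.fromstring(metadata_xml)
    scopes = []
    for path in ("md:Extensions/shibmd:Scope",
                 f"md:{role}/md:Extensions/shibmd:Scope"):
        for el in entity.findall(path, NS):
            is_regexp = el.get("regexp", "false") in ("true", "1")
            scopes.append(((el.text or "").strip(), is_regexp))
    return scopes

def scope_allowed(scope, scopes):
    # Assumption: literal scopes compare exactly, regexp scopes must match in full.
    return any(re.fullmatch(v, scope) if rx else v == scope for v, rx in scopes)

def filter_scoped_values(values, scopes):
    """Keep only 'value@scope' strings whose scope the issuer's metadata permits."""
    kept = []
    for value in values:
        local, sep, scope = value.rpartition("@")
        if sep and local and scope_allowed(scope, scopes):
            kept.append(value)  # unscoped or out-of-scope values are dropped
    return kept

def demo():
    asserted = ["alice@example.org", "bob@lab.dept.example.org",
                "carol@other.example", "no-scope-value"]
    bare = '<md:EntityDescriptor xmlns:md="%s" entityID="https://x.example/"/>' % NS["md"]
    return (filter_scoped_values(asserted, issuer_scopes(SAMPLE_METADATA)),
            filter_scoped_values(asserted, issuer_scopes(bare)))
```

The second result of demo() is the no-extension case: an issuer with no <shibmd:Scope> in its metadata has every scoped value filtered out.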