ScopeMatchesShibMDScope
- Scott Cantor
Namespace: urn:mace:shibboleth:2.0:afp
Schema: http://shibboleth.net/schema/idp/shibboleth-afp.xsd
Overview
The ScopeMatchesShibMDScope type is a Matcher which filters results based on <shibmd:Scope> elements contained in the <md:Extensions> element of the issuer's <md:EntityDescriptor> or <md:RoleDescriptor> . The resulting set of attribute values will only contain:
Scoped Attribute values (that is, of type ScopedStringAttributeValue)
Values whose scope matches one of the values specified in a
<shibmd:Scope>element within the issuer's<md:EntityDescriptor>or appropriate<md:RoleDescriptor>.
This important filter allows you to remove values issued by sources which do not have the right to issue them. Issuers whose metadata contains no extension will not be permitted to assert any scoped values (i.e., all values will be filtered out).
See ShibMetaExt V1.0 or https://wiki.oasis-open.org/security/SAMLSubjectIDAttr for more details on the metadata extension itself.
Example
<AttributeRule attributeID="eduPersonPrincipalName">
<PermitValueRule xsi:type="ScopeMatchesShibMDScope" />
</AttributeRule>