/
ScopeMatchesShibMDScope

ScopeMatchesShibMDScope

Owned by Scott Cantor
Last updated: Nov 14, 2023
1 min read

Namespace: urn:mace:shibboleth:2.0:afp
Schema: http://shibboleth.net/schema/idp/shibboleth-afp.xsd

Overview

The ScopeMatchesShibMDScope type is a Matcher which filters results based on <shibmd:Scope> elements contained in the <md:Extensions> element of the issuer's <md:EntityDescriptor> or <md:RoleDescriptor> . The resulting set of attribute values will only contain:

  • Scoped Attribute values (that is, of type ScopedStringAttributeValue)

  • Values whose scope matches one of the values specified in a <shibmd:Scope> element within the issuer's <md:EntityDescriptor> or appropriate <md:RoleDescriptor>.

This important filter allows you to remove values issued by sources which do not have the right to issue them. Issuers whose metadata contains no extension will not be permitted to assert any scoped values (i.e., all values will be filtered out).

See ShibMetaExt V1.0 or https://wiki.oasis-open.org/security/SAMLSubjectIDAttr for more details on the metadata extension itself.

Example

<AttributeRule attributeID="eduPersonPrincipalName"> <PermitValueRule xsi:type="ScopeMatchesShibMDScope" /> </AttributeRule>

 

Related content

ValueMatchesShibMDScope
ValueMatchesShibMDScope
Identity Provider 5
More like this
AttributeFilterConfiguration
AttributeFilterConfiguration
Identity Provider 5
Read with this
ScopeMatchesShibMDScope
ScopeMatchesShibMDScope
Identity Provider 4
More like this
ScopeConfiguration
ScopeConfiguration
Identity Provider 5
Read with this
ValueMatchesShibMDScope
ValueMatchesShibMDScope
Identity Provider 4
More like this
ScriptConfiguration
ScriptConfiguration
Identity Provider 5
Read with this