ScopeFilter

This feature requires V5.2 or later of the IdP software.

Namespace: urn:mace:shibboleth:2.0:metadata
Schema: http://shibboleth.net/schema/idp/shibboleth-metadata.xsd

Overview

A filter of type Scope adds <shibmd:Scope> extension elements to SAML metadata in order to drive software behavior (primarily Attribute Filtering based on the ScopeMatchesShibMDScope rule).

This extension was crafted in the earliest days of the Shibboleth Project and was later standardized as part of the Subject Identifier Attribute specification. Its function is to provide trusted input to the process of determining whether certain attribute data should be accepted from a particular IdP, in order to prevent impersonation attacks. It is a critical function that is missing from most (all?) commercial software.

It is typically applied to IdP metadata, so the most common use for this filter is when using SAML Proxy Authentication or when using the currently unreleased SP V4 software that is reliant on the IdP’s metadata and filtering services.

Sequences of <shibmd:Scope> elements are supplied as filter content. When a child element such as <Entity>, <ConditionRef> or <ConditionScript> evaluates to true, the preceding elements are applied to the corresponding entities.

Filter order is important!

This filter changes the content of the metadata and so a filter of type Scope should appear after any SignatureValidationFilter in the overall MetadataProvider.

Position the Scope filter for efficiency

Deliberately position a Scope filter in the overall sequence of filters for optimal efficiency. In particular, a filter of type Scope should appear after the EntityRoleFilter since the latter effectively removes entities from the input.

Reference

Name                 | Type    | Default | Description
removeExistingScopes | Boolean | false   | Whether to remove any existing Scope extensions from the entity and any roles if touched by the filter (other entities and their roles will be untouched regardless of this setting)

Name              | Description
<shibmd:Scope>    | Content is the literal extension element to add to all entities which match any of the following <Entity>, <EntityRegex>, <ConditionRef> or <ConditionScript> elements.
<Entity>          | The textual content is an EntityID. All preceding Scope elements are added to the matching entity.
<EntityRegex>     | The textual content is a regular expression to match against the entityID. All preceding Scopes are added to the matching entities.
<ConditionRef>    | The textual content is the Bean ID of a Predicate<EntityDescriptor>. All preceding Scopes are added to the entities for which this returns true.
<ConditionScript> | The content of this element is an inline or local script resource that implements Predicate<EntityDescriptor>. All preceding Scopes are added to the entities for which this returns true.

Examples

Note that the examples assume the shibmd prefix is bound in the document to the urn:mace:shibboleth:metadata:1.0 namespace URI.

The first example adds the designated extension to the single entity named in the <Entity> element.

Add Scope element to metadata
<MetadataFilter xsi:type="Scope">
    <shibmd:Scope regexp="false">example.org</shibmd:Scope>
    <Entity>https://idp.example.org</Entity>
</MetadataFilter>

The following example is similar, but the specification of the entities to apply the Scope is handled with an inline script. Obviously the script isn't particularly useful but it demonstrates the syntax.

Use of scripts
<MetadataFilter xsi:type="Scope">
    <shibmd:Scope regexp="false">example.org</shibmd:Scope>
    <ConditionScript>
        <Script>
            <![CDATA[
            input.getEntityID().equals("https://idp.example.org");
            ]]>
        </Script>
    </ConditionScript>
</MetadataFilter>
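The following is an added example, not taken from the original page, that puts the ordering guidance and the reference options above together in one MetadataProvider: the signature filter runs first, the role filter trims the input, and only then does the Scope filter add a literal and a regular-expression scope to entities selected by <Entity> and <EntityRegex>. The provider and signature/role filter types, the URL, file paths and entityIDs are assumptions for illustration, as is the shibmd prefix being bound on the root element.

```xml
<MetadataProvider id="ProxyIdPs" xsi:type="FileBackedHTTPMetadataProvider"
    metadataURL="https://federation.example.org/metadata.xml"
    backingFile="%{idp.home}/metadata/federation.xml">

    <!-- 1. Verify the signature before any filter that changes content;
            the Scope filter must come after this. -->
    <MetadataFilter xsi:type="SignatureValidation"
        certificateFile="%{idp.home}/credentials/federation-signing.pem"/>

    <!-- 2. Keep only IdP roles (assumed role-filter type) so the Scope filter
            has fewer entities to examine. -->
    <MetadataFilter xsi:type="EntityRole">
        <RetainedRole>md:IDPSSODescriptor</RetainedRole>
    </MetadataFilter>

    <!-- 3. Add scopes. removeExistingScopes="true" discards whatever scopes the
            federation published for the entities this filter touches, so only
            the scopes declared here remain; untouched entities keep theirs. -->
    <MetadataFilter xsi:type="Scope" removeExistingScopes="true">
        <!-- Scope elements must precede the selectors they apply to. -->
        <shibmd:Scope regexp="false">example.org</shibmd:Scope>
        <shibmd:Scope regexp="true">^[a-z0-9-]+\.example\.org$</shibmd:Scope>
        <!-- One exact entityID plus a pattern covering numbered IdP hosts. -->
        <Entity>https://idp.example.org/idp/shibboleth</Entity>
        <EntityRegex>^https://idp[0-9]+\.example\.org/idp/shibboleth$</EntityRegex>
    </MetadataFilter>
</MetadataProvider>
```

Because removeExistingScopes="true" replaces rather than merges, check that every scope the listed IdPs legitimately assert is declared here, or their scoped attributes will be rejected by ScopeMatchesShibMDScope.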