The Shibboleth IdP V3 software has reached its End of Life and is no longer supported. This documentation is available for historical purposes only. See the IDP4 wiki space for current documentation on the supported version.

ScopeConfiguration

Overview

The Scope (basic:AttributeScopeString prior to V3.2) type compares the scope portion of scoped attributes values against the supplied string.  

Confusingly, the Scope type can be a Matcher or a PolicyRequirement.

  • If no attributeID attribute is specified then it is a Matcher (returning that value if it is present amongst the values' scopes, and the empty set otherwise)
  • If an attributeID attribute is specified then it is a PolicyRule (returning true if that that is present amongst the values' scopes for the specified attribute).

Schema Name

The Scope type is defined in the urn:mace:shibboleth:2.0:afp namespace, the schema for which can be located at http://shibboleth.net/schema/idp/shibboleth-afp.xsd

The deprecated basic:AttributeScopeString type is defined in the urn:mace:shibboleth:2.0:afp:mf:basic namespace, the schema for which can be located at http://shibboleth.net/schema/idp/shibboleth-afp-mf-basic.xsd

Attributes

Three attributes may be specified

NameTypeDefaultDescription
attributeID 
StringnoneIf this is present, then this is a PolicyRule returning true if the matching attribute contains a value with the supplied scope.
If this is not present, then this is a Matcher returning that value if it is present amongst the values, and the empty set otherwise.
value
StringrequiredThe value to match against
ignoreCase
BooleantrueWhether the matching is case insensitive

Child Elements

None

Examples

Simple Profile Policy
<PolicyRequirementRule xsi:type="Scope" value="university.edu" attributeID="epsa"/>

Apply this rule if the attribute "epsa" contains a value with scope "university.edu" 

Simple Matcher
<AttributeRule attributeID="epsa">
   <PermitValueRule xsi:type="Scope" value="university.edu" ignoreCase="true" />
</AttributeRule>

If any scoped value of the attribute "epsa" has the scope "university.edu" then add it to the permitted values to be release for "uid"

Compound PolicyRule (deprecated)
<PolicyRequirementRule xsi:type="Scope" value="university.edu"/>

Apply this rule if any attribute contains a scoped value with scope "university.edu".

Compound Matcher (deprecated)
<AttributeRule attributeID="email">
   <PermitValueRule xsi:type="basic:Scope" value="university.edu" attributeID="epsa"/>
</AttributeRule>

If the attribute "epsa" contains a scoped value with scope "university.edu" then release all values of "email" .