Subject Re: stable reference for Scope?
From Ian Young <ian@xxxxxxxxxx>
Date Fri, 5 Apr 2013 10:39:57 +0100

On 4 Apr 2013, at 16:09, Stefan Santesson <stefan@xxxxxxxxxxx> wrote:

> The Scope element is a string with an optional regexp attribute (boolean).
> The exact meaning of setting the regexp attribute to true or false seems
> missing. I can only guess that true means that the string holds a regular
> expression, but have no clue what the value of scope would be if regexp is
> false.

It's the literal scope value.  I have extended the text in this area; let me know if everything is clearer now.

> Also, how is the scope element associated with any attribute?

The service provider knows (through configuration) which attributes are to be treated as having scoped values.

> How is this used to limit certain values of certain SAML attributes from
> certain IdP or AA?

The SP looks at the Scope elements applicable to the role the attributes were issued from.  For example, if the attributes came through a back-channel communication with an IdP's AttributeAuthorityDescriptor, any Scope elements on that descriptor AND any on the parent EntityDescriptor would apply.

> The expression: "the scope component of each attribute value received" is
> unclear to me. Does this mean that SAML attribute's attribute value
> includes explicit scope information?

The way that the value and scope components of a scoped value are carried in SAML is defined in this document:

Section 2.3 describes the two different conventions used in SAML 1, and section 3.3 covers the much simpler situation in SAML 2.0.

Hope this helps,

	-- Ian

Attachment: smime.p7s
Description: S/MIME cryptographic signature
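The check Ian describes above (collect the Scope elements from the role the attributes came from plus the parent EntityDescriptor, then compare the scope component of each received value against them, literally when regexp is false and as a regular expression when it is true), worked through as an added example. This is illustration code written for this page, not code from the thread, the specification under discussion or the Shibboleth project. It assumes the Shibboleth metadata extension namespace urn:mace:shibboleth:metadata:1.0 for the Scope element, the SAML 2.0 "value@scope" string convention with the scope taken after the last "@", case-insensitive comparison for literal scopes, and whole-string matching for regexp scopes; the metadata and attribute values are constructed samples.

```python
"""Filter scoped SAML attribute values against shibmd:Scope metadata elements."""
import re
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
# Assumption: the Shibboleth metadata extension namespace carrying <Scope>.
SHIBMD_NS = "urn:mace:shibboleth:metadata:1.0"

# Constructed metadata for illustration only; not a real entity.
# The IDPSSODescriptor scope is deliberately an unanchored regexp.
ENTITY_METADATA = r"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
    entityID="https://idp.example.org/idp/shibboleth">
  <Extensions>
    <shibmd:Scope regexp="false">example.org</shibmd:Scope>
  </Extensions>
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <Extensions>
      <shibmd:Scope regexp="true">sso[0-9]*\.example\.org</shibmd:Scope>
    </Extensions>
  </IDPSSODescriptor>
  <AttributeAuthorityDescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <Extensions>
      <shibmd:Scope regexp="false">aa.example.org</shibmd:Scope>
    </Extensions>
  </AttributeAuthorityDescriptor>
</EntityDescriptor>
"""

# Constructed sample values of a scoped attribute (eduPersonPrincipalName-like).
RECEIVED = [
    "alice@aa.example.org",
    "bob@example.org",
    "carol@sso1.example.org",
    "eve@example.org.evil.com",
    "mallory@sso1.example.org.evil.com",
    "unscoped",
]


def _scopes_in(parent):
    """Return (pattern, is_regexp) for each shibmd:Scope under parent's Extensions.
    A missing regexp attribute means the literal form."""
    ext = parent.find(f"{{{MD_NS}}}Extensions")
    if ext is None:
        return []
    out = []
    for s in ext.findall(f"{{{SHIBMD_NS}}}Scope"):
        is_re = s.get("regexp", "false").strip().lower() in ("true", "1")
        out.append(((s.text or "").strip(), is_re))
    return out


def applicable_scopes(metadata_xml, role_local_name):
    """Scopes governing attributes issued from the named role descriptor:
    the role's own Scope elements AND those on the parent EntityDescriptor."""
    root = ET.fromstring(metadata_xml)
    if root.tag != f"{{{MD_NS}}}EntityDescriptor":
        raise ValueError("expected an EntityDescriptor")
    role = root.find(f"{{{MD_NS}}}{role_local_name}")
    if role is None:
        raise ValueError(f"entity has no {role_local_name}")
    return _scopes_in(role) + _scopes_in(root)


def split_scoped_value(value, delimiter="@"):
    """Split 'value@scope'. Assumption: '@' delimiter, scope after the last one;
    a value with no delimiter carries no scope at all."""
    if delimiter not in value:
        return value, None
    head, _, scope = value.rpartition(delimiter)
    return head, scope


def scope_permitted(scope, scopes):
    """True if the scope satisfies any applicable Scope element.
    Literal scopes compare case-insensitively (DNS-like names).  Regexp scopes use
    fullmatch, so an unanchored pattern cannot be satisfied by a longer string
    such as 'sso1.example.org.evil.com'."""
    if not scope:
        return False
    for pattern, is_re in scopes:
        if is_re:
            if re.fullmatch(pattern, scope):
                return True
        elif pattern.lower() == scope.lower():
            return True
    return False


def filter_scoped_values(values, metadata_xml, role_local_name):
    """Keep only values whose scope component the metadata permits for this role."""
    scopes = applicable_scopes(metadata_xml, role_local_name)
    return [v for v in values if scope_permitted(split_scoped_value(v)[1], scopes)]


if __name__ == "__main__":
    for role in ("AttributeAuthorityDescriptor", "IDPSSODescriptor"):
        print(role, "->", filter_scoped_values(RECEIVED, ENTITY_METADATA, role))
```

Run as written, the same six values filter differently depending on which role they are attributed to: "alice@aa.example.org" survives only when the values came through the AttributeAuthorityDescriptor, "carol@sso1.example.org" only through the IDPSSODescriptor, and "bob@example.org" through either because the literal scope sits on the EntityDescriptor. The two evil.com values and the value with no scope are dropped in both cases; whole-string matching is what stops the unanchored regexp from accepting the suffixed scope.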