Subject Re: Scope spoofing - Scoping Policy Framework?
From "Cantor, Scott" <cantor.2@xxxxxxx>
Date Fri, 13 Nov 2015 15:10:41 +0000

On 11/13/15, 8:55 AM, "Kristof Bajnok" <bajnokk@xxxxxxx> wrote:

>On 2015-11-11 14:29, Kristof Bajnok wrote:
>> By scopes I mean the use of the proprietary shibmd:Scope metadata
>> extension, because both Shibboleth and SimpleSAMLphp SPs are able to
>> verify scoped attribute values with metadata. 
>Peter pointed out that SimpleSAML SP hadn't been capable of that, thus
>we polished our old code and did this:
>It also handles schacHomeOrganization.

I had wondered; I hadn't thought anything but Shibboleth supported this (and of course it is and always has been a proprietary extension).

Does your module also filter SPNameQualifier on a NameID (persistent in particular, of course)? That would also be advisable.

I guess my main comment is just to be cognizant of the fact that nothing *else* supports this (or likely ever will). We weren't planning on proposing this be included in the implementation profile work going on within InCommon, given the proprietary nature of it. If people feel differently, let us know.

-- Scott
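
The scope check discussed in this thread, as an added example that is not part of the original messages and is not the code of the module or of Shibboleth. It assumes the metadata has already been signature-verified and is trusted. The sample metadata, the attribute list in `SCOPED` and the function names are constructed for illustration, and the exact-match and full-match comparison rules are assumptions.

```python
import re
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "shibmd": "urn:mace:shibboleth:metadata:1.0"}
SCOPED = {"eduPersonPrincipalName", "eduPersonScopedAffiliation"}  # user@scope values

# Constructed metadata for a hypothetical IdP (not taken from the thread).
SAMPLE_METADATA = r"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
    entityID="https://idp.example.org/idp">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:Extensions>
      <shibmd:Scope regexp="false">example.org</shibmd:Scope>
      <shibmd:Scope regexp="true">^[a-z]+\.dept\.example\.org$</shibmd:Scope>
    </md:Extensions>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def load_scopes(metadata_xml):
    """Return (literal scopes, compiled regexp scopes) declared for the IdP."""
    root = ET.fromstring(metadata_xml)  # assumption: already verified, trusted metadata
    literals, patterns = set(), []
    for el in root.iterfind(".//md:Extensions/shibmd:Scope", NS):
        text = (el.text or "").strip()
        if el.get("regexp", "false").lower() in ("true", "1"):
            patterns.append(re.compile(text))
        elif text:
            literals.add(text)
    return literals, patterns

def scope_allowed(scope, literals, patterns):
    # Exact match for literal scopes, whole-string match for regexp scopes.
    return scope in literals or any(p.fullmatch(scope) for p in patterns)

def filter_attributes(attrs, literals, patterns):
    """Drop scoped and schacHomeOrganization values whose scope the IdP did not declare."""
    out = {}
    for name, values in attrs.items():
        if name == "schacHomeOrganization":
            kept = [v for v in values if scope_allowed(v, literals, patterns)]
        elif name in SCOPED:
            # A value without "@" has no scope and is rejected.
            kept = [v for v in values
                    if "@" in v and scope_allowed(v.rpartition("@")[2], literals, patterns)]
        else:
            kept = list(values)  # unscoped attributes pass through untouched
        if kept:
            out[name] = kept
    return out
```
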