Refeds


Subject Re: Scope spoofing - Scoping Policy Framework?
From Leif Johansson <leifj@xxxxxxxx>
Date Mon, 16 Nov 2015 15:51:08 +0100

On 2015-11-13 16:10, Cantor, Scott wrote:
> On 11/13/15, 8:55 AM, "Kristof Bajnok" <bajnokk@xxxxxxx> wrote:
> 
>> On 2015-11-11 14:29, Kristof Bajnok wrote:
>>> By scopes I mean the use of the proprietary shibmd:Scope metadata
>>> extension, because both Shibboleth and SimpleSAMLphp SPs are able to
>>> verify scoped attribute values with metadata. 
>>
>> Peter pointed out that SimpleSAML SP hadn't been capable of that, thus
>> we polished our old code and did this:
>> https://github.com/NIIF/simplesamlphp-module-attributescope
>>
>> It also handles schacHomeOrganization.
> 
> I had wondered; I hadn't thought anything but Shibboleth supported this (and of course it is and always has been a proprietary extension).
> 
> Does your module also filter SPNameQualifier on a NameID (persistent particular of course)? That would also be advisable.
> 
> I guess my main comment is just to be cognizant of the fact that nothing *else* supports this (or likely ever will). We weren't planning on proposing this be included in the implementation profile work going on within InCommon, given the proprietary nature of it. If people feel differently, let us know.
> 
> -- Scott
> 

The fact that "only" Shibboleth supports something in SAML is like
saying only Windows supports Office - which used to be true! That
doesn't mean it is a minor proprietary standard.

I do think we should all take name spoofing seriously and add scope
processing to the minimal baseline.

	Cheers Leif
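To make the mechanism under discussion concrete, here is an added example (written for this page, not code from the thread, the NIIF SimpleSAMLphp module, or Shibboleth) of the two checks the thread mentions: filtering scoped attribute values and schacHomeOrganization against the shibmd:Scope elements in the asserting IdP's metadata, and filtering NameQualifier/SPNameQualifier on a persistent NameID. The IdP metadata, entityIDs and attribute values are constructed for illustration; the matching rules (case-insensitive literal scopes, fully anchored regexp scopes, and rejecting values that do not contain exactly one "@") are this example's choices and should be compared against the semantics of whatever SP software you actually deploy.

```python
"""Scope checking of SAML attributes against shibmd:Scope metadata.

Added example for illustration only; not from the thread or any SP
implementation. Metadata and attribute values are constructed.
"""
import re
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "shibmd": "urn:mace:shibboleth:metadata:1.0",
}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"

# Constructed IdP metadata: one literal scope and one regexp scope.
IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
    entityID="https://idp.example.edu/idp/shibboleth">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:Extensions>
      <shibmd:Scope regexp="false">example.edu</shibmd:Scope>
      <shibmd:Scope regexp="true">^[a-z0-9-]+\\.example\\.org$</shibmd:Scope>
    </md:Extensions>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Attributes whose values carry a "user@scope" suffix, and the one whose
# whole value is a scope (assumed set; extend for your own attribute map).
SCOPED_ATTRIBUTES = {"eduPersonPrincipalName", "eduPersonScopedAffiliation", "eduPersonUniqueId"}
WHOLE_VALUE_SCOPES = {"schacHomeOrganization"}


def load_scopes(metadata_xml):
    """Return (literal_scopes, regexp_scopes) declared in the IDPSSODescriptor."""
    root = ET.fromstring(metadata_xml)
    literal, regexps = set(), []
    for scope in root.findall("md:IDPSSODescriptor/md:Extensions/shibmd:Scope", NS):
        value = (scope.text or "").strip()
        if scope.get("regexp", "false").lower() == "true":
            # Example choice: case-insensitive, and matched with fullmatch below.
            regexps.append(re.compile(value, re.IGNORECASE))
        else:
            # DNS names are case-insensitive, so compare lower-cased.
            literal.add(value.lower())
    return literal, regexps


def scope_allowed(scope, literal, regexps):
    """True if the IdP's metadata entitles it to assert this scope."""
    if scope.lower() in literal:
        return True
    return any(r.fullmatch(scope) for r in regexps)


def filter_scoped_attributes(attributes, literal, regexps):
    """Drop every value whose scope the asserting IdP may not use.

    A user@scope value with anything other than exactly one "@" is
    rejected outright (example's conservative choice).
    """
    kept = {}
    for name, values in attributes.items():
        if name in SCOPED_ATTRIBUTES:
            good = []
            for v in values:
                if v.count("@") != 1:
                    continue
                user, scope = v.split("@")
                if user and scope and scope_allowed(scope, literal, regexps):
                    good.append(v)
        elif name in WHOLE_VALUE_SCOPES:
            good = [v for v in values if scope_allowed(v, literal, regexps)]
        else:
            good = list(values)
        if good:
            kept[name] = good
    return kept


def persistent_nameid_ok(name_id, idp_entity_id, sp_entity_id):
    """Accept a persistent NameID only if its qualifiers name this IdP and this SP.

    name_id is a dict of the element's attributes (Format, NameQualifier,
    SPNameQualifier). Non-persistent formats are not checked here.
    """
    if name_id.get("Format") != PERSISTENT:
        return True
    nq = name_id.get("NameQualifier")
    spnq = name_id.get("SPNameQualifier")
    if nq is not None and nq != idp_entity_id:
        return False
    if spnq is not None and spnq != sp_entity_id:
        return False
    return True


if __name__ == "__main__":
    lit, rx = load_scopes(IDP_METADATA)
    sample = {"eduPersonPrincipalName": ["alice@example.edu", "mallory@victim.edu"]}
    print(filter_scoped_attributes(sample, lit, rx))
```

The spoofing case is the second value in the sample: an IdP whose metadata only declares example.edu asserting mallory@victim.edu. Without the filter an SP that keys authorization on eduPersonPrincipalName would accept it; with the filter the value is dropped before it reaches any policy. The same idea applies to SPNameQualifier: a persistent NameID qualified for some other SP should not be accepted as a local identifier.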