Scoped Attributes Filtering
This document describes the FilterScopes attribute filter in the saml module.
This filter allows a Service Provider to make sure the scopes included in the values
of certain attributes correspond to what the Identity Provider declares in its
metadata. If the IdP includes a list of scopes in the metadata, only those scopes will
be allowed. On the other hand, if no scopes are declared or the scope is not included
in the list of declared scopes, it will be matched against the domain used by the
endpoint. This means the
scope will be
allowed in attributes received from an IdP whose
is located on the
top domain or any subdomain of that. Such scope will
be rejected though if the match with the IdP's endpoint does not happen at the top
level, like for example with
If you are configuring the metadata of an IdP manually, remember to add an array
to it with the key
, containing the list of scopes expected from that entity.
This filter can be configured in the file, inside the `authproc` array of the corresponding SAML authentication source in use.
Note that this filter can only be used with SAML authentication sources.
Here are the options available for the filter:
- `attributes`: An array containing a list of attributes that are scoped and therefore should be evaluated. Defaults to eduPersonPrincipalName and eduPersonScopedAffiliation.
Use the default list of scoped attributes:

```php
'authproc' => [
    90 => [
        'class' => 'saml:FilterScopes',
    ],
],
```

Specify a custom list of attributes to treat as scoped attributes:

```php
'authproc' => [
    90 => [
        'class' => 'saml:FilterScopes',
        'attributes' => [
            'mail',
            'eduPersonPrincipalName',
        ],
    ],
],
```

Specify the same attributes in OID format:

```php
'authproc' => [
    90 => [
        'class' => 'saml:FilterScopes',
        'attributes' => [
            'urn:oid:0.9.2342.19200300.100.1.3',
            'urn:oid:1.3.6.1.4.1.5923.1.1.1.6',
        ],
    ],
],
```
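The following is an added illustration of the decision rule this document describes (declared scopes pass; otherwise the scope must match the IdP endpoint's host at the top level). It is not the saml module's own code; the function names, the constructed metadata and attribute values, and the assumption that the scope is the part after the last `@` (values without one are kept) are all this example's own. It requires PHP 8 for `str_ends_with`.

```php
<?php
// Added illustration of the FilterScopes rule, not the saml module's implementation.

/**
 * A scope is allowed if the IdP declares it in metadata, or if it equals the
 * endpoint host or is a parent domain of it matched at a label boundary:
 * "example.com" matches "idp.example.com" but not "myexample.com".
 */
function isScopeAllowed(string $scope, array $declaredScopes, string $endpointHost): bool
{
    $scope = strtolower($scope);
    $endpointHost = strtolower($endpointHost);
    if (in_array($scope, array_map('strtolower', $declaredScopes), true)) {
        return true;
    }
    return $endpointHost === $scope || str_ends_with($endpointHost, '.' . $scope);
}

/**
 * Remove values of the scoped attributes whose scope is not allowed for this IdP.
 * Assumption: the scope is everything after the last '@'; unscoped values are kept.
 */
function filterScopedAttributes(array $attributes, array $declaredScopes, string $endpointUrl,
    array $scopedAttributes = ['eduPersonPrincipalName', 'eduPersonScopedAffiliation']): array
{
    $host = parse_url($endpointUrl, PHP_URL_HOST) ?: '';
    foreach ($scopedAttributes as $name) {
        if (!isset($attributes[$name])) {
            continue;
        }
        $kept = [];
        foreach ($attributes[$name] as $value) {
            $at = strrpos($value, '@');
            if ($at === false || isScopeAllowed(substr($value, $at + 1), $declaredScopes, $host)) {
                $kept[] = $value;
            }
        }
        // Drop the attribute entirely if no value survived, as an empty list is meaningless.
        $kept === [] ? $attributes = array_diff_key($attributes, [$name => 0]) : $attributes[$name] = $kept;
    }
    return $attributes;
}

// Constructed sample: the IdP declares only "example.org" but its endpoint host
// is idp.example.com, so "example.com" passes by domain match while
// "example.com.evil.test" is rejected because it does not match at the top level.
$filtered = filterScopedAttributes(
    ['eduPersonPrincipalName' => ['alice@example.org', 'bob@example.com', 'eve@example.com.evil.test']],
    ['example.org'],
    'https://idp.example.com/saml2/idp/SSOService.php'
);
print_r($filtered); // keeps alice@example.org and bob@example.com only
```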