Metadata is not currently self-asserted. So it's not the IdP that defines its metadata. It's the federation that is ultimately responsible for it. So, you have a third party there vouching that the scope is appropriate for the IdP. So, if you trust that third party you're good.

Krzysztof Benedyczak wrote:
> Hi Tom,
>
> Thank you for the comprehensive answer.
>
> Tom Scavo wrote:
>> I don't think you can safely infer scope from entityID. In Shibboleth, all IdP scopes are called out in SAML metadata. The SP consumes the metadata and says to itself "okay, I'll recognize any of the scopes you've listed here, it doesn't matter to me which one you use for a particular response."
>
> And here is my doubt. You mean that the *IdP's* metadata contains the scopes which are valid for it? The SP processes the metadata and later checks if an assertion from this particular IdP has one of the scopes defined there? If so, what is the sense of such a check, as the IdP can put any scope in its metadata (also conflicting with the scopes of other IdPs)?
>
> Probably after taking the Internet2 lecture on the scopes I wouldn't ask this question ;)
>
> Except for this question, the rest is now clear to me.
>
> Best regards,
> Krzysztof
>
> --
> ogsa-authz-wg mailing list
> ogsa-authz-wg@ogf.org
> http://www.ogf.org/mailman/listinfo/ogsa-authz-wg

--
SWITCH
Serving Swiss Universities
--------------------------
Chad La Joie, Software Engineer, Security
Werdstrasse 2, P.O. Box, 8021 Zürich, Switzerland
phone +41 44 268 15 75, fax +41 44 268 15 68
chad.lajoie@switch.ch, http://www.switch.ch
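The scope check the thread describes, as an added illustration that is not code from the thread or from Shibboleth itself: a constructed federation metadata document carrying shibmd:Scope elements for two IdPs, a loader that maps each entityID to the scopes the federation vouches for, and an SP-side check that accepts a scoped attribute value only when the asserting IdP is permitted that scope. The entityIDs, scope values and the simplified matching rules are assumptions; the example takes the federation-published metadata as the trust anchor Chad refers to and does not verify its signature.

```python
import re
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "shibmd": "urn:mace:shibboleth:metadata:1.0"}

# Constructed federation metadata (illustrative entityIDs and scopes):
# each IdP carries only the scopes the federation has vouched for.
FEDERATION_METADATA = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                       xmlns:shibmd="urn:mace:shibboleth:metadata:1.0">
  <md:EntityDescriptor entityID="https://idp.example.edu/idp">
    <md:IDPSSODescriptor><md:Extensions>
      <shibmd:Scope regexp="false">example.edu</shibmd:Scope>
      <shibmd:Scope regexp="true">^.+\\.example\\.edu$</shibmd:Scope>
    </md:Extensions></md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://idp.other.org/idp">
    <md:IDPSSODescriptor><md:Extensions>
      <shibmd:Scope regexp="false">other.org</shibmd:Scope>
    </md:Extensions></md:IDPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""

def load_scopes(metadata_xml):
    """Map each IdP entityID to the (is_regexp, scope) pairs its metadata lists."""
    root = ET.fromstring(metadata_xml)
    path = "md:IDPSSODescriptor/md:Extensions/shibmd:Scope"
    return {
        ed.get("entityID"): [(s.get("regexp", "false") == "true", s.text.strip())
                             for s in ed.findall(path, NS)]
        for ed in root.findall("md:EntityDescriptor", NS)
    }

def scoped_value_ok(scopes, issuer, value):
    """SP-side check: accept 'user@scope' only if the asserting IdP may use that scope."""
    if "@" not in value:
        return False
    scope = value.rsplit("@", 1)[1]
    for is_regexp, allowed in scopes.get(issuer, []):
        if is_regexp and re.fullmatch(allowed, scope):
            return True
        if not is_regexp and scope.lower() == allowed.lower():
            return True
    return False

if __name__ == "__main__":
    scopes = load_scopes(FEDERATION_METADATA)
    idp = "https://idp.example.edu/idp"
    print(scoped_value_ok(scopes, idp, "alice@example.edu"))  # True
    print(scoped_value_ok(scopes, idp, "mallory@other.org"))  # False: scope belongs to another IdP
```

An IdP not present in the federation metadata has no permitted scopes at all, so every scoped value it asserts is rejected.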