Hi Tom,

Thank you for the comprehensive answer.

Tom Scavo wrote:
> I don't think you can safely infer scope from entityID. In Shibboleth, all IdP scopes are called out in SAML metadata. The SP consumes the metadata and says to itself "okay, I'll recognize any of the scopes you've listed here, it doesn't matter to me which one you use for a particular response."

And here is my doubt. You mean that the *IdP's* metadata contains the scopes which are valid for it? The SP processes the metadata and later checks if an assertion from this particular IdP has one of the scopes defined there? If so, what is the sense of such a check, as the IdP can put any scope in its metadata (also conflicting with scopes of other IdPs)?

Probably after taking the Internet2 lecture on the scopes I wouldn't ask this question ;) Except for this question, the rest is now clear to me.

Best regards
Krzysztof
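The check described in the quoted text, sketched as an added example that is not part of the original message and is not Shibboleth's own code: each IdP's `shibmd:Scope` entries are read from metadata, and a scoped attribute value is accepted only if its scope is listed for the issuing entityID. The entity IDs, function names and sample metadata are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
SHIBMD = "{urn:mace:shibboleth:metadata:1.0}"

# Constructed sample metadata: two hypothetical IdPs, each listing its own scopes.
SAMPLE_METADATA = """\
<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                       xmlns:shibmd="urn:mace:shibboleth:metadata:1.0">
  <md:EntityDescriptor entityID="https://idp.example.edu/idp">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:Extensions>
        <shibmd:Scope regexp="false">example.edu</shibmd:Scope>
        <shibmd:Scope regexp="true">^.+\\.example\\.edu$</shibmd:Scope>
      </md:Extensions>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://login.example.org/idp">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:Extensions>
        <shibmd:Scope regexp="false">example.org</shibmd:Scope>
      </md:Extensions>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""

def load_scopes(metadata_xml):
    """Map each entityID to the (value, is_regexp) scopes listed in its own metadata."""
    scopes = {}
    for entity in ET.fromstring(metadata_xml).iter(MD + "EntityDescriptor"):
        scopes[entity.get("entityID")] = [
            (s.text.strip(), s.get("regexp", "false") in ("true", "1"))
            for s in entity.iter(SHIBMD + "Scope")
        ]
    return scopes

def scope_accepted(scopes, issuer, scoped_value):
    """Accept user@scope only if the scope is listed for the issuing IdP."""
    _, sep, scope = scoped_value.rpartition("@")
    if not sep or not scope:
        return False  # unscoped or malformed value
    for value, is_regexp in scopes.get(issuer, []):
        if re.fullmatch(value, scope) if is_regexp else value == scope:
            return True
    return False  # unknown issuer, or scope not listed for this issuer
```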