SAML Scope and Scoped Attributes

This document describes how to declare scopes for your SAML IdP, how to enable attribute scoping in the AssertionProvider, and how the PAS SAML SP interprets scoped attributes it receives. Requires PAS 4.7 or higher.

Overview

A SAML scope is declared in the metadata of an IdP to state which domains the IdP has authority over, and therefore which scopes its attributes may carry. The AssertionProvider valve can then be configured to append one of those scopes to certain attributes.

A scoped attribute value has the following form:

<myValue>@<myScope>

Configuration guide

A typical configuration of a scoped IdP looks like the following. Several scopes are given as one comma separated string in the scope field.

SAML IDP:

{
    "id" : "69b6c4c6-33af-410e-b8e4-6e71e8bb77ca",
    "alias" : "",
    "name" : "SAML IDP",
    "keystore" : "8cc77bba-b4d2-472a-bf89-b17cd343e7bb",
    "entityID" : "myentityid",
    "requireSigned" : "false",
    "postSSOURL" : "",
    "orgURL" : "https://www.phenixid.se",
    "orgDisplayName" : "PhenixID Labs",
    "orgName" : "PhenixID Labs",
    "scope" : "phenixid.se,otherdomainexample.org"
}

To provide scoped attributes, the AssertionProvider configuration is as follows:

{
    "id" : "268953c5-bae2-41fc-bbfe-2db2fb58eaed",
    "name" : "AssertionProvider",
    "enabled" : "true",
    "config" : {
      "targetEntityID" : "myentityid",
      "nameIDAttribute" : "uid",
      "additionalAttributes" : "",
      "scope" : "phenixid.se",
      "enableScopedAttributes" : "true"
    },
    "created" : "2023-06-19T12:49:04.563Z"
}

Note that the scope of the AssertionProvider must be exactly one scope (not a comma separated list), and it must be one of the scopes declared in the configuration of the IdP whose entityID matches the AssertionProvider's targetEntityID.

Which attributes will be scoped?

Currently, the only attributes distributed with a scope are the ones whose attribute definitions specify a scoped value (value@scope) and that the integrations consuming them therefore expect to be scoped:

urn:oid:1.2.752.201.3.1 (orgAffiliation)
urn:oid:1.3.6.1.4.1.5923.1.1.1.9 (eduPersonScopedAffiliation)
urn:oid:1.3.6.1.4.1.5923.1.1.1.6 (eduPersonPrincipalName)
urn:oid:1.3.6.1.4.1.5923.1.1.1.13 (eduPersonUniqueId)
urn:oasis:names:tc:SAML:attribute:subject-id
urn:oasis:names:tc:SAML:attribute:pairwise-id
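As an added example (not PhenixID's code), the configuration rule stated above and the scoping itself, in Python: check_assertion_provider applies the one-scope-matching-the-IdP rule to the two JSON objects from this configuration guide (trimmed to the keys used), and scope_attributes appends <value>@<scope> to the listed attributes only, passing every other attribute through. The function names and the user attribute map are this example's own; whether the valve appends to a value that already contains a scope is not stated on this page and is treated as an assumption here.

```python
"""Added example (not PhenixID's code): checks the AssertionProvider/IdP
configuration rule and shows which attributes get the scope appended.
Assumes the two JSON objects from this page, loaded as dicts."""
import json

# The attributes this page lists as the only ones distributed with a scope.
SCOPED_ATTRIBUTES = {
    "urn:oid:1.2.752.201.3.1",                        # orgAffiliation
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.9",               # eduPersonScopedAffiliation
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.6",               # eduPersonPrincipalName
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.13",              # eduPersonUniqueId
    "urn:oasis:names:tc:SAML:attribute:subject-id",
    "urn:oasis:names:tc:SAML:attribute:pairwise-id",
}

# The IdP and AssertionProvider objects from this page, trimmed to the keys used here.
IDP_CONFIG = json.loads('{"entityID": "myentityid", "scope": "phenixid.se,otherdomainexample.org"}')
AP_CONFIG = json.loads('''{
  "name": "AssertionProvider",
  "config": {"targetEntityID": "myentityid", "nameIDAttribute": "uid",
             "scope": "phenixid.se", "enableScopedAttributes": "true"}
}''')


def declared_scopes(idp_config):
    """The IdP's comma separated 'scope' string as a list of scopes."""
    return [s.strip() for s in idp_config.get("scope", "").split(",") if s.strip()]


def check_assertion_provider(ap_config, idp_configs):
    """Return a list of configuration problems (empty means consistent): with
    scoping enabled, the scope must be exactly one value and must be one of the
    scopes declared by the IdP whose entityID equals targetEntityID."""
    cfg = ap_config["config"]
    if cfg.get("enableScopedAttributes") != "true":
        return []
    scope = cfg.get("scope", "").strip()
    if not scope or "," in scope:
        return ["AssertionProvider scope must be exactly one scope, got %r" % cfg.get("scope")]
    target = cfg.get("targetEntityID")
    idp = next((i for i in idp_configs if i.get("entityID") == target), None)
    if idp is None:
        return ["no SAML IdP configured with entityID %r" % target]
    allowed = declared_scopes(idp)
    if scope not in allowed:
        return ["scope %r is not declared by IdP %r (declared: %s)" % (scope, target, ", ".join(allowed))]
    return []


def scope_attributes(attributes, ap_config):
    """Return a copy of the attribute map with <value>@<scope> applied to the
    attributes in SCOPED_ATTRIBUTES; every other attribute is passed through.
    Assumption: the scope is appended to the value as-is, so keep the source
    attribute unscoped or it ends up scoped twice."""
    cfg = ap_config["config"]
    if cfg.get("enableScopedAttributes") != "true":
        return {name: list(values) for name, values in attributes.items()}
    scope = cfg["scope"].strip()
    out = {}
    for name, values in attributes.items():
        if name in SCOPED_ATTRIBUTES:
            out[name] = ["%s@%s" % (v, scope) for v in values]
        else:
            out[name] = list(values)
    return out


# Constructed user attributes (not from the page), as a directory lookup might return them.
USER_ATTRIBUTES = {
    "uid": ["alice"],
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.6": ["alice"],                 # eduPersonPrincipalName
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.9": ["member", "staff"],       # eduPersonScopedAffiliation
    "urn:oid:0.9.2342.19200300.100.1.3": ["alice@mail.example"],   # mail: not a scoped attribute
}

if __name__ == "__main__":
    print(check_assertion_provider(AP_CONFIG, [IDP_CONFIG]))  # [] for the page's configuration
    print(scope_attributes(USER_ATTRIBUTES, AP_CONFIG))
```

Running check_assertion_provider against a modified copy of the AssertionProvider with "scope": "phenixid.se,otherdomainexample.org", or with a scope the IdP does not declare, returns the corresponding problem instead of an empty list, which is the check worth wiring into a deployment pipeline before the configuration is loaded.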

SAML SP Scoped Attribute Validation

If the PAS SAML SP (AssertionConsumer) receives one of the attributes listed above and a value does not contain a scope, that value is discarded. If a value carries a scope that is not declared in the IdP's metadata, it is discarded as well. The scope is therefore trusted only because the IdP's metadata declares it, so the metadata the SP uses must come from a source you trust: an IdP that could declare arbitrary scopes could assert identities belonging to other organisations' domains.
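The SP-side check above, as an added example that is not PhenixID's code. It assumes the IdP publishes its scopes in its metadata as shibmd:Scope elements (the Shibboleth metadata extension, the common way to declare SAML scopes; whether PAS emits exactly this element is an assumption), and it also honours the extension's regexp="true" form, which the text does not mention. The IdP metadata and the AttributeStatement are constructed inputs, and a value with more than one '@' is rejected, a stricter choice than the text states.

```python
"""Added example (not PhenixID's code): SP-side validation of scoped attributes.
Assumption: scopes are published as shibmd:Scope in the IdP metadata."""
import re
import xml.etree.ElementTree as ET  # use defusedxml for untrusted XML in production

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "shibmd": "urn:mace:shibboleth:metadata:1.0",
}

# Attributes that must carry a scope (the list from this page).
SCOPED_ATTRIBUTES = {
    "urn:oid:1.2.752.201.3.1",
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.9",
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.6",
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.13",
    "urn:oasis:names:tc:SAML:attribute:subject-id",
    "urn:oasis:names:tc:SAML:attribute:pairwise-id",
}

# Constructed IdP metadata: the two scopes from this page plus one regexp scope.
IDP_METADATA = r"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:shibmd="urn:mace:shibboleth:metadata:1.0" entityID="myentityid">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:Extensions>
      <shibmd:Scope regexp="false">phenixid.se</shibmd:Scope>
      <shibmd:Scope regexp="false">otherdomainexample.org</shibmd:Scope>
      <shibmd:Scope regexp="true">^[a-z0-9-]+\.phenixid\.se$</shibmd:Scope>
    </md:Extensions>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed AttributeStatement as it might arrive in an assertion from that IdP.
ATTRIBUTE_STATEMENT = """<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6">
    <saml:AttributeValue>alice@phenixid.se</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9">
    <saml:AttributeValue>member@evil.example</saml:AttributeValue>
    <saml:AttributeValue>staff@otherdomainexample.org</saml:AttributeValue>
    <saml:AttributeValue>student@labs.phenixid.se</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="urn:oasis:names:tc:SAML:attribute:subject-id">
    <saml:AttributeValue>unscoped-id</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3">
    <saml:AttributeValue>alice@mail.example</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>"""


def declared_scopes(metadata_xml):
    """(scope, is_regexp) pairs from the IDPSSODescriptor's shibmd:Scope elements."""
    root = ET.fromstring(metadata_xml)
    return [((el.text or "").strip(), el.get("regexp", "false").lower() == "true")
            for el in root.findall("md:IDPSSODescriptor/md:Extensions/shibmd:Scope", NS)]


def scope_allowed(scope, declared):
    """Literal scopes must match exactly; regexp scopes must match the whole scope."""
    for pattern, is_regexp in declared:
        if is_regexp:
            if re.fullmatch(pattern, scope):
                return True
        elif pattern == scope:
            return True
    return False


def split_scoped(value):
    """Split '<value>@<scope>'; None when there is no scope or the form is malformed.
    Values with more than one '@' are rejected here (stricter than the text states)."""
    if value.count("@") != 1:
        return None
    local, scope = value.split("@")
    return (local, scope) if local and scope else None


def validate_attributes(statement_xml, metadata_xml):
    """Return (accepted, discarded): accepted maps attribute name to the values kept,
    discarded lists (name, value, reason) for every value dropped."""
    declared = declared_scopes(metadata_xml)
    accepted, discarded = {}, []
    for attr in ET.fromstring(statement_xml).findall("saml:Attribute", NS):
        name = attr.get("Name")
        for node in attr.findall("saml:AttributeValue", NS):
            value = (node.text or "").strip()
            if name not in SCOPED_ATTRIBUTES:
                accepted.setdefault(name, []).append(value)  # not a scoped attribute
                continue
            parts = split_scoped(value)
            if parts is None:
                discarded.append((name, value, "no scope"))
            elif not scope_allowed(parts[1], declared):
                discarded.append((name, value, "scope not declared in IdP metadata"))
            else:
                accepted.setdefault(name, []).append(value)
    return accepted, discarded
```

With the constructed inputs, validate_attributes keeps alice@phenixid.se, staff@otherdomainexample.org and student@labs.phenixid.se, drops member@evil.example (scope not declared) and the unscoped subject-id, and passes the mail attribute through untouched because it is not in the scoped list. Validation happens per value, so one bad value in a multi-valued attribute does not discard the whole attribute.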