
Request option: shibmd:scope:0:unknownonly #1290

Open
cdbesten opened this issue Mar 11, 2024 · 3 comments

Comments

@cdbesten

When you have an IdP where shibmd:scope cannot be applied, we want to limit schacHomeOrganization as much as possible.

The request would be to create a reverse filter on the value of schacHomeOrganization. Only allow a value which is not scoped in any of the other connected IdPs.

@tvdijen
Contributor

tvdijen commented Mar 12, 2024

This request stems from the same discussion I had with @thijskh on slack earlier. When setting the shibmd:scope, multiple attributes are checked for a scope, but in my environment there are some differences (i.e. principalName and/or email address do not necessarily follow the homeOrganization scope).

My suggestion to Thijs was to make the attributes that are checked when shibmd:scope is set configurable, using a flag in the attributes.json file.

@thijskh
Member

thijskh commented May 1, 2024

There's a feature in Engineblock where you can set the field coin:schachomeorganization for an IdP A, say to example.gov. This does (obviously, as it's Engineblock...) two things:

  • It sets the value of the released schacHomeOrganization of this IdP statically to example.gov on outgoing assertions, regardless of the input attribute value.
  • It makes this value reserved, i.e. other IdPs cannot deliver this schacHomeOrganization anymore; it's checked that the incoming schacHomeOrganization of an IdP B is not listed in coin:schachomeorganization for any other IdP.

We do not use this feature currently, so we have no real-world evidence of doing this. It's just what the feature's supposed to do. Does this feature help you with your use case?

@tvdijen
Contributor

tvdijen commented May 1, 2024

Nope, IdPs can release multiple home-orgs, and that's where we want to use the shibmd:scope feature.
The issue with that is that it validates more than just the homeOrg attribute (and i.e. our principalName doesn't match the scope).
It would work if shibmd:scope would only validate the homeOrg and (idk, fictional) shibmd:extendedValidation would check the rest. We don't care about that 'rest'.
