Scope checking
Keystone checks attributes that should carry a scope to make sure that:

- there actually is a scope, and
- the scope is in the list declared in the IdP's metadata.

If either condition is not met, the attribute value is not passed on to your application.
These are the attributes that get checked (the rows for the remaining attributes did not survive extraction; the two below are the ones this page itself refers to):

| Attribute 'friendly' name | SAML attribute name | Example |
|---|---|---|
| eduPersonScopedAffiliation | urn:oid:1.3.6.1.4.1.5923.1.1.1.9 | member@example.com |
| eduPersonPrincipalName | urn:oid:1.3.6.1.4.1.5923.1.1.1.6 | user@example.com |
The first three are the ones most likely to be sent. Note that eduPersonPrincipalName is not an email address either, even though it looks like one.
I'm not sure what a scope is though...
Some attributes are 'scoped', which means they carry an organisation identifier as part of the value. This makes them look a bit like an email address, e.g. member@example.com, where the example.com part is the scope. Strictly speaking, it is the scope (or scopes) that you should authorise on, rather than the IdP's entityID: one IdP can legitimately assert several scopes, and the scope check above is what guarantees that an IdP can only send you values in the scopes it has been registered for.
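The two checks described under "Scope checking" above, plus authorising on the scope rather than the entityID, are illustrated below in Python. This is an added example written for this page, not Keystone's own code, and it makes a few assumptions that are labelled in the comments: the IdP declares its scopes as `shibmd:Scope` elements in SAML metadata (the Shibboleth convention, including the optional `regexp="true"` form), literal scopes compare case-insensitively, and the sample metadata and attribute values are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
SHIBMD = "urn:mace:shibboleth:metadata:1.0"

# Attributes whose values must be scoped. The two named on this page; a real
# deployment's list is longer.
SCOPED_ATTRIBUTES = {"eduPersonScopedAffiliation", "eduPersonPrincipalName"}

# Constructed sample IdP metadata (not a real entity). The IdP declares one
# literal scope and one regexp scope covering its sub-domains.
IDP_METADATA = r"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
    entityID="https://idp.example.ac.uk/idp/shibboleth">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:Extensions>
      <shibmd:Scope regexp="false">example.ac.uk</shibmd:Scope>
      <shibmd:Scope regexp="true">^[a-z0-9-]+\.example\.ac\.uk$</shibmd:Scope>
    </md:Extensions>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed attribute set as an IdP might assert it. The third and fourth
# affiliation values should be dropped: one is for a scope this IdP does not
# declare, the other has no scope at all.
SAMPLE_ATTRIBUTES = {
    "eduPersonScopedAffiliation": [
        "member@example.ac.uk", "staff@cs.example.ac.uk",
        "member@other-university.ac.uk", "member",
    ],
    "eduPersonPrincipalName": ["alice@example.ac.uk"],
    "displayName": ["Alice Example"],  # unscoped attribute: passed through untouched
}


def load_scopes(metadata_xml):
    """Return [(scope, is_regexp), ...] declared in the IdP's metadata."""
    root = ET.fromstring(metadata_xml)
    scopes = []
    for el in root.iter(f"{{{SHIBMD}}}Scope"):
        is_regexp = el.get("regexp", "false").lower() == "true"
        scopes.append((el.text.strip(), is_regexp))
    return scopes


def split_scoped(value):
    """Split 'local@scope'; None if there is no scope (or no local part)."""
    local, sep, scope = value.rpartition("@")
    if not sep or not local or not scope:
        return None
    return local, scope


def scope_is_declared(scope, scopes):
    """Assumption: literal scopes match case-insensitively, regexp scopes must fully match."""
    for declared, is_regexp in scopes:
        if is_regexp:
            if re.fullmatch(declared, scope):
                return True
        elif declared.lower() == scope.lower():
            return True
    return False


def filter_attributes(attrs, scopes):
    """Apply the two checks. Returns (kept, dropped) attribute dicts."""
    kept, dropped = {}, {}
    for name, values in attrs.items():
        if name not in SCOPED_ATTRIBUTES:
            kept[name] = list(values)
            continue
        good = []
        for value in values:
            parts = split_scoped(value)
            if parts is None or not scope_is_declared(parts[1], scopes):
                dropped.setdefault(name, []).append(value)
            else:
                good.append(value)
        if good:
            kept[name] = good
    return kept, dropped


def asserted_scopes(kept):
    """Scopes (lower-cased) from the scoped affiliations that survived checking."""
    return {split_scoped(v)[1].lower() for v in kept.get("eduPersonScopedAffiliation", [])}


def authorise_by_scope(kept, allowed_scopes):
    """Authorise on the scope rather than the entityID, as the text recommends."""
    return bool(asserted_scopes(kept) & {s.lower() for s in allowed_scopes})


def check_sample():
    scopes = load_scopes(IDP_METADATA)
    kept, dropped = filter_attributes(SAMPLE_ATTRIBUTES, scopes)
    return kept, dropped, authorise_by_scope(kept, {"example.ac.uk"})


if __name__ == "__main__":
    kept, dropped, allowed = check_sample()
    print("kept:", kept)
    print("dropped:", dropped)
    print("authorised for example.ac.uk:", allowed)
```

Only values that fail the check are dropped, not the whole attribute, so a user whose IdP sends one bad affiliation alongside good ones still gets the good ones. The `rpartition("@")` split keeps a stray `@` in the local part from being mistaken for the scope separator.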