
Scope matching

Keystone checks the attributes that should carry a scope to make sure that:

  • there actually is a scope, and

  • the scope is one of those declared for the IdP in its federation metadata.

If either condition is not met, the attribute is not passed on to your application. The point of the check is that an IdP can only assert identifiers within the scopes its federation has registered for it, so one organisation's IdP cannot present a user as belonging to another organisation.

These are the attributes that get checked:

Attribute 'friendly' name     SAML attribute name                              Example
eduPersonScopedAffiliation    urn:oid:1.3.6.1.4.1.5923.1.1.1.9                 member@example.com
eduPersonPrincipalName        urn:oid:1.3.6.1.4.1.5923.1.1.1.6                 bob.roberts@example.com
Pairwise-ID                   urn:oasis:names:tc:SAML:attribute:pairwise-id    OWI3YCR14MOJA8OGKJEN5TGWN=@example.com
eduPersonUniqueId             urn:oid:1.3.6.1.4.1.5923.1.1.1.13                dlkaghruh788ag7ro8agr@example.com
Subject-ID                    urn:oasis:names:tc:SAML:attribute:subject-id     fh834r-8yPFHYEw@example.com

The first three are the most likely to be sent. Although a scoped value can look like an email address (eduPersonPrincipalName especially), it is not one and should not be treated as one: it is an identifier whose scope names the organisation, not a mailbox.
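The following is an added example, not Keystone's own code, showing the two-part check described above: read the scopes an IdP declares in its metadata (the shibmd:Scope extension that federations publish), then drop any scoped-attribute value that has no scope or whose scope is not declared. It also serves as a starting point for the "do your own checks" option described further down, where your application receives the IdP's scope values in a claim. The metadata snippet, the entityID and the attribute values are constructed for the example; the scope is taken to be the part after the final "@" and scopes are compared case-insensitively (both assumptions of this example, not statements about Keystone's implementation). It goes slightly beyond the page in that it also passes unscoped attributes through untouched and records why each value was rejected.

```python
import xml.etree.ElementTree as ET

# Namespaces used in SAML metadata. shibmd:Scope is the Shibboleth metadata
# extension that federations use to publish the scopes an IdP may assert.
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "shibmd": "urn:mace:shibboleth:metadata:1.0",
}

# The scoped attributes listed on this page, keyed by SAML attribute name.
SCOPED_ATTRIBUTES = {
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.9": "eduPersonScopedAffiliation",
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.6": "eduPersonPrincipalName",
    "urn:oasis:names:tc:SAML:attribute:pairwise-id": "pairwise-id",
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.13": "eduPersonUniqueId",
    "urn:oasis:names:tc:SAML:attribute:subject-id": "subject-id",
}

# Constructed sample metadata for one IdP (assumed entityID, not a real entity).
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
    entityID="https://idp.example.com/idp/shibboleth">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:Extensions>
      <shibmd:Scope regexp="false">example.com</shibmd:Scope>
      <shibmd:Scope regexp="false">student.example.com</shibmd:Scope>
    </md:Extensions>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed attribute set as it might arrive in an assertion from that IdP.
SAMPLE_ATTRIBUTES = {
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.6": ["bob.roberts@example.com"],
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.9": [
        "member@example.com",
        "staff@EXAMPLE.COM",               # same scope, different case
        "student@student.example.com",     # second declared scope
        "affiliate@evil.example.org",      # scope the IdP has not registered
        "faculty",                         # no scope at all
    ],
    "urn:oasis:names:tc:SAML:attribute:subject-id": ["fh834r-8yPFHYEw@example.com"],
    "urn:oid:2.5.4.42": ["Bob"],           # givenName: not a scoped attribute
}


def declared_scopes(metadata_xml):
    """Return the literal scopes an IdP declares in its metadata, lower-cased."""
    root = ET.fromstring(metadata_xml)
    scopes = set()
    for idp in root.findall(".//md:IDPSSODescriptor", NS):
        for el in idp.findall(".//shibmd:Scope", NS):
            # Regular-expression scopes exist in the schema but are deliberately
            # not honoured here; accepting only literal scopes is the safer default.
            if el.get("regexp", "false").lower() == "true":
                continue
            if el.text and el.text.strip():
                scopes.add(el.text.strip().lower())
    return scopes


def split_scope(value):
    """Split 'local@scope' into (local, scope); None if either part is missing."""
    local, sep, scope = value.rpartition("@")
    if not sep or not local or not scope:
        return None
    return local, scope


def filter_scoped_attributes(attributes, scopes):
    """Keep only scoped values whose scope is declared; return (passed, rejected)."""
    passed, rejected = {}, []
    for name, values in attributes.items():
        if name not in SCOPED_ATTRIBUTES:
            passed[name] = list(values)     # unscoped attributes are not checked
            continue
        kept = []
        for v in values:
            parts = split_scope(v)
            if parts is None:
                rejected.append((name, v, "no scope"))
            elif parts[1].lower() not in scopes:
                rejected.append((name, v, "scope not in metadata"))
            else:
                kept.append(v)
        if kept:                            # an attribute with no surviving values is dropped
            passed[name] = kept
    return passed, rejected


if __name__ == "__main__":
    scopes = declared_scopes(SAMPLE_METADATA)
    passed, rejected = filter_scoped_attributes(SAMPLE_ATTRIBUTES, scopes)
    for name, v, why in rejected:
        print(f"dropped {SCOPED_ATTRIBUTES[name]} value {v!r}: {why}")
    print("passed:", passed)
```

Note that an attribute is dropped outright if none of its values survives, so application code that relies on eduPersonPrincipalName being present must still handle its absence.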

What if I need to turn this off or make adjustments?

The scope check is a single on/off setting that applies to all of the attributes above; you can toggle it in the SAML section of your connection.

[Screenshot: scopeCheckToggle.png]

If you need to fine-tune things for specific customer needs, there is a rule you can turn on that makes the IdP's declared scope values available in a claim, so that your application can perform its own checks instead of Keystone's.

[Screenshot: scopeRule.png]

My friend isn’t sure what a scope is...

With SAML and similar protocols, 'scope' is used in the sense of the purview, sphere or remit of an organisation: the namespace within which it is entitled to issue identifiers.

The attributes that carry this scope are termed 'scoped', and a scoped value looks a bit like an email address, e.g. member@example.com. In this example, the example.com part is the scope.

Strictly speaking, it is the scope(s) you should authorise on rather than the entityID, since the scope is the organisation's identifier, whereas the entityID only identifies the metadata entry (an organisation may operate more than one IdP, or change IdP, and keep the same scope).
