Skip to Content.
Sympa Menu

metadata-support - [Metadata-Support] attribute scope in IDP metadata

Subject: InCommon metadata support

List archive

[Metadata-Support] attribute scope in IDP metadata

Chronological Thread 
  • From: Andrew Morgan <>
  • To:
  • Subject: [Metadata-Support] attribute scope in IDP metadata
  • Date: Fri, 14 Feb 2014 16:56:25 -0800 (PST)

I'm working through the details to submit my IDP's metadata to InCommon. In the Federation Manager, I have been looking at the IDP Metadata Wizard.

Do I have to use the Wizard or can I submit my Shibboleth idp-metadata.xml file directly somewhere?

The wizard auto-populates the Attribute Scope value with "", which is the same as I have configured in Shibboleth's idp-metadata.xml. If I am asserting that scope in my metadata, what happens if I release EPPN with the scope of a sub-domain? For example, will SPs accept my EPPN as ""? Must the scope of EPPN match the scope in my metadata?

The "Scope in Metadata" page at:


"After receiving a scoped attribute, some SP software can be
configured to compare the asserted scope to the scope value(s) in
metadata. The scoped attribute is accepted by such an SP if and only if
the asserted scope matches a scope value in metadata."

Unfortunately, our central identity usernames do not match the vanity email addresses assigned in the domain. In fact, there are clashes between usernames and email addresses (that are not the same person). We could still release EPPN as "", but it would not be a valid email address. I hope to work towards resolving these namespace issues in the future, but I need to publish our IDP metadata soon.

Any guidance you can provide is welcome!


Andy Morgan
Identity and Access Management
Oregon State University

Archive powered by MHonArc 2.6.16.

Top of Page