SAML Scope and Scoped Attributes

This document explains how to configure and declare attribute scopes in PhenixID Authentication Services (PAS) for SAML Identity Providers (IdPs) and how Service Providers (SPs) interpret these scoped attributes. Scoped attributes add a domain-based context to attribute values, enabling more precise identity management within federated environments.

Overview

SAML Scope

When a scope is declared in an IdP’s metadata, it tells SPs that certain attributes associated with the IdP are valid only within certain domain boundaries. For example, a university’s IdP might define its scope as university.edu, allowing SPs to understand that attributes scoped to this domain (such as user affiliations or roles) are specific to that university.

A scoped attribute will have the following value:

<attribute-value>@<scope>

Configuration of PAS

A typical configuration of a scoped IdP could look like the following. A comma separated string defines several scopes.

The example below defines a SAML Identity Provider (IdP) in PhenixID, with the settings relevant to scoped attributes highlighted afterwards:

{
  "id" : "69b6c4c6-33af-410e-b8e4-6e71e8bb77ca",
  "alias" : "",
  "name" : "SAML IDP",
  "keystore" : "8cc77bba-b4d2-472a-bf89-b17cd343e7bb",
  "entityID" : "myentityid",
  "requireSigned" : "false",
  "postSSOURL" : "",
  "orgURL" : "https://www.phenixid.se",
  "orgDisplayName" : "PhenixID Labs",
  "orgName" : "PhenixID Labs",
  "assertionProfiles" : [
    {
      "id" : "my-default-assertion-profile",
      "defaultSPID" : "myapps",
      "use_if_expr" : "true",
      "nameIDAttribute" : "sAMAccountName",
      "enableScopedAttributes" : "true",
      "scope" : "phenixid.se",
      "additionalAttributes" : [
        {
          "name" : "urn:oid:1.2.752.201.3.1",
          "friendlyName" : "orgAffiliation",
          "itemAttribute" : "someprop"
        }
      ]
    }
  ]
}

  • Scope and Scoped Attributes:
    • "enableScopedAttributes": "true" and "scope": "phenixid.se" ensure attributes like orgAffiliation are tagged with the phenixid.se domain, formatted as <value>@phenixid.se.
    • This scoped format helps Service Providers (SPs) verify that attributes originate from the trusted domain.
Note

The scope for the Assertion Profile must be exactly one scope.

Which attributes will be scoped?

Currently, the only attributes distributed in scoped form are those that multiple integrations expect to be scoped:

urn:oid:1.2.752.201.3.1 (orgAffiliation)

urn:oid:1.3.6.1.4.1.5923.1.1.1.9 (eduPersonScopedAffiliation)

urn:oid:1.3.6.1.4.1.5923.1.1.1.6 (eduPersonPrincipalName)

urn:oid:1.3.6.1.4.1.5923.1.1.1.13 (eduPersonUniqueId)

urn:oasis:names:tc:SAML:attribute:subject-id

urn:oasis:names:tc:SAML:attribute:pairwise-id

SAML SP Scoped Attribute Validation

If a PAS SAML Service Provider (AssertionConsumer) receives any of the attributes listed above without a scope, it discards them. It also discards an attribute whose scope is not declared in the IdP’s metadata. To enforce this scope validation, set the strictScopedAttributeValidation parameter to true in the AssertionConsumer configuration, as in the following example:

{
  "name" : "AssertionConsumer",
  "config" : {
    "clock_skew_minutes" : "0",
    "addAttributesTo" : "item",
    "strictScopedAttributeValidation" : "true"
  }
}
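The following is an added example, not PhenixID code: it models the <attribute-value>@<scope> format described above and the discard rules the AssertionConsumer applies when strictScopedAttributeValidation is enabled. It assumes assertion attributes arrive as a dict of attribute name to list of values, that the IdP metadata scopes are available as a set of strings, and that scope comparison is an exact string match.

```python
# Added example (not PhenixID's code); assumes exact scope matching.
# The attributes PAS distributes in scoped form (the list above).
SCOPED_ATTRIBUTES = {
    "urn:oid:1.2.752.201.3.1",             # orgAffiliation
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.9",    # eduPersonScopedAffiliation
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.6",    # eduPersonPrincipalName
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.13",   # eduPersonUniqueId
    "urn:oasis:names:tc:SAML:attribute:subject-id",
    "urn:oasis:names:tc:SAML:attribute:pairwise-id",
}

def split_scoped(value):
    """Split '<attribute-value>@<scope>' into (value, scope); scope is None if absent."""
    local, sep, scope = value.rpartition("@")
    if not sep or not local or not scope:
        return value, None
    return local, scope

def validate_scoped_attributes(attributes, idp_scopes, strict=True):
    """Return (accepted, rejected). With strict=True, values of scoped attributes
    lacking a scope, or carrying one the IdP metadata does not declare, are dropped;
    attributes outside SCOPED_ATTRIBUTES always pass through unchanged."""
    accepted, rejected = {}, []
    for name, values in attributes.items():
        if not strict or name not in SCOPED_ATTRIBUTES:
            accepted[name] = list(values)
            continue
        kept = []
        for value in values:
            _, scope = split_scoped(value)
            if scope is None:
                rejected.append((name, value, "missing scope"))
            elif scope not in idp_scopes:
                rejected.append((name, value, "scope not in IdP metadata"))
            else:
                kept.append(value)
        if kept:  # an attribute whose every value was discarded is dropped entirely
            accepted[name] = kept
    return accepted, rejected

# Constructed sample assertion attributes (not real data) and the IdP's metadata scope.
SAMPLE_ATTRIBUTES = {
    "urn:oid:1.2.752.201.3.1": ["employee@phenixid.se", "student"],
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.6": ["alice@other.example"],
    "urn:oid:0.9.2342.19200300.100.1.3": ["alice@phenixid.se"],  # mail: never scoped
}
IDP_SCOPES = {"phenixid.se"}
```

Running validate_scoped_attributes(SAMPLE_ATTRIBUTES, IDP_SCOPES) keeps only employee@phenixid.se for orgAffiliation, drops the unscoped "student" value and the eduPersonPrincipalName with an undeclared scope, and leaves the mail attribute untouched because it is not on the scoped list.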