Whitelisting SAML attribute scopes for IDP


I’m wondering whether the Component Space library does any validation/verification of the scope of SAML attributes that are sent from an IDP or whether this is intended to be done separately?

I’m referring to the scopes that are mentioned in an IDP’s shibmd:Scope tags in the metadata.

As part of registering our SP for Open Athens they have asked us to whitelist some scopes for one of their test IDPs and it wasn’t clear how to achieve this with Component Space.

We don’t validate SAML attribute values. Therefore, by default, all scopes are whitelisted.

Scopes were introduced relatively recently through the SAML V2.0 Subject Identifier Attributes Profile Version specification and the Shibboleth SAML metadata extensions. We don’t believe their use is widespread.

At this stage, validating of scopes is the responsibility of the application. We simply return the complete SAML attribute value (eg idm123456789@example.com) to the application.

Thank you for confirming

You’re welcome.

One follow-up question which is related to scopes. When we import metadata using ‘ImportUrlAsync’, the IDP’s metadata is parsed into an ComponentSpace.Saml2.Configuration.PartnerIdentityProviderConfiguration object. Where can I find the data from the shibmd:Scope tags within these objects?

In order to do the scope verification I would need to store the list of valid scopes for each IDP as part of their metadata that we save into the DB so that it can be retrieved later and used during the scope verification process.

The shibmd:Scope is a Shibboleth extension and not part of the SAML specification. We don’t include it in the PartnerIdentityProviderConfiguration when importing the metadata. You would have to retrieve this information directly from the metadata.

This would mean the application would download the metadata so it can access the scope. You would then call the IMetadataToConfiguration.Import(XmlElement) or IMetadataToConfiguration.Import(EntityDescriptor) method instead of IMetadataToConfiguration.ImportUrlAsync to import the SAML configuration.