diff --git a/dspace-api/src/main/java/org/dspace/authenticate/ShibAuthentication.java b/dspace-api/src/main/java/org/dspace/authenticate/ShibAuthentication.java
index 2c70b8de56e3..d1e773edc41f 100644
--- a/dspace-api/src/main/java/org/dspace/authenticate/ShibAuthentication.java
+++ b/dspace-api/src/main/java/org/dspace/authenticate/ShibAuthentication.java
@@ -226,6 +226,8 @@ public int[] getSpecialGroups(Context context, HttpServletRequest request)
 java.util.Set groups = new java.util.HashSet();
 String roleHeader = ConfigurationManager
 .getProperty("authentication.shib.role-header");
+ boolean roleHeader_ignoreScope = ConfigurationManager
+ .getBooleanProperty("authentication.shib.role-header.ignore-scope");
 if (roleHeader == null || roleHeader.trim().length() == 0)
 roleHeader = "Shib-EP-UnscopedAffiliation"; // fall back to default
 String affiliations = request.getHeader(roleHeader);
@@ -251,6 +253,13 @@ public int[] getSpecialGroups(Context context, HttpServletRequest request)
 {
 String affiliation = st.nextToken().trim();
 
+ // strip scope if present and roleHeader_ignoreScope
+ if (roleHeader_ignoreScope)
+ {
+ int index = affiliation.indexOf("@");
+ if (index != -1) affiliation = affiliation.substring(0,index);
+ }
+
 // perform mapping here if necessary
 String groupLabels = ConfigurationManager
 .getProperty("authentication.shib.role." + affiliation);
diff --git a/dspace/config/dspace.cfg b/dspace/config/dspace.cfg
index 86cb2dde6326..caac2152b374 100644
--- a/dspace/config/dspace.cfg
+++ b/dspace/config/dspace.cfg
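Review bot: The new local `roleHeader_ignoreScope` mixes snake_case and camelCase, unlike the neighbouring `roleHeader` and `affiliations` locals; `boolean ignoreRoleHeaderScope = ConfigurationManager.getBooleanProperty("authentication.shib.role-header.ignore-scope");` reads like the rest of the method. Presumably `getBooleanProperty` yields false when the key is absent, which is what the dspace.cfg comment in this same commit promises, but nothing in the hunk says so; a one-line comment such as `// optional; absent/false keeps the previous behaviour of matching the header value unchanged` would save the next reader the lookup. getSpecialGroups starts and ends outside the hunk.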
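Review bot: The value cut at the first `@` is not re-trimmed, so an affiliation like `member @example.org` (interior whitespace survives the earlier `trim()`) becomes `member ` and the lookup of `authentication.shib.role.member ` fails silently; use `if (index != -1) affiliation = affiliation.substring(0, index).trim();`. Worth stating next to the strip, since it changes what the mapping trusts: once ignore-scope is on, `member@institution-a.example` and `member@institution-b.example` both collapse to `member` and map to the same DSpace group, so the scope the IdP asserted no longer distinguishes them — a comment such as `// scope is discarded: roles asserted under any scope map to the same group` plus a debug-level log of the original value would let operators see which scoped values were collapsed. An empty string can also result when the value begins with `@`; it then reaches the `authentication.shib.role.` lookup like any other affiliation, which is probably harmless but deserves a `continue`. The enclosing while loop and getSpecialGroups continue outside the hunk.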
@@ -318,13 +318,22 @@ authentication.shib.email-use-tomcat-remote-user = true
 # if the IdP provides sufficient info (and user not exists in DSpace)
 authentication.shib.autoregister = true
 
-# this header here specifies which attribute that is responsible
-# for providing user's roles to DSpace. When not specified, it is
-# defaulted to 'Shib-EP-UnscopedAffiliation'. The value is specified
-# in AAP.xml (Shib 1.3.x) or attribute-filter.xml (Shib 2.x).
-# The value is CASE-Sensitive. The values provided in this
-# header are separated by semi-colon or comma.
+# these two header here specify which attribute that is responsible
+# for providing user's roles to DSpace and unscope the attributes if needed.
+# When not specified, it is defaulted to 'Shib-EP-UnscopedAffiliation', and
+# ignore-scope is defaulted to 'false'.
+# The value is specified in AAP.xml (Shib 1.3.x) or
+# attribute-filter.xml (Shib 2.x). The value is CASE-Sensitive.
+# The values provided in this header are separated by semi-colon or comma.
+# If your sp only provides scoped role header, you need to set
+# authentication.shib.role-header.ignore-Scope as true.
+# for example if you only get Shib-EP-ScopedAffiliation instead of Shib-EP-ScopedAffiliation,
+# you have to make your setting as:
+# authentication.shib.role-header = Shib-EP-ScopedAffiliation
+# authentication.shib.role-header.ignore-scope = true
+
 # authentication.shib.role-header = Shib-EP-UnscopedAffiliation
+authentication.shib.role-header.ignore-scope = false
 
 # when user is fully authN on IdP but would not like to release
 # his/her roles to DSpace (for privacy reason?), what should be
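Review bot: The comment names the key as `authentication.shib.role-header.ignore-Scope`, while the property actually set a few lines later and read by ShibAuthentication is `authentication.shib.role-header.ignore-scope`; an operator who copies the capitalised form gets a setting that is silently ignored, so the comment line should read `# authentication.shib.role-header.ignore-scope as true.`. The example on the next line says "Shib-EP-ScopedAffiliation instead of Shib-EP-ScopedAffiliation", where the second name is evidently meant to be `Shib-EP-UnscopedAffiliation`. The text also never says what ignore-scope does; one line such as `# ignore-scope = true drops everything from the first '@' onwards before the role.* mapping, so the same role from any scope maps to the same group.` would make the trade-off visible to whoever enables it. The opening "these two header here specify" should be "these two properties specify".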