Skip to content


Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?

Latest commit


Git stats


Failed to load latest commit information.
Latest commit message
Commit time

Attributescope filter module

Build Status

This module ensures that scoped attributes (such as eduPersonPrincipalName) have the right scopes defined in the entity metadata.

It removes values

  • that should be scoped (see attributesWithScope below) but are not;
  • whose scope does not match shibmd:Scope element in the metadata.

Additionally, it is also capable to handle 'scope attributes' such as schacHomeOrganization that should be equivalent to shibmd:Scope element in the metadata.

Notes and limitations

  • Regular expressions in shibmd:Scope are not supported.
  • It is recommended to run this filter after oid2name. Please note that attribute names in the module configuration are case sensitive and must match the names in attributemaps.
  • 'scope Attributes' must be singled valued, otherwise they are removed.
  • Specifying an attribute in multiple configuration options is likely a user configuration issue. A value will only pass if it conforms to the validation rule for each configured option.

Installing the module

You can install the module with composer:

composer require niif/simplesamlphp-module-attributescope

Example configuration


   authproc.sp = array(
        // 49 => array('class' => 'core:AttributeMap', 'oid2name'),
        // Verify scoped attributes with the metadata:
        50 => array(
            'class' => 'attributescope:FilterAttributes',
            // Default attributes with scope attributes.
            // 'attributesWithScope' => array('eduPersonPrincipalName', 'eduPersonScopedAffiliation'),
            // Default scopeAttribute
            // 'scopeAttributes' => array('schacHomeOrganization'),

Configurations Options

  • attributesWithScope an array of attributes that should be scoped and should match the scope from the metadata
  • attributesWithScopeSuffix an array of attributes that have the scope as a suffix. For example, and are both suffixed with Useful when an SP is reliant on mail attribute to identify users and the IdP users various subdomains for mail.
  • scopeAttributes an array of attributes that should exactly match the scope from the metadata
  • ignoreCheckForEntities an array of IdP entity IDs to skip scope checking for. Useful when an IdP is a SAML proxy and is trusted to assert any scope.
  • ignoreCase ignore the case of the scoped attribute. The new 'Subject Identifier Attributes' profile stipulates that comparison should be case insensitive. Default is false, for backwards compatability.


Runing tests



Filter to remove attribute values which are not properly scoped.






No packages published

Contributors 4