Syntax: DirectoryString (1.3.6.1.4.1.1466.115.121.1.15)
Equality: caseExactMatch
Format: <anyUri>@<scope>
<scope>: DNS domain that is associated with the issuing entity in metadata (shibmd:Scope)
<anyUri>: any valid URI.
Examples:
urn:mace:common-lib-terms@hexaa.eduid.hu
urn:geant:niif.hu:hexaa:projectfoo:bar@hexaa.eduid.hu
urn:elixir:foo:baz:bar@aa.scope.com
urn:x-perun:baz-collaboration.foo-service.bar-value@perun.org
https://cern.ch/unifocaltelescope/admin@perun.cz
urn:REGISTERED_NAMESPACE:[auth source]:{target}:{service}:{[entitlementName]}:[entitlementValue]@perun.org
Benefits:
- any URI can be used in the “local-part”, so existing eduPersonEntitlement values work as well
- the scope can be verified using existing code in Shibboleth and SimpleSAMLphp, which can also handle multiple occurrences of the delimiter character
Gotchas:
- the whole eduPersonScopedEntitlement value is NOT a URI, because the ‘@’ delimiter is a reserved character in RFC 2396
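The following is an added example, not code from this page or from Shibboleth or SimpleSAMLphp. It sketches how a relying party could parse a value in the `<anyUri>@<scope>` format and check the scope against the scopes registered for the issuer. The entity IDs and the `ALLOWED_SCOPES` table are constructed, and splitting on the last ‘@’ is an assumption made here because the URI part may itself contain ‘@’ while a DNS-domain scope cannot.

```python
from urllib.parse import urlsplit

# Constructed sample: scopes each issuer may assert, as would be read from
# shibmd:Scope in its metadata. The entity IDs are hypothetical.
ALLOWED_SCOPES = {
    "https://aa.example.org/idp": {"hexaa.eduid.hu"},
    "https://perun.example.org/idp": {"perun.org", "perun.cz"},
}


def parse_scoped_entitlement(value):
    """Split <anyUri>@<scope> on the LAST '@'.

    Assumption: the scope is a DNS domain and never contains '@',
    while the URI part may (e.g. userinfo in an https URI).
    """
    uri, sep, scope = value.rpartition("@")
    if not sep or not uri or not scope:
        raise ValueError("expected <anyUri>@<scope>")
    # Minimal URI check: a scheme (urn:, https:, ...) must be present.
    if not urlsplit(uri).scheme:
        raise ValueError("local part is not a URI")
    return uri, scope


def accept(issuer, value, allowed=ALLOWED_SCOPES):
    """Return (uri, scope) if the issuer may assert that scope, else None.

    The comparison is case-sensitive, in line with caseExactMatch.
    """
    uri, scope = parse_scoped_entitlement(value)
    if scope not in allowed.get(issuer, set()):
        return None  # scope not registered for this issuer: drop the value
    return uri, scope


if __name__ == "__main__":
    issuer = "https://aa.example.org/idp"
    for v in ("urn:mace:common-lib-terms@hexaa.eduid.hu",
              "urn:mace:common-lib-terms@perun.org"):
        print(v, "->", accept(issuer, v))
```

A value whose scope is not registered for the asserting issuer is dropped rather than passed on to authorization logic, which is the point of carrying the scope in the value.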