...
Format: <anyUri>@<scope>
<scope>: a DNS-domain-like string (it could be a domain name) that is associated with the issuing entity in metadata (shibmd:Scope). It is not the same scope that we use for eppn.
<anyUri>: any valid URI.
Examples:
urn:mace:dir:entitlement:common-lib-terms@terms@hexaa.eduid.hu
urn:geant:niif.hu:hexaa:projectfoo:bar@hexaa.eduid.hu
...
Any URI can be used in the “local-part”, so existing eduPersonEntitlement values work as well.
The scope can be verified using existing code in Shibboleth and SimpleSAMLphp. They can also handle multiple occurrences of the delimiter character.
Gotchas:
The whole eduPersonScopedEntitlement value is NOT a URI, because the position of the ‘@’ delimiter is reserved in RFC 2396.
Note: RFC 2396 was obsoleted by RFC 3986.
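The receiving-side check described above, sketched in Python as an added example (this is not Shibboleth or SimpleSAMLphp code, and all function names are hypothetical): each value is split into URI and scope, and kept only if the scope is one the issuer declares in shibmd:Scope.
Assumptions: the split is on the last '@', literal scopes are compared as exact strings, and the DECLARED list is constructed.

```python
import re
from typing import Iterable, List, NamedTuple, Tuple

class ScopedEntitlement(NamedTuple):
    uri: str
    scope: str

# RFC 3986 scheme followed by ':' and a non-empty remainder (minimal URI check).
_URI = re.compile(r"[A-Za-z][A-Za-z0-9+.\-]*:.+")

def parse_scoped_entitlement(value: str) -> ScopedEntitlement:
    """Split <anyUri>@<scope> on the LAST '@'.

    Assumption: the scope is DNS-like and so never contains '@', while the
    URI part may (see the common-lib-terms example on the page).
    """
    uri, sep, scope = value.rpartition("@")
    if not sep or not uri or not scope:
        raise ValueError("value has no '@<scope>' part")
    if not _URI.fullmatch(uri):
        raise ValueError("local part is not a URI")
    return ScopedEntitlement(uri, scope)

def scope_allowed(scope: str, declared: Iterable[Tuple[str, bool]]) -> bool:
    """declared: (text, is_regexp) pairs read from the issuer's shibmd:Scope elements."""
    for text, is_regexp in declared:
        if (re.fullmatch(text, scope) if is_regexp else scope == text):
            return True
    return False

def accept(values: Iterable[str], declared: List[Tuple[str, bool]]) -> List[ScopedEntitlement]:
    """Keep only well-formed values whose scope the issuer is registered for."""
    accepted = []
    for value in values:
        try:
            ent = parse_scoped_entitlement(value)
        except ValueError:
            continue  # malformed: drop rather than pass through unscoped
        if scope_allowed(ent.scope, declared):
            accepted.append(ent)
    return accepted

# Constructed sample: scopes declared in metadata, and values asserted by the issuer.
DECLARED = [("hexaa.eduid.hu", False)]
ASSERTED = [
    "urn:mace:dir:entitlement:common-lib-terms@terms@hexaa.eduid.hu",  # from the page
    "urn:geant:niif.hu:hexaa:projectfoo:bar@hexaa.eduid.hu",           # from the page
    "urn:geant:niif.hu:hexaa:projectfoo:bar@other.example.org",        # constructed: undeclared scope
    "urn:geant:niif.hu:hexaa:projectfoo:bar",                          # constructed: no scope
]
```

Entitlements are authorization data, so a value that fails parsing or the scope check is dropped rather than passed on with its scope stripped.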