...
schacHomeOrganization - include in the R&S bundle or not?
Christos has the requirement to know what organization as user is coming from. Scopes from scoped eduPerson attribtues may not give the necessary "assurance". In one collaboration, this is used to construct the user id. We would need to be able to say that scope always maps to the domain of the organization. There is a complication that most organizations have more than one domain name (though that affects attributes "scopes" equally as sHO).
Scope is similar to sHO, and there are some situations where there is a school may have departments with their own domain name (e.g., harvard.edu has a central IdP, but Sloan Harvard Business School (hbs.edu) is part of Harvard and has its own domain name)
the subject-id is scoped in SAML; you will likely get the "one true public suffix" that the organization uses from that in most cases
Organizational identity has been an issue for a long time now (DNS domains are just a stand-in for solving the real problem)
What is the extent of the use case that having this would impact? Does every IdP in the world need to start supporting SCHAC to solve this for the given set of SPs? The growth of eduID systems may see the requirement for this grow. If we can put in R&S that the scope represents the organization, then it doesn't need to be sHO.
- Many academic federations, including the largest one on the planet (UKf) that also has the most publishers registered, have been using the scope from ePSA as a contract identifier of sorts (to manage access to institutionally licensed resources) for a long time now. The claim that the "scope" portion of ePSA (or of other attributes defined as "scoped") does not properly identify those instituitions seems unfounded that way.
Next steps
Focus on the OIDC section
Come back to the need for organization info (scope? schacHomeOrganization?) if not resolve on the list
...