
An Authentication contains a Principal with Attributes.

The Attributes may be merged from many different sources. Each source may be keyed by a different Subject name.

We initially propose the SAML model, in which an attribute has three main fields:

A name which is typically some ugly long unique name in the form you would find in an LDAP schema. In universities, the names typically come from the EduPerson standard.

A set of values. It is a set because one person may have several phone numbers, several E-Mail addresses, and several eduPersonAffiliations. He may, for example, be both a student and an employee.

A scope. This is a limited method for an Attribute to identify its source. Typically the scope is determined from the source of the attribute. Its use is most obvious with cross-institutional authentication. A tenured faculty member from Yale is visiting L'Ecole du Temps Perdue to do research on Recherche. He ends up with both Yale and ETP credentials which, because they are both EduPerson based, have identical names but different scopes.

Except for scope, a credential has no link back to its source nor is it associated with any particular Subject Entry. The attributes are a bucket and contain all the information about a person from all sources.

It is supposed to be a feature of the Shibboleth configuration to verify the validity of the scopes it presents. The Shibboleth AuthHandle may simply assume that Shibboleth is doing it right, or it may try to check their validity.

Within an institution, scope may identify a particular institutional data source, such as the "student system" or "HR". This may be necessary in other schools which, unlike Yale, do not have database rules in place that are supposed to guarantee consistency of data across sources.
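As an added illustration of the model above (not code from this page or from Shibboleth), the following Python sketch merges scoped attributes from several sources into a single principal bucket and performs the scope check the AuthHandle may choose to do rather than trusting the Shibboleth configuration. The source names and scope strings are constructed placeholders.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, Optional, Set, Tuple

# Constructed sample: source names and scope strings are placeholders,
# not values taken from any real deployment.

@dataclass(frozen=True)
class Attribute:
    name: str               # long unique LDAP/EduPerson-style name
    values: FrozenSet[str]  # a set: several phones, mails, affiliations
    scope: Optional[str]    # the only link back to the attribute's source

class ScopeError(ValueError):
    pass

def check_scopes(attrs: Iterable[Attribute], source: str,
                 allowed: Dict[str, FrozenSet[str]]) -> None:
    """Reject attributes carrying a scope the asserting source may not use."""
    permitted = allowed.get(source, frozenset())
    for a in attrs:
        if a.scope is not None and a.scope not in permitted:
            raise ScopeError(f"source {source!r} may not assert scope {a.scope!r}")

class Principal:
    """A bucket of attributes merged from many sources."""
    def __init__(self) -> None:
        self._bucket: Dict[Tuple[str, Optional[str]], Set[str]] = {}

    def merge(self, attrs: Iterable[Attribute], source: str,
              allowed: Dict[str, FrozenSet[str]]) -> None:
        attrs = list(attrs)
        check_scopes(attrs, source, allowed)   # validate before merging
        for a in attrs:
            # Same name and scope: union the value sets. Different scope:
            # separate entry, so Yale and ETP affiliations coexist.
            self._bucket.setdefault((a.name, a.scope), set()).update(a.values)

    def get(self, name: str, scope: Optional[str] = None) -> Set[str]:
        """Values for a name; scope=None means across all scopes."""
        return set().union(*(v for (n, s), v in self._bucket.items()
                             if n == name and (scope is None or s == scope)))

# Which scopes each source is permitted to assert (placeholder values).
ALLOWED = {"yale-idp": frozenset({"yale.example"}),
           "etp-idp": frozenset({"etp.example"})}
```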
