diff --git a/modules/core/docs/authproc_pairwiseid.md b/modules/core/docs/authproc_pairwiseid.md
index 0fe15914c3ee2264af95614d6d42bb3ebbfd8041..75b20209ff3a32a9e8c32adb63084b8122aeee0c 100644
--- a/modules/core/docs/authproc_pairwiseid.md
+++ b/modules/core/docs/authproc_pairwiseid.md
@@ -7,6 +7,10 @@ http://docs.oasis-open.org/security/saml-subject-id-attr/v1.0/saml-subject-id-at
 This filter will take an attribute and a scope as input and transforms this into a anonymized and scoped
 identifier that is globally unique for a given user & service provider combination.
 
+Note:
+Since the subject-id is specified as single-value attribute, only the first value of `identifyingAttribute`
+ and `scopeAttribute` are considered.
+
 Examples
 --------
 
diff --git a/modules/core/docs/authproc_subjectid.md b/modules/core/docs/authproc_subjectid.md
index b29446f3b268ad351b28f80bf71e81938f3461ce..85347c2ca622be00251cb7088ef05b88db9e3b4e 100644
--- a/modules/core/docs/authproc_subjectid.md
+++ b/modules/core/docs/authproc_subjectid.md
@@ -10,6 +10,10 @@ Note:
 -----
 If privacy is of your concern, you may want to use the PairwiseID-filter instead.
 
+Note:
+Since the subject-id is specified as single-value attribute, only the first value of `identifyingAttribute`
+ and `scopeAttribute` are considered.
+
 Examples
 --------
 
diff --git a/modules/core/lib/Auth/Process/PairwiseID.php b/modules/core/lib/Auth/Process/PairwiseID.php
index caf281e9c2a6003dd5768e76c70ebefdfad563f9..b404491f674729630e64d1cfc563b9146cf122fc 100644
--- a/modules/core/lib/Auth/Process/PairwiseID.php
+++ b/modules/core/lib/Auth/Process/PairwiseID.php
@@ -20,6 +20,9 @@ use SimpleSAML\Utils;
  * This is generated from the attribute configured in 'identifyingAttribute' in the
  * authproc-configuration.
  *
+ * NOTE: since the subject-id is specified as single-value attribute, only the first value of `identifyingAttribute`
+ *       and `scopeAttribute` are considered.
+ *
  * Example - generate from attribute:
  * <code>
  * 'authproc' => [
diff --git a/modules/core/lib/Auth/Process/SubjectID.php b/modules/core/lib/Auth/Process/SubjectID.php
index 45233a09626e1d130da091f9d201504660d619ee..5bd3b1cca3780acb50bc585479956f4546bd1461 100644
--- a/modules/core/lib/Auth/Process/SubjectID.php
+++ b/modules/core/lib/Auth/Process/SubjectID.php
@@ -21,6 +21,9 @@ use SimpleSAML\Logger;
  * This is generated from the attribute configured in 'identifyingAttribute' in the
  * authproc-configuration.
  *
+ * NOTE: since the subject-id is specified as single-value attribute, only the first value of `identifyingAttribute`
+ *       and `scopeAttribute` are considered.
+ *
  * Example - generate from attribute:
  * <code>
  * 'authproc' => [
@@ -167,6 +170,13 @@ class SubjectID extends Auth\ProcessingFilter
 
         $scope = $state['Attributes'][$this->scopeAttribute][0];
         Assert::stringNotEmpty($scope, 'core' . static::NAME . ': \'scopeAttribute\' cannot be an empty string.');
+
+        // If the value is scoped, extract the scope from it
+        if (strpos($scope, '@') !== false) {
+            $scope = explode('@', $scope, 2);
+            $scope = $scope[1];
+        }
+
         Assert::regex(
             $scope,
             self::SCOPE_PATTERN,
diff --git a/tests/modules/core/lib/Auth/Process/PairwiseIDTest.php b/tests/modules/core/lib/Auth/Process/PairwiseIDTest.php
index 0ba2919417cf4cd591ff8b9f83f17e2bcaa23a48..daa32fc4b3fcbdaabfe509f0bec4abf0f40a6f0e 100644
--- a/tests/modules/core/lib/Auth/Process/PairwiseIDTest.php
+++ b/tests/modules/core/lib/Auth/Process/PairwiseIDTest.php
@@ -97,6 +97,30 @@ class PairwiseIDTest extends TestCase
     }
 
 
+    /**
+     * Test the most basic functionality, but with a scoped scope-attribute
+     */
+    public function testBasicScopedScope(): void
+    {
+        $config = ['identifyingAttribute' => 'uid', 'scopeAttribute' => 'scope'];
+        $request = [
+            'Attributes' => ['uid' => ['u=se-r2'], 'scope' => ['u=se-r2@ex-ample.org']],
+            'core:SP' => 'urn:sp',
+        ];
+        $result = self::processFilter($config, $request);
+        $attributes = $result['Attributes'];
+        $this->assertArrayHasKey(Constants::ATTR_PAIRWISE_ID, $attributes);
+        $this->assertMatchesRegularExpression(
+            PairwiseID::SPEC_PATTERN,
+            $attributes[Constants::ATTR_PAIRWISE_ID][0]
+        );
+        $this->assertEquals(
+            '53d4f7fe57fb597ada481e81e0f15048bc610774cbb5614ea38f08ea918ba199@ex-ample.org',
+            $attributes[Constants::ATTR_PAIRWISE_ID][0]
+        );
+    }
+
+
     /**
      * Test the most basic functionality on proxied request
      */
diff --git a/tests/modules/core/lib/Auth/Process/SubjectIDTest.php b/tests/modules/core/lib/Auth/Process/SubjectIDTest.php
index 62769234d756b7cbcf6d57d69b2693b4d80b68ff..f090ffcc2f31578411c9614df17b206e627cdc7c 100644
--- a/tests/modules/core/lib/Auth/Process/SubjectIDTest.php
+++ b/tests/modules/core/lib/Auth/Process/SubjectIDTest.php
@@ -81,6 +81,26 @@ class SubjectIDTest extends TestCase
     }
 
 
+    /**
+     * Test the most basic functionality, but with a scoped scope-attribute
+     */
+    public function testScopedScope(): void
+    {
+        $config = ['identifyingAttribute' => 'uid', 'scopeAttribute' => 'scope'];
+        $request = [
+            'Attributes' => ['uid' => ['u=se-r2'], 'scope' => ['u=se-r2@ex-ample.org']],
+        ];
+        $result = self::processFilter($config, $request);
+        $attributes = $result['Attributes'];
+        $this->assertArrayHasKey(Constants::ATTR_SUBJECT_ID, $attributes);
+        $this->assertMatchesRegularExpression(
+            SubjectID::SPEC_PATTERN,
+            $attributes[Constants::ATTR_SUBJECT_ID][0]
+        );
+        $this->assertEquals('u=se-r2@ex-ample.org', $attributes[Constants::ATTR_SUBJECT_ID][0]);
+    }
+
+
     /**
      * Test that illegal characters in userID throws an exception.
      */