When attribute has multiple @, split on the first one.

eduPerson recommends: 'Multiple "@" signs are not recommended, but in any case,
the first occurrence of the "@" sign starting from the left is to be taken as
the delimiter between components. Thus, user identifier is to the left,
security domain to the right of the first "@".'

Closes #236

modules/core/lib/Auth/Process/ScopeFromAttribute.php

@@ -81,10 +81,9 @@ class ScopeFromAttribute extends Auth\ProcessingFilter
 
         $sourceAttrVal = $attributes[$this->sourceAttribute][0];
 
-        /* the last position of an @ is usually the beginning of the
-         * scope string
-         */
-        $scopeIndex = strrpos($sourceAttrVal, '@');
+        /* Treat the first @ as usually the beginning of the scope
+         * string, as per eduPerson recommendation. */
+        $scopeIndex = strpos($sourceAttrVal, '@');
 
         if ($scopeIndex !== false) {
             $attributes[$this->targetAttribute] = [];

tests/modules/core/lib/Auth/Process/ScopeFromAttributeTest.php

@@ -93,8 +93,7 @@ class ScopeFromAttributeTest extends TestCase
 
 
     /**
-     * When multiple @ signs in attribute, should use last one.
-     * @return void
+     * When multiple @ signs in attribute, should use first one.
      */
     public function testMultiAt(): void
     {
@@ -109,7 +108,7 @@ class ScopeFromAttributeTest extends TestCase
         ];
         $result = self::processFilter($config, $request);
         $attributes = $result['Attributes'];
-        $this->assertEquals($attributes['scope'], ['example.com']);
+        $this->assertEquals($attributes['scope'], ['doe@example.com']);
     }