The <AccessControl> element is the root of an XML-based access control policy that prevents access to a resource unless the user's session satisfies the policy. It's a simple, boolean-capable language provided as an example of how to implement an access control plugin.
    <AccessControl>
        <AND>
            <Rule require="affiliation">faculty@osu.edu student@osu.edu</Rule>
            <NOT>
                <Rule require="user">cantor.2@osu.edu</Rule>
            </NOT>
            <OR>
                <Rule require="authnContextClassRef">urn:oasis:names:tc:SAML:2.0:ac:classes:Password</Rule>
                <Rule require="authnContextClassRef">urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken</Rule>
            </OR>
        </AND>
    </AccessControl>
The example above would enforce a policy that allows only Ohio State faculty or students, other than a single blacklisted person, if they have authenticated with a password or a time-synchronized token.
If you are using the AccessControl element in an external file outside of shibboleth2.xml, you may have to add the "type" attribute shown below.
    <AccessControl type="edu.internet2.middleware.shibboleth.sp.provider.XMLAccessControl">
Any one (and only one) of the following elements can appear:
<Rule>
<RuleRegex>
<OR>
<AND>
<NOT>
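To make the boolean semantics of the example policy and the five child elements concrete, here is a small evaluator written for this page; it is not the Shibboleth SP's own XMLAccessControl implementation. It assumes the session is a plain mapping from attribute name (affiliation, user, authnContextClassRef) to a list of string values, that a Rule matches when any of its whitespace-separated values equals any session value for the named attribute, and that a RuleRegex matches when its pattern fully matches any session value. The empty-container handling (an AND, OR or NOT with no children is rejected rather than silently allowed) is a fail-closed choice of this example, not a documented behaviour of the plugin.

```python
import re
import xml.etree.ElementTree as ET

# The page's own example policy, embedded here as constructed input.
POLICY_XML = """
<AccessControl>
  <AND>
    <Rule require="affiliation">faculty@osu.edu student@osu.edu</Rule>
    <NOT>
      <Rule require="user">cantor.2@osu.edu</Rule>
    </NOT>
    <OR>
      <Rule require="authnContextClassRef">urn:oasis:names:tc:SAML:2.0:ac:classes:Password</Rule>
      <Rule require="authnContextClassRef">urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken</Rule>
    </OR>
  </AND>
</AccessControl>
"""

PASSWORD = "urn:oasis:names:tc:SAML:2.0:ac:classes:Password"
TIME_SYNC_TOKEN = "urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken"
UNSPECIFIED = "urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified"

# Constructed sessions (hypothetical users, not real identities).
FACULTY_WITH_PASSWORD = {
    "affiliation": ["faculty@osu.edu"],
    "user": ["smith.1@osu.edu"],
    "authnContextClassRef": [PASSWORD],
}
BLACKLISTED_WITH_TOKEN = {
    "affiliation": ["faculty@osu.edu"],
    "user": ["cantor.2@osu.edu"],
    "authnContextClassRef": [TIME_SYNC_TOKEN],
}
STUDENT_WEAK_AUTHN = {
    "affiliation": ["student@osu.edu"],
    "user": ["jones.7@osu.edu"],
    "authnContextClassRef": [UNSPECIFIED],
}
NO_AFFILIATION = {
    "user": ["jones.7@osu.edu"],
    "authnContextClassRef": [PASSWORD],
}


def _single_child(node):
    """Return the one child of a container that must have exactly one (fail closed otherwise)."""
    children = list(node)
    if len(children) != 1:
        raise ValueError(f"<{node.tag}> must contain exactly one child element")
    return children[0]


def evaluate(node, session):
    """Evaluate one policy element against a session mapping (assumed semantics, see lead-in)."""
    tag = node.tag
    if tag == "AccessControl":
        # Any "type" attribute on the root is ignored here; it only selects the plugin.
        return evaluate(_single_child(node), session)
    if tag == "Rule":
        wanted = (node.text or "").split()
        have = session.get(node.get("require"), [])
        return any(value in wanted for value in have)
    if tag == "RuleRegex":
        pattern = re.compile((node.text or "").strip())
        have = session.get(node.get("require"), [])
        return any(pattern.fullmatch(value) for value in have)
    if tag in ("AND", "OR"):
        children = list(node)
        if not children:
            raise ValueError(f"<{tag}> must contain at least one child element")
        combine = all if tag == "AND" else any
        # Evaluate every child so a malformed branch raises instead of being short-circuited away.
        results = [evaluate(child, session) for child in children]
        return combine(results)
    if tag == "NOT":
        return not evaluate(_single_child(node), session)
    raise ValueError(f"unsupported element <{tag}>")


def is_allowed(policy_xml, session):
    """Parse a policy document and decide whether the session satisfies it."""
    return evaluate(ET.fromstring(policy_xml), session)


if __name__ == "__main__":
    for name, session in [("faculty+password", FACULTY_WITH_PASSWORD),
                          ("blacklisted+token", BLACKLISTED_WITH_TOKEN),
                          ("student+unspecified", STUDENT_WEAK_AUTHN),
                          ("no affiliation", NO_AFFILIATION)]:
        print(f"{name}: {'allow' if is_allowed(POLICY_XML, session) else 'deny'}")
```

Running the script prints allow for the faculty member authenticated with a password and deny for the other three sessions: the blacklisted user is excluded by the NOT, the student fails the OR on authentication context, and a session with no affiliation attribute cannot satisfy the first Rule at all. A RuleRegex such as `<RuleRegex require="affiliation">.*@osu\.edu</RuleRegex>` is evaluated the same way with a full-match regex instead of a value list.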