...
Name | Cardinality | Description |
|---|---|---|
<Rule> | A single access rule to enforce. | |
<RuleRegex> | A single regular expression access rule to enforce. | |
| <OR> | Exactly one | An operator for combining any number of rules or operators with a disjunction. |
| <AND> | An operator for combining any number of rules or operators with a conjunction. | |
| <NOT> | An operator for reversing the meaning of a single rule or operator. |
Example
The basic example below would enforce a policy that the user logged in and supplied a SAML authn context class for a hardware token:
| Code Block | ||
|---|---|---|
| ||
<!-- Inside surrounding RequestMap... -->
<Path name="secure">
<AccessControl>
<Rule require="authnContextClassRef">urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken</Rule>
</AccessControl>
</Path> |
The more complex example below would enforce a policy that allows only Ohio State faculty or students, other than a single blacklisted person, if they have authenticated with a password or a time-synchronized token.
...