The <AccessControl>
element is the root of an XML-based access control policy that prevents access to a resource unless the user's session satisfies the policy. It's a simple, boolean-capable language provided as an example of how to implement an access control plugin.
Code Block | ||||
---|---|---|---|---|
| ||||
<AccessControl>
<AND>
<Rule require="affiliation">faculty@osu.edu student@osu.edu</Rule>
<NOT>
<Rule require="user">cantor.2@osu.edu</Rule>
</NOT>
<OR>
<Rule require="authnContextClassRef">urn:oasis:names:tc:SAML:2.0:ac:classes:Password</Rule>
<Rule require="authnContextClassRef">urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken</Rule>
</OR>
</AND>
</AccessControl>
|
The example above would enforce a policy that allows only Ohio State faculty or students, other than a single blacklisted person, if they have authenticated with a password or a time-synchronized token.
Note | |||||||
---|---|---|---|---|---|---|---|
If you are using the AccessControl element in an external file outside of shibboleth2.xml, you may have to add the "type" attribute shown below.
|
Child Elements
Any one (and only one) of the following elements can appear:
...