Identified by type="Bearer", this rule allows a SAML 2.0 assertion with the "bearer" subject confirmation method to be accepted when possible. Normally not used explicitly, this rule is applied automatically to any policy running inside an AssertionConsumerService that implements SAML 2.0 profiles that make use of this confirmation type.
Attributes

| Name | Type | Default | Description |
|---|---|---|---|
| checkValidity | boolean | true | When true, the enclosed `<SubjectConfirmationData>` element must include a NotOnOrAfter attribute, and both it and the optional NotBefore attribute are checked for validity. |
| checkRecipient | boolean | true | When true, and the URL to which the assertion was submitted is available, the `<SubjectConfirmationData>` element's Recipient attribute is checked against that value. If no attribute is present, this setting has no effect. |
| checkCorrelation | boolean | false | Enables request/response correlation checking based on use of a cookie to track request IDs, subsequently recovered to compare to the InResponseTo attribute in the `<SubjectConfirmationData>` element. This setting previously defaulted to "true" but had no effect because there was no supporting request tracking implementation. This is now implemented, but the default has been reversed for compatibility with existing behavior. |
| blockUnsolicited (3.1) | boolean | false | Enables the checkCorrelation option and adds rejection of any message with an empty InResponseTo attribute. |
Example

```xml
<PolicyRule type="Bearer" blockUnsolicited="true" />
```
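To make the four attributes concrete, the following is an added example (written for this page, not Shibboleth SP code) that models what a Bearer rule checks on a `<SubjectConfirmationData>` element: NotOnOrAfter/NotBefore validity, the Recipient match against the URL the assertion was submitted to, and InResponseTo correlation against a request ID recovered from the SP's tracking cookie. The `BearerRule` class, the `evaluate` method, the `build_assertion` helper and all sample values (issuer, recipient URL, request IDs, timestamps) are assumptions constructed here; the real implementation's API differs.

```python
"""Added example: the subject confirmation checks a Bearer policy rule performs.

Illustrative code written for this page, not Shibboleth SP code. It models the
four documented attributes (checkValidity, checkRecipient, checkCorrelation,
blockUnsolicited) over a constructed SAML 2.0 assertion.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
NS = {"saml": SAML_NS}


def _parse_time(value):
    # SAML timestamps are xs:dateTime in UTC with a trailing "Z";
    # fromisoformat needs "+00:00" on Python versions before 3.11.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


@dataclass
class BearerRule:
    # Defaults mirror the attribute table above.
    checkValidity: bool = True
    checkRecipient: bool = True
    checkCorrelation: bool = False
    blockUnsolicited: bool = False

    def evaluate(self, assertion_xml, recipient_url=None, tracked_request_id=None, now=None):
        """Return (accepted, reason) for the first acceptable bearer confirmation.

        recipient_url: URL the assertion was submitted to (None if unavailable).
        tracked_request_id: request ID recovered from the correlation cookie, or None.
        """
        now = now or datetime.now(timezone.utc)
        root = ET.fromstring(assertion_xml)
        # blockUnsolicited enables correlation checking as well.
        correlate = self.checkCorrelation or self.blockUnsolicited
        reason = "no bearer SubjectConfirmation present"

        for sc in root.findall("saml:Subject/saml:SubjectConfirmation", NS):
            if sc.get("Method") != BEARER:
                continue
            scd = sc.find("saml:SubjectConfirmationData", NS)
            attrs = dict(scd.attrib) if scd is not None else {}

            if self.checkValidity:
                if "NotOnOrAfter" not in attrs:
                    reason = "NotOnOrAfter missing"
                    continue
                if now >= _parse_time(attrs["NotOnOrAfter"]):
                    reason = "assertion expired (NotOnOrAfter)"
                    continue
                if "NotBefore" in attrs and now < _parse_time(attrs["NotBefore"]):
                    reason = "assertion not yet valid (NotBefore)"
                    continue

            # Recipient is only checked when both the URL and the attribute exist.
            if self.checkRecipient and recipient_url is not None and "Recipient" in attrs:
                if attrs["Recipient"] != recipient_url:
                    reason = "Recipient does not match submission URL"
                    continue

            if correlate:
                in_response_to = attrs.get("InResponseTo", "")
                if not in_response_to:
                    if self.blockUnsolicited:
                        reason = "unsolicited response rejected (empty InResponseTo)"
                        continue
                elif in_response_to != tracked_request_id:
                    reason = "InResponseTo does not match tracked request ID"
                    continue

            return True, "bearer confirmation accepted"
        return False, reason


def build_assertion(**scd_attrs):
    """Construct a minimal assertion with one bearer confirmation (sample data, constructed here)."""
    attr_str = " ".join(f'{k}="{v}"' for k, v in scd_attrs.items())
    return f"""<saml:Assertion xmlns:saml="{SAML_NS}" ID="_constructed-assertion" Version="2.0"
    IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.org/idp</saml:Issuer>
  <saml:Subject>
    <saml:NameID>user@example.org</saml:NameID>
    <saml:SubjectConfirmation Method="{BEARER}">
      <saml:SubjectConfirmationData {attr_str}/>
    </saml:SubjectConfirmation>
  </saml:Subject>
</saml:Assertion>"""


if __name__ == "__main__":
    now = datetime(2024, 1, 1, 0, 5, tzinfo=timezone.utc)
    acs = "https://sp.example.org/Shibboleth.sso/SAML2/POST"
    solicited = build_assertion(NotOnOrAfter="2024-01-01T00:10:00Z", Recipient=acs, InResponseTo="_req1")
    unsolicited = build_assertion(NotOnOrAfter="2024-01-01T00:10:00Z", Recipient=acs)
    print(BearerRule().evaluate(solicited, recipient_url=acs, now=now))
    print(BearerRule(blockUnsolicited=True).evaluate(unsolicited, recipient_url=acs, now=now))
```

The design point worth noticing is the interaction between the options: with the defaults, an assertion carrying no InResponseTo passes, which is the compatibility behavior the table describes; setting blockUnsolicited turns on correlation and additionally rejects the empty case, so an SP that never initiates IdP-first flows can refuse unsolicited responses outright.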
...