...

  • operator (string) (defaults to "AND")
    • Must be set to either "AND" or "OR". This controls how the rules embedded in the element are evaluated. If set to "AND", the first rule to return a non-true result ends the evaluation. If set to "OR", the first rule to return a true result ends the evaluation.

Child Elements

  • <TimeSinceAuthn> (zero or more) (ISO 8601 duration, e.g., "PT1H" = 1 hour)
    • The content of this element is a duration value, and the rule evaluates to "true" iff the time between now and the time of authentication for a session does not exceed the duration.

For the remainder of the rules supported, one of a set of relational operators must be supplied, followed by a value to test, separated by whitespace. The operators supported are LT, LE, EQ, GE, and GT, representing "less than", "less than or equal", etc.

  • <Time> (zero or more) (operator followed by ISO 8601 time string)
    • Performs an absolute comparison between the present time and the time specified in the rule using the supplied operator. For example, "LE 2012-05-24T10:00:00Z" means "less than or equal to May 24, 2012 at 10:00AM UTC time". Time values can be specified in local or UTC time in standard ISO 8601 fashion.
  • <Year>, <Month>, <Day>, <Hour>, <Minute>, <Second>, <DayOfWeek> (zero or more) (operator followed by numeric value)
    • Performs a comparison between a particular portion of the current time and the value specified in the rule using the supplied operator. Months are numbered from 1-12, hours from 0-23, and days of the week from 0-6 (Sunday being 0).
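The rule semantics described above can be modelled offline to check a policy before it is deployed. The following Python sketch is an added example, not code from the software this page documents; the wrapper element name `<Policy>`, the function names, and the handling of zone-less time values as UTC are assumptions made for illustration.

```python
import operator as op
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

OPS = {"LT": op.lt, "LE": op.le, "EQ": op.eq, "GE": op.ge, "GT": op.gt}
# DayOfWeek is 0-6 with Sunday = 0; isoweekday() returns Sunday = 7, hence % 7.
FIELDS = {
    "Year": lambda t: t.year, "Month": lambda t: t.month, "Day": lambda t: t.day,
    "Hour": lambda t: t.hour, "Minute": lambda t: t.minute, "Second": lambda t: t.second,
    "DayOfWeek": lambda t: t.isoweekday() % 7,
}
DURATION = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")

def parse_duration(text):
    """Parse the day/hour/minute/second subset of ISO 8601 durations (e.g. PT1H)."""
    m = DURATION.match(text.strip())
    if not m or not any(m.groups()):
        raise ValueError(f"unsupported duration: {text!r}")
    d, h, mi, s = (int(g or 0) for g in m.groups())
    return timedelta(days=d, hours=h, minutes=mi, seconds=s)

def eval_rule(rule, now, authn_time):
    text = rule.text.strip()
    if rule.tag == "TimeSinceAuthn":  # true iff elapsed time does not exceed the duration
        return now - authn_time <= parse_duration(text)
    oper, value = text.split()  # relational operator, whitespace, value
    if rule.tag == "Time":
        when = datetime.fromisoformat(value.replace("Z", "+00:00"))
        if when.tzinfo is None:  # assumption: zone-less values are treated as UTC here
            when = when.replace(tzinfo=timezone.utc)
        return OPS[oper](now, when)
    return OPS[oper](FIELDS[rule.tag](now), int(value))

def evaluate(xml_text, now, authn_time):
    """AND ends at the first non-true rule, OR at the first true rule."""
    root = ET.fromstring(xml_text)
    mode = root.get("operator", "AND")
    if mode not in ("AND", "OR"):
        raise ValueError(f"operator must be AND or OR, got {mode!r}")
    for rule in root:
        if eval_rule(rule, now, authn_time) == (mode == "OR"):
            return mode == "OR"
    return mode == "AND"

# Constructed policy (<Policy> is a placeholder name): weekdays 09:00-16:59, authn within 1h.
POLICY = """<Policy operator="AND">
  <TimeSinceAuthn>PT1H</TimeSinceAuthn>
  <DayOfWeek>GE 1</DayOfWeek><DayOfWeek>LE 5</DayOfWeek>
  <Hour>GE 9</Hour><Hour>LT 17</Hour>
</Policy>"""
```

Pass a timezone-aware `now` and `authn_time`; range limits such as "Hour 9 through 16" need two rules under "AND", since each rule carries a single operator.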

...