Versions Compared


  • This line was added.
  • This line was removed.
  • Formatting was changed.


The last line essentially delegates the rules for disabling insecure algorithms to the software's defaults, allowing us to change them easily. The example dates to before V3.2, which has deprecated and renamed that element.

Code Block
<SecurityPolicies xmlns="urn:mace:shibboleth:3.0:native:sp:config">

    <!-- Each policy defines a set of rules to use to secure messages. -->

    The predefined policy enforces replay/freshness, standard
    condition processing, and permits signing and client TLS.
    <Policy id="default" validate="false">
        <PolicyRule type="MessageFlow" checkReplay="true" expires="60"/>
        <PolicyRule type="Conditions">
            <PolicyRule type="Audience"/>
            <!-- Enable Delegation rule to permit delegated access. -->
            <!-- <PolicyRule type="Delegation"/> -->
        <PolicyRule type="ClientCertAuth" errorFatal="true"/>
        <PolicyRule type="XMLSigning" errorFatal="true"/>
        <PolicyRule type="SimpleSigning" errorFatal="true"/>

    This policy is a place-holder for use of assertions in metadata
    as a way of attaching signed information about particular IdPs.
    <Policy id="entity-attributes">
        <PolicyRule type="Conditions"/>
        <PolicyRule type="XMLSigning" errorFatal="true"/>
    <!-- Disables known weak algorithms. -->
    <AlgorithmBlacklist includeDefaultBlacklist="true"/>