The Shibboleth IdP V4 software will leave support on September 1, 2024.

AccessControlConfiguration

Current File(s): conf/access-control.xml
Format: Native Spring

Overview

The IdP includes a number of administrative functions, and a simple access control facility has been provided to limit access without requiring additional web server configuration. While Apache is typically pretty simple to use for this purpose, Java containers tend to be much less simple to configure in this manner and many if not most deployments don't use Apache.

This facility supports the creation of named policies that implement particular access control rules, so that the policies can be shared and attached by name to particular services. The original policy implementation supplied relies on IP range controls. An adapter is also provided allowing arbitrary Predicate conditions to be applied, including scripts or Spring Expressions.

As a reloadable service, you can modify named policies at runtime and as long as the policy names don't change, the rule changes will take effect without restarting the IdP.

Creating and Applying Rules

The access-control.xml file contains a bean called shibboleth.AccessControlPolicies that is a map of policy names to beans implementing particular access control strategies. You can follow the example provided to alter the existing policy or create your own.

The policies defined here are primarily applied to administrative functions via the conf/admin.xml file.

The AccessControl API is implemented based on three inputs:

  • a ServletRequest performing

  • an operation over

  • a resource

Each use case for the API defines its own notion of operation and resource to fit its requirements, and an implementation of the API has to understand that notion to be useful, or be generic enough to ignore them (e.g. a rule based on IP address).

Reference

Beans defined in access-control.xml and related system files follow:

Bean ID

Type

Description

Bean ID

Type

Description

shibboleth.AccessControlPolicies

Map<String,AccessControl>

Map of policy names to access control objects/rules

shibboleth.IPRangeAccessControl

IPRangeAccessControl

Parent bean for creating IP range checking access control rules

shibboleth.PredicateAccessControl

PredicateAccessControl

Parent bean for creating Predicate-based access control rules