AccessControl, or Authorization, is technically outside the scope of the Shibboleth ServiceProvider software. It is sometimes considered to be a function of a ResourceManager, a component that intercepts requests for resources and decides whether to accept them or not. Often an application acts as its own ResourceManager by examining user attributes while processing requests. Most web servers provide an API for extending them with additional ResourceManager components (Shibboleth itself is implemented with such an API).

The SP software includes a limited ResourceManager component that supports the following features:

• Requiring an authenticated session (known to Shibboleth) based on the URL of a resource
• A plugin API (IAccessControl) for attaching AccessControl modules via the RequestMap facility, plus an XML-flavored sample
• Integration with native web server access control features using the plugin API (Apache only)

The first bullet is not really an AccessControl feature; it simply allows a declarative requirement for authentication based on the URL via the RequestMap facility. Note that the Apache commands supported (e.g. ShibRequireSession) are implemented as an extended RequestMap plugin that permits these settings to be declared either in the Apache configuration, .htaccess files, or ShibbolethXml.

The IAccessControl plugin API is the primary means of implementing AccessControl within Shibboleth itself. There are 2 implementations of the interface supplied with the source code:

• HtAccessControl
• XMLAccessControl

Others might of course be available in the future, possible from independent sources.