The <PolicyRule>
element configures a plugin used to enforce a security policy requirement or to provide for a particular kind of authentication technology.
In versions prior to 2.2, this element was named |
During message processing, at least one rule must successfully authenticate a message or it will be rejected.
type
(string)
Identified by type="MessageFlow"
, this rule enforces replay detection and freshness requirements to prevent replay attacks.
<PolicyRule type="MessageFlow" checkReplay="true" expires="60"/> |
checkReplay
(boolean) (defaults to true)
expires
(time in seconds)
Identified by type="ClientCertAuth"
, enables TLS/SSL client certificate authentication for back-channel SOAP communication to the SP.
<PolicyRule type="ClientCertAuth" errorFatal="true"/> |
errorFatal
(boolean) (defaults to false)
Identified by type="XMLSigning"
, enables XML signature authentication of messages and assertions.
<PolicyRule type="XMLSigning" errorFatal="true"/> |
errorFatal
(boolean) (defaults to false)
Identified by type="SimpleSigning"
, enables "simple" signature authentication of messages. A simple signature is a bulk signature over the raw content of a message, rather than embedded inside the message.
<PolicyRule type="SimpleSigning" errorFatal="true"/> |
errorFatal
(boolean) (defaults to false)
Identified by type="Conditions"
, processes SAML 1.x and 2.0 "condition" elements found in assertions, which control the circumstances under which they may be accepted by the SP for use. In the absence of this rule, any conditions found will result in rejection of an assertion.
This rule also enforces the NotBefore
and NotOnOrAfter
attributes accompanying the assertion, if any.
If no child elements are supplied, the plugin will install itself with a default set of rules equivalent to the following:
<PolicyRule type="Conditions" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"> <PolicyRule type="Audience"/> <PolicyRule type="Ignore">saml:DoNotCacheCondition</PolicyRule> <PolicyRule type="Ignore">saml2:OneTimeUse</PolicyRule> <PolicyRule type="Ignore">saml2:ProxyRestriction</PolicyRule> </PolicyRule> |
<PolicyRule>
(zero or more)
Identified by type="Audience"
, processes SAML 1.x and 2.0 "AudienceRestriction" conditions. The set of allowed "audience" values are normally supplied within the rule configuration or can be supplied by unspecified means (e.g., the SP will normally ensure that its own entityID is an allowable value without special setup).
<PolicyRule type="Audience"/> |
<saml:Audience>
(zero or more)
<ApplicationDefaults>
or <ApplicationOverride>
element. Rarely required during normal use.Identified by type="Delegation"
, processes SAML 2.0 "DelegationRestriction" conditions. A rule can either generically permit delegation, or require specific delegates with a variety of matching options.
<PolicyRule type="Delegation" match="oldest" xmlns:del="urn:oasis:names:tc:SAML:2.0:conditions:delegation" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"> <del:Delegate> <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://portal.example.org/shibboleth</saml:NameID> </del:Delegate> <del:Delegate ConfirmationMethod="urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"> <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://portal2.example.org/shibboleth</saml:NameID> </del:Delegate> <del:Delegate> <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://portal3.example.org/shibboleth</saml:NameID> </del:Delegate> </PolicyRule> |
match
(optional, one of "anyOrder", "oldest", "newest") (defaults to "anyOrder")
maxTimeSinceDelegation
(optional) (time in seconds)
<del:Delegate>
(zero or more)
match
attribute. If none are included, any delegates found in the assertion will be accepted. Only delegates identified with <saml:NameID>
elements are supported. An optional ConfirmationMethod
attribute can be included, and if present, the same value must be found in the <del:Delegate>
element in an assertion for a match to take place.Identified by type="Ignore"
, signals to a containing Conditions
rule (see above) that a condition has been understood and should not affect the processing of an assertion. Many condition types do not affect validity per se, but all SAML conditions require explicit acknowledgement and acceptance of their semantics.
The content of this element is an XML QName identifying the XML element or schema type of a SAML condition to ignore and treat as successfully processed.
<PolicyRule type="Ignore" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">saml2:ProxyRestriction</PolicyRule> |
Identified by type="SAML1BrowserSSO"
, enforces the general assertion requirements of the SAML 1.x Browser SSO profile. Normally not used explicitly, this rule is applied automatically to any policy running inside an AssertionConsumerService that implements the profile.
Identified by type="Bearer"
, allows a SAML 2.0 assertion with the "bearer" subject confirmation method to be accepted when possible. Normally not used explicitly, this rule is applied automatically to any policy running inside an AssertionConsumerService that implements SAML 2.0 profiles that make use of this confirmation type.
checkValidity
(boolean) (defaults to true)
<SubjectConfirmationData>
element must include a NotOnOrAfter
attribute, and both it and the optional NotBefore
attribute are checked for validity.checkRecipient
(boolean) (defaults to true)
<SubjectConfirmationData>
element's Recipient
attribute is checked against that value. If no attribute is present, this setting has no affect.checkCorrelation
(boolean) (defaults to true)
<SubjectConfirmationData>
element's InResponseTo
attribute is checked against that value. If no attribute is present, this setting has no affect.missingFatal
(boolean) (defaults to true)
<SubjectConfirmation>
element is treated as a fatal error. Otherwise, the rule signals nothing was found but does not fail. Can be set to allow for stacking of rules based on multiple confirmation methods.Identified by type="NullSecurity"
, enables debugging by disabling security and permitting unauthenticated messages to pass successfully into higher layers.
<PolicyRule type="NullSecurity"/> |
Do NOT use this rule in production, as it will leave your system vulnerable to attackers. |