Overview

The IdP includes a number of administrative functions, and a simple access control facility has been provided to limit access without requiring additional web server configuration. While Apache is typically pretty simple to use for this purpose, Java containers tend to be much less simple to configure in this manner and many if not most deployments don't use Apache.

This facility supports the creation of named policies that implement particular access control rules, so that the policies can be shared and attached by name to particular services. The original policy implementation supplied relies on IP range controls. V3.3 introduces an adapter allowing use of arbitrary Predicate conditions to be applied, including scripts or Spring Expressions.

As a reloadable service, you can modify named policies at runtime and as long as the policy names don't change, the rule changes will take effect without restarting the IdP.

Creating and Applying Rules

The access-control.xml file contains a bean called shibboleth.AccessControlPolicies that is a map of policy names to beans implementing particular access control strategies. You can follow the example provided to alter the existing policy or create your own.

As of V3.3, the policies defined here are primarily applied to administrative functions via the admin.xml file.

The AccessControl API is implemented based on three inputs:

a ServletRequest performing
an operation over
a resource

Each use case for the API defines its own notion of operation and resource to fit its requirements, and an implementation of the API has to understand that notion to be useful, or be generic enough to ignore them (e.g. a rule based on IP address).

Reference

Beans

Beans defined in access-control.xml and related system files follow:

Bean ID	Type	Function
shibboleth.AccessControlPolicies	Map<String,AccessControl>	Map of policy names to access control objects/rules
shibboleth.IPRangeAccessControl	IPRangeAccessControl	Parent bean for creating IP range checking access control rules
shibboleth.PredicateAccessControl ^3.3	PredicateAccessControl	Parent bean for creating Predicate-based access control rules

V2 Compatibility

The only comparable V2 feature was to put acceptable IP ranges for the status handler directly into web.xml. This feature replaces that approach.

Notes

TBD

Browser not supported