The IdP includes a number of administrative functions, and a simple access control facility has been provided to limit access without requiring additional web server configuration. While Apache is typically pretty simple to use for this purpose, Java containers tend to be much less simple to configure in this manner and many if not most deployments don't use Apache.
This facility supports the creation of named policies that implement particular access control rules, so that the policies can be shared and attached by name to particular services. The original policy implementation supplied relies on IP range controls. An adapter is also provided allowing arbitrary Predicate conditions to be applied, including scripts or Spring Expressions.
As a reloadable service, you can modify named policies at runtime and as long as the policy names don't change, the rule changes will take effect without restarting the IdP.
Creating and Applying Rules
The access-control.xml file contains a bean called shibboleth.AccessControlPolicies that is a map of policy names to beans implementing particular access control strategies. You can follow the example provided to alter the existing policy or create your own.
The policies defined here are primarily applied to administrative functions via the conf/admin.xml file.
Each use case for the API defines its own notion of operation and resource to fit its requirements, and an implementation of the API has to understand that notion to be useful, or be generic enough to ignore them (e.g. a rule based on IP address).
Beans defined in access-control.xml and related system files follow: