The Shibboleth IdP V4 software will leave support on September 1, 2024.


Current File(s): conf/access-control.xml
Format: Native Spring


The IdP includes a number of administrative functions, and a simple access control facility has been provided to limit access without requiring additional web server configuration. While Apache is typically pretty simple to use for this purpose, Java containers tend to be much less simple to configure in this manner and many if not most deployments don't use Apache.

This facility supports the creation of named policies that implement particular access control rules, so that the policies can be shared and attached by name to particular services. The original policy implementation supplied relies on IP range controls. An adapter is also provided allowing arbitrary Predicate conditions to be applied, including scripts or Spring Expressions.

As a reloadable service, you can modify named policies at runtime and as long as the policy names don't change, the rule changes will take effect without restarting the IdP.

Creating and Applying Rules

The access-control.xml file contains a bean called shibboleth.AccessControlPolicies that is a map of policy names to beans implementing particular access control strategies. You can follow the example provided to alter the existing policy or create your own.

The policies defined here are primarily applied to administrative functions via the conf/admin.xml file.

The AccessControl API is implemented based on three inputs:

  • a ServletRequest performing

  • an operation over

  • a resource

Each use case for the API defines its own notion of operation and resource to fit its requirements, and an implementation of the API has to understand that notion to be useful, or be generic enough to ignore them (e.g. a rule based on IP address).


Beans defined in access-control.xml and related system files follow:

Bean ID



Bean ID





Map of policy names to access control objects/rules



Parent bean for creating IP range checking access control rules



Parent bean for creating Predicate-based access control rules