The Shibboleth V2 IdP and SP software have reached End of Life and are no longer supported. This documentation is available for historical purposes only. See the IDP v4 and SP v3 wiki spaces for current documentation on the supported versions.

NativeSPAccessControlProvider

The <AccessControlProvider> element configures a custom access control plugin that can be attached to content using the RequestMapper component.

Common Attributes

  • type (string)
    • Plugin type name.

XML AccessControl

Identified by type="XML", this is an example plugin that implements a simple access control language using XML. It supports combining rules with boolean operators.

The plugin is implemented as a reloadable resource, which means that the XML content can be supplied inline, in a local file, or a remote file, and can be monitored for changes and reloaded on the fly. The root of the XML instance MUST be an <AccessControl> element.

Attributes

Inherits attributes supported by reloadable resources.

Child Elements


Chaining AccessControl (Version 2.2 and Above)

Identified by type="Chaining", allows different types of plugins to run in combination.

Attributes

  • operator (string) (required)
    • Must be one of "AND" or "OR"; this controls how the child plugins are combined, and evaluation is short-circuit in both cases. With "AND", the first child plugin to return a non-true result ends the evaluation and the chain's result is false; later children are not consulted. With "OR", the first child plugin to return a true result ends the evaluation and the chain's result is true.

Child Elements

  • <AccessControlProvider> (one or more)
    • The plugins to chain together.

Time AccessControl (Version 2.5 and Above)

Identified by type="Time", supports time-based access control policies.

Simple boolean combinations are supported natively (all rules inside one element are combined with a single AND or OR), but more complex logic will usually require combining several Time plugins with the Chaining plugin.

Example limiting hours of operation to between 6:30AM and 5:00PM. Note the closing rule is "LT 17": "LE 17" would also match every minute of the 17:00 hour and keep the content open until 5:59PM, because the rule compares only the hour portion of the current time.
<AccessControlProvider type="Chaining" operator="AND">

    <AccessControlProvider type="Chaining" operator="OR">
        <AccessControlProvider type="Time">
            <Hour>GT 6</Hour>
        </AccessControlProvider>
        <AccessControlProvider type="Time">
            <Hour>EQ 6</Hour>
            <Minute>GE 30</Minute>
        </AccessControlProvider>
    </AccessControlProvider>

    <AccessControlProvider type="Time">
        <Hour>LT 17</Hour>
    </AccessControlProvider>

</AccessControlProvider>

Attributes

  • operator (string) (defaults to "AND")
    • Must be one of "AND" or "OR"; this controls how the rules embedded in the element are combined, and evaluation is short-circuit. With "AND", the first rule to return a non-true result ends the evaluation and the plugin's result is false. With "OR", the first rule to return a true result ends the evaluation and the plugin's result is true.

Child Elements

  • <TimeSinceAuthn> (zero or more) (ISO 8601 duration, e.g., "PT1H" = 1 hour)
    • The content of this element is a duration value, and the rule evaluates to "true" if and only if the time elapsed between the session's authentication and now does not exceed the duration. This can be used to restrict sensitive content to sessions with a recent authentication.

For the remainder of the rules supported, one of a set of relational operators must be supplied, followed by a value to test, separated by whitespace. The operators supported are LT, LE, EQ, GE, and GT, representing "less than", "less than or equal", etc.

  • <Time> (zero or more) (operator followed by ISO 8601 time string)
    • Performs an absolute comparison between the present time and the time specified in the rule using the supplied operator. For example, "LE 2012-05-24T10:00:00Z" means "less than or equal to May 24, 2012 at 10:00AM UTC time". Time values can be specified in local or UTC time in standard ISO 8601 fashion.
  • <Year>, <Month>, <Day>, <Hour>, <Minute>, <Second>, <DayOfWeek> (zero or more) (operator followed by numeric value)
    • Performs a comparison between a particular portion of the current time and the value specified in the rule using the supplied operator. Months are numbered from 1-12, hours from 0-23, and days of the week from 0-6 (Sunday being 0).
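As an added example (not code from this page or from the Shibboleth project), the following Python models the Chaining and Time evaluation rules described in the two preceding sections, so that a policy fragment can be evaluated against sample timestamps offline before it is deployed. The policy XML and timestamps are constructed for the example; treating zone-less timestamps as host local time, and parsing only the day/hour/minute/second subset of ISO 8601 durations, are assumptions of the example rather than documented SP behaviour.

```python
"""Reference evaluator for the Chaining and Time AccessControl semantics
documented above.  Added example, not Shibboleth SP code: it models the
documented rules so a policy can be checked against sample times offline.
The policy XML and timestamps below are constructed for the example."""
import operator
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

# Relational operators accepted in rule text, e.g. "GE 30".
OPS = {"LT": operator.lt, "LE": operator.le, "EQ": operator.eq,
       "GE": operator.ge, "GT": operator.gt}

# Portions of the current time, numbered as the page describes: months
# 1-12, hours 0-23, days of the week 0-6 with Sunday = 0.
FIELDS = {
    "Year": lambda t: t.year,
    "Month": lambda t: t.month,
    "Day": lambda t: t.day,
    "Hour": lambda t: t.hour,
    "Minute": lambda t: t.minute,
    "Second": lambda t: t.second,
    "DayOfWeek": lambda t: (t.weekday() + 1) % 7,  # Python counts Monday = 0
}

# Subset of ISO 8601 durations, PnDTnHnMnS (assumption: no year/month parts).
_DURATION = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")


def parse_duration(text):
    m = _DURATION.match(text.strip())
    if not m:
        raise ValueError("unsupported duration %r" % text)
    days, hours, minutes, seconds = (int(x or 0) for x in m.groups())
    return timedelta(days=days, hours=hours, minutes=minutes, seconds=seconds)


def parse_time(text):
    """ISO 8601 timestamp; a trailing Z means UTC, a value without a zone
    is taken as host local time (assumption of this example)."""
    dt = datetime.fromisoformat(text.strip().replace("Z", "+00:00"))
    return dt if dt.tzinfo else dt.astimezone()


def _split_rule(text):
    op, _, value = text.strip().partition(" ")
    if op not in OPS:
        raise ValueError("unknown relational operator %r" % op)
    return OPS[op], value.strip()


def eval_time_rule(rule, now, authn):
    """Evaluate one child rule of a type="Time" provider."""
    if rule.tag == "TimeSinceAuthn":
        # True iff the session's authentication is no older than the duration.
        return authn is not None and now - authn <= parse_duration(rule.text)
    op, value = _split_rule(rule.text)
    if rule.tag == "Time":
        return op(now, parse_time(value))          # absolute comparison
    if rule.tag in FIELDS:
        return op(FIELDS[rule.tag](now), int(value))  # portion of the time
    raise ValueError("unknown Time rule <%s>" % rule.tag)


def evaluate(provider, now, authn=None):
    """Evaluate an <AccessControlProvider> element against an aware datetime.
    Chaining and Time both combine children with short-circuit AND/OR as the
    page states (all()/any() stop at the first non-true/true result).
    Chaining requires operator=; Time defaults to AND.  Other plugin types
    such as XML are outside this model."""
    ptype = provider.get("type")
    if ptype == "Chaining":
        op = provider.get("operator")
        parts = (evaluate(c, now, authn)
                 for c in provider if c.tag == "AccessControlProvider")
    elif ptype == "Time":
        op = provider.get("operator", "AND")
        parts = (eval_time_rule(r, now, authn) for r in provider)
    else:
        raise ValueError("plugin type %r not modelled" % ptype)
    if op not in ("AND", "OR"):
        raise ValueError("operator must be AND or OR, got %r" % op)
    return all(parts) if op == "AND" else any(parts)


def allowed(policy_xml, when, authn=None):
    """Decide a policy fragment at ISO timestamp `when` (strings throughout)."""
    return evaluate(ET.fromstring(policy_xml), parse_time(when),
                    parse_time(authn) if authn else None)


# Constructed policy: the hours-of-operation example from this page, with the
# closing rule parameterised so the two candidate spellings can be compared.
HOURS_POLICY = """<AccessControlProvider type="Chaining" operator="AND">
  <AccessControlProvider type="Chaining" operator="OR">
    <AccessControlProvider type="Time"><Hour>GT 6</Hour></AccessControlProvider>
    <AccessControlProvider type="Time">
      <Hour>EQ 6</Hour><Minute>GE 30</Minute>
    </AccessControlProvider>
  </AccessControlProvider>
  <AccessControlProvider type="Time"><Hour>%s</Hour></AccessControlProvider>
</AccessControlProvider>"""


def open_hours(closing_rule, when):
    """True if `when` is at or after 06:30 and satisfies the closing Hour rule."""
    return allowed(HOURS_POLICY % closing_rule, when)


if __name__ == "__main__":
    # "LE 17" keeps the content open until 17:59; "LT 17" closes it at 17:00.
    for rule in ("LE 17", "LT 17"):
        print(rule, open_hours(rule, "2012-05-24T17:30:00Z"))
```

Because the evaluator uses all() and any() over generators, it reproduces the documented short-circuit behaviour: a later child of an AND chain is never evaluated once an earlier one has returned false. Running the script shows why the closing rule of the hours-of-operation example matters: with "LE 17" a request at 17:30 is allowed, with "LT 17" it is refused.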