The Shibboleth V2 IdP and SP software have reached End of Life and are no longer supported. This documentation is available for historical purposes only. See the IDP v4 and SP v3 wiki spaces for current documentation on the supported versions.


The <SecurityPolicies> element is a container for one or more uniquely identified <Policy> elements that control low-level security and profile processing performed by the SP.

Custom security policies can be defined at the level of a specific application or protocol endpoint, but in most cases, the default policy is appropriate for all typical exchanges.


Each policy contains a variety of loosely related settings and a configurable set of "rules" that implement particular protections and peer authentication mechanisms.

<Policy id="foo" validate="false">
    <PolicyRule type="MessageFlow" checkReplay="true" expires="60"/>
    <PolicyRule type="ClientCertAuth" errorFatal="true"/>
    <PolicyRule type="XMLSigning" errorFatal="true"/>
    <PolicyRule type="SimpleSigning" errorFatal="true"/>
    <PolicyRule type="Conditions"/>


  • id (XML ID)
    • Uniquely names this policy within the XML file.
  • validate (boolean) (defaults to false)
    • Enables or disables schema validation of XML when parsing messages at runtime. Includes all SAML and SOAP messages.

Child Elements

  • <Rule> (one or more)
    • Legacy syntax for security policy rules to use. Versions of the SP prior to 2.2 used this element, which accidentally conflicted with the same named element used in the access control syntax. It remains supported, but is deprecated.

Version 2.2 and Above