The <Rule> element defines a specific access control requirement.


  • require (string)
    • One of a set of predefined "aliases", or the ID/alias of an attribute to examine. The predefined aliases are:
      • valid-user
        • A rule that requires an authenticated session, but nothing else.
      • user
        • A rule based on the REMOTE_USER identity for the request.
      • authnContextClassRef
        • A rule based on the SAML authentication context class or method asserted by the IdP.
      • authnContextDeclRef
        • A rule based on the SAML authentication context declaration asserted by the IdP.
  • list (boolean) (defaults to true)
    • Enables "list" processing on the element's content. If false, the element content is treated as a single value; otherwise, it's a space-delimited list of values.

Element Content

The element's content consists of the data to use as input to the rule. Multiple values can be supplied in a space-separated list, making the rule an implicit <OR>.
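
An added example (not from the original documentation) showing how the list attribute changes the way element content is matched. The enclosing <AccessControl> and <AND> elements, the attribute ID "department", and all values are assumptions chosen for illustration.

```xml
<!-- Added example; the "department" attribute ID and all values are constructed. -->
<AccessControl>
  <AND>
    <!-- Default (list="true"): the content is split on spaces, so this rule
         is satisfied when REMOTE_USER equals either value (an implicit OR). -->
    <Rule require="user">alice@example.org bob@example.org</Rule>

    <!-- list="false": the content is one value, spaces included.
         With the default, the same content would be read as the two
         separate values "Human" and "Resources", and either would match. -->
    <Rule require="department" list="false">Human Resources</Rule>
  </AND>
</AccessControl>
```

Set list="false" whenever an expected value can itself contain a space; otherwise the rule matches more values than intended.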