The <SecurityPolicyProvider> element confugures the component that guides the low-level security and XML processing performed during the runtime operation of the SP. Many different protocols and profiles can be handled by a Shibboleth SP. The various security checks that are performed can vary across and within these profiles but can generally be implemented by a common set of rules. There are also policy controls that allow certain algorithms to be turned on and off in response to vulnerabilities.

The required type attribute specifies the plugin type; currently only one type, XML, is available, documented here.

XML SecurityPolicyProvider

Identified by type="XML", this SecurityPolicyProvider implements a custom XML syntax for expressing security processing and policy rules for different protocols and profiles, and for enabling and disabling algorithms.

It's configuration is implemented as a reloadable XML resource, which means that the XML content can be supplied inline, in a local file, or a remote file, and can be monitored for changes and reloaded on the fly. The root of the XML in any of those cases MUST be a <SecurityPolicies> element, either as a child element in an existing file or the root of a different file

By default, it's supplied in a separate file (security-policy.xml) because the settings are rarely altered. In some deployments it could be advantageous to consider supplying a centrally-hosted signed file consumed by a large number of systems, to allow for centrally-maintained algorithm policy.



Aside from the type="XML" attribute itself, there is no other attribute content specific to this plugin type.

It supports all of the attributes common to all reloadable configuration resources:

Child Elements

The following child element must be provided, either inline, or as the root element of a local or remote XML resource to load from, which would be specified via the attribute(s) above.









Root element of configuration

When a non-inline configuration is used, it supports the following child elements common to all reloadable configuration resources.


<!-- Policies that determine how to process and authenticate runtime messages. --> <SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>