Policy

Overview

Each <Policy> element contains a couple of general settings and a configurable set of "rules" that implement particular protections and peer authentication mechanisms. In general you need not worry much about unsafe behavior: if all of the rules for authenticating a message are disabled, the system simply rejects the message.

Reference

Attributes

Name     | Type    | Default | Description
id       | XML ID  |         | Uniquely names this policy within the configuration
validate | boolean | false   | Enables or disables schema validation of XML when parsing messages at runtime. Includes all SAML and SOAP messages.

Child Elements

Name         | Cardinality | Description
<PolicyRule> | 1 or more   | Security policy rules to apply

Example

The default policy for dealing with SAML messages, in English, is:

  1. Don't schema validate.

  2. Check for replay, and reject messages older than 60 seconds in the past.

  3. Honor any SAML <Condition> elements, including timestamps, and make sure the SP sees itself as an audience for any assertions. Reject any other conditions as unrecognized.

  4. Allow a message to be authenticated by checking for a TLS client certificate, an XML signature, and a "blob"-type signature, in that order. Anything present that can't be validated is fatal. Validation is based on the configured <TrustEngine>(s).

  <Policy id="default" validate="false">
    <PolicyRule type="MessageFlow" checkReplay="true" expires="60"/>
    <PolicyRule type="Conditions">
      <PolicyRule type="Audience"/>
      <!-- Enable Delegation rule to permit delegated access. -->
      <!-- <PolicyRule type="Delegation"/> -->
    </PolicyRule>
    <PolicyRule type="ClientCertAuth" errorFatal="true"/>
    <PolicyRule type="XMLSigning" errorFatal="true"/>
    <PolicyRule type="SimpleSigning" errorFatal="true"/>
  </Policy>
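As an added illustration (not part of the Shibboleth documentation or code), the following Python script checks <Policy> elements against the four points of the default policy above: replay checking on with a 60-second window, an Audience rule nested under Conditions, and errorFatal set on each authentication rule. The sample configuration is constructed inline and omits the real shibboleth2.xml namespace for brevity.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the page's default policy plus a weakened variant so the
# checker has something to flag. Real files carry a namespace; omitted here.
SAMPLE = """<root>
<Policy id="default" validate="false">
  <PolicyRule type="MessageFlow" checkReplay="true" expires="60"/>
  <PolicyRule type="Conditions">
    <PolicyRule type="Audience"/>
  </PolicyRule>
  <PolicyRule type="ClientCertAuth" errorFatal="true"/>
  <PolicyRule type="XMLSigning" errorFatal="true"/>
  <PolicyRule type="SimpleSigning" errorFatal="true"/>
</Policy>
<Policy id="weak">
  <PolicyRule type="MessageFlow" checkReplay="false" expires="600"/>
  <PolicyRule type="Conditions"/>
  <PolicyRule type="XMLSigning" errorFatal="false"/>
</Policy>
</root>"""

# The three authentication rule types the default policy relies on.
AUTH_RULES = {"ClientCertAuth", "XMLSigning", "SimpleSigning"}

def check_policy(policy):
    """Return a list of findings for one <Policy> element (empty = matches defaults)."""
    findings = []
    rules = {r.get("type"): r for r in policy.findall("PolicyRule")}
    flow = rules.get("MessageFlow")
    if flow is None:
        findings.append("no MessageFlow rule")
    else:
        if flow.get("checkReplay", "").lower() != "true":
            findings.append("replay checking disabled")
        if int(flow.get("expires", "0")) > 60:
            findings.append("expires exceeds 60 seconds")
    cond = rules.get("Conditions")
    if cond is None or cond.find("PolicyRule[@type='Audience']") is None:
        findings.append("no Audience rule under Conditions")
    present = AUTH_RULES & set(rules)
    for name in sorted(present):
        if rules[name].get("errorFatal", "").lower() != "true":
            findings.append(f"{name} errorFatal not true")
    if not present:
        findings.append("no authentication rule")
    return findings

def check_all(xml_text=SAMPLE):
    """Map each Policy id to its findings."""
    root = ET.fromstring(xml_text)
    return {p.get("id"): check_policy(p) for p in root.findall("Policy")}
```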