Delegation Rule
Identified by type="Delegation", this rule processes SAML 2.0 "DelegationRestriction" conditions. A rule can either permit any delegation chain, or require that specific delegates appear in the chain, with a choice of matching options.
Namespaces
This page refers to several different namespaces, as detailed below.
Namespace | URI | Description |
---|---|---|
del | urn:oasis:names:tc:SAML:2.0:conditions:delegation | SAML 2.0 delegation restriction condition namespace |
saml | urn:oasis:names:tc:SAML:2.0:assertion | SAML 2.0 assertion namespace |
Attributes
Name | Type | Default | Description |
---|---|---|---|
match | optional, one of "anyOrder", "oldest", "newest" | "anyOrder" | Sets the matching policy for the rule when child elements are supplied. "anyOrder" means that every delegate in the assertion must be listed in the rule, in any order. "oldest" means that the delegates in the assertion must include the delegates listed in the rule, in order, starting from the beginning/top of the assertion's list. "newest" reverses the order of the matching process, starting from the bottom of the assertion's list and working backward. With an ordered comparison, the assertion may contain additional delegates beyond those needed to complete the match. |
maxTimeSinceDelegation | time in seconds | (none) | If set, requires that every delegate include an associated time stamp indicating when delegation occurred, and enforces a maximum period between that time and the current time. A delegate without a time stamp fails this check, and the comparison is only as accurate as the clock synchronization between the issuer and the SP. |
Child Elements
Name | Cardinality | Description |
---|---|---|
<del:Delegate> | 0 or more | Supplies delegates to match against the content of the assertion, using the policy specified in the match attribute. If none are included, any delegates found in the assertion are accepted. Only delegates identified with <saml:NameID> elements are supported. An optional ConfirmationMethod attribute can be included; if present, the same value must be found on the corresponding <del:Delegate> element in the assertion for a match to take place. |
Example
```xml
<PolicyRule type="Delegation" match="oldest"
    xmlns:del="urn:oasis:names:tc:SAML:2.0:conditions:delegation"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <del:Delegate>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://portal.example.org/shibboleth</saml:NameID>
  </del:Delegate>
  <del:Delegate ConfirmationMethod="urn:oasis:names:tc:SAML:2.0:cm:holder-of-key">
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://portal2.example.org/shibboleth</saml:NameID>
  </del:Delegate>
  <del:Delegate>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://portal3.example.org/shibboleth</saml:NameID>
  </del:Delegate>
</PolicyRule>
```
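To make the three matching policies and the maxTimeSinceDelegation check concrete, here is a small evaluator written for this page. It is an added example, not code from the Shibboleth SP, and it implements the semantics exactly as the tables above describe them: "anyOrder" requires every assertion delegate to be listed in the rule, "oldest" compares the rule's list against the top of the assertion's chain, "newest" compares it against the bottom (the rule's last entry against the assertion's last entry, which is an assumption about how "working backward" pairs the lists), and extra delegates are tolerated only for the ordered policies. The DelegationInstant and ConfirmationMethod attribute names on the assertion side come from the SAML 2.0 delegation restriction condition; the rule XML is the example above and the assertion condition is constructed sample input with a fourth delegate (portal4) that the rule does not list.

```python
# Added example (not Shibboleth SP code): evaluates a Delegation rule against the
# delegate chain of a DelegationRestriction condition, following this page's description.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional
import xml.etree.ElementTree as ET

DEL = "urn:oasis:names:tc:SAML:2.0:conditions:delegation"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

@dataclass(frozen=True)
class Delegate:
    name: str                           # text of <saml:NameID>
    fmt: Optional[str]                  # NameID Format attribute, if any
    confirmation: Optional[str]         # ConfirmationMethod attribute, if any
    instant: Optional[datetime] = None  # DelegationInstant (assertion side only)

@dataclass
class Rule:
    match: str                          # "anyOrder", "oldest" or "newest"
    max_age: Optional[int]              # maxTimeSinceDelegation in seconds, if set
    delegates: List[Delegate]

def _delegate_from(el: ET.Element, with_instant: bool = False) -> Delegate:
    nameid = el.find(f"{{{SAML}}}NameID")
    if nameid is None:                  # BaseID/EncryptedID delegates are not supported
        raise ValueError("only <saml:NameID> delegates are supported")
    instant, raw = None, el.get("DelegationInstant")
    if with_instant and raw:            # xs:dateTime; normalise 'Z' so the result is tz-aware
        instant = datetime.fromisoformat(raw.replace("Z", "+00:00"))
    return Delegate((nameid.text or "").strip(), nameid.get("Format"),
                    el.get("ConfirmationMethod"), instant)

def parse_rule(xml: str) -> Rule:
    """Parse a <PolicyRule type="Delegation"> element."""
    root = ET.fromstring(xml)
    max_age = root.get("maxTimeSinceDelegation")
    return Rule(root.get("match", "anyOrder"), int(max_age) if max_age else None,
                [_delegate_from(d) for d in root.findall(f"{{{DEL}}}Delegate")])

def parse_condition(xml: str) -> List[Delegate]:
    """Return the delegate chain of a DelegationRestriction condition, oldest first."""
    root = ET.fromstring(xml)
    return [_delegate_from(d, True) for d in root.findall(f"{{{DEL}}}Delegate")]

def delegate_matches(wanted: Delegate, found: Delegate) -> bool:
    """NameID value must match; Format and ConfirmationMethod must match when the rule sets them."""
    return (wanted.name == found.name
            and (wanted.fmt is None or wanted.fmt == found.fmt)
            and (wanted.confirmation is None or wanted.confirmation == found.confirmation))

def evaluate(rule: Rule, found: List[Delegate], now: datetime) -> bool:
    """True if the delegates found in the assertion satisfy the rule."""
    if rule.max_age is not None:
        limit = timedelta(seconds=rule.max_age)
        # every delegate needs a time stamp and none may be older than the limit
        if any(d.instant is None or now - d.instant > limit for d in found):
            return False
    if not rule.delegates:              # no children: any delegates are accepted
        return True
    if rule.match == "anyOrder":        # each assertion delegate must be listed in the rule
        return all(any(delegate_matches(w, f) for w in rule.delegates) for f in found)
    if len(found) < len(rule.delegates):
        return False
    if rule.match == "oldest":          # walk both lists from the top of the chain
        pairs = zip(rule.delegates, found)
    elif rule.match == "newest":        # walk both lists from the bottom of the chain
        pairs = zip(reversed(rule.delegates), reversed(found))
    else:
        raise ValueError(f"unknown match policy {rule.match!r}")
    return all(delegate_matches(w, f) for w, f in pairs)  # extra delegates beyond the rule are allowed

# Constructed sample input: the rule from the example above, plus a condition whose
# chain has a fourth, newer delegate (portal4) that the rule does not list.
ENTITY = "urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
HOK = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"
RULE_XML = f"""<PolicyRule type="Delegation" match="oldest" xmlns:del="{DEL}" xmlns:saml="{SAML}">
  <del:Delegate><saml:NameID Format="{ENTITY}">https://portal.example.org/shibboleth</saml:NameID></del:Delegate>
  <del:Delegate ConfirmationMethod="{HOK}"><saml:NameID Format="{ENTITY}">https://portal2.example.org/shibboleth</saml:NameID></del:Delegate>
  <del:Delegate><saml:NameID Format="{ENTITY}">https://portal3.example.org/shibboleth</saml:NameID></del:Delegate>
</PolicyRule>"""
CONDITION_XML = f"""<saml:Condition xmlns:saml="{SAML}" xmlns:del="{DEL}"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="del:DelegationRestrictionType">
  <del:Delegate DelegationInstant="2024-05-01T12:00:00Z"><saml:NameID Format="{ENTITY}">https://portal.example.org/shibboleth</saml:NameID></del:Delegate>
  <del:Delegate DelegationInstant="2024-05-01T12:00:05Z" ConfirmationMethod="{HOK}"><saml:NameID Format="{ENTITY}">https://portal2.example.org/shibboleth</saml:NameID></del:Delegate>
  <del:Delegate DelegationInstant="2024-05-01T12:00:10Z"><saml:NameID Format="{ENTITY}">https://portal3.example.org/shibboleth</saml:NameID></del:Delegate>
  <del:Delegate DelegationInstant="2024-05-01T12:00:15Z"><saml:NameID Format="{ENTITY}">https://portal4.example.org/shibboleth</saml:NameID></del:Delegate>
</saml:Condition>"""
NOW = datetime(2024, 5, 1, 12, 0, 30, tzinfo=timezone.utc)   # 30 s after the oldest delegation
LATER = NOW + timedelta(hours=1)

def check(rule_xml: str, condition_xml: str, now: datetime = NOW) -> bool:
    return evaluate(parse_rule(rule_xml), parse_condition(condition_xml), now)

if __name__ == "__main__":
    for policy in ("oldest", "anyOrder", "newest"):
        print(policy, check(RULE_XML.replace('match="oldest"', f'match="{policy}"'), CONDITION_XML))
```

Run against the sample condition, the example rule accepts the chain under "oldest" (portal, portal2 with holder-of-key, portal3 head the chain; portal4 is an allowed extra), rejects it under "anyOrder" (portal4 is not listed) and under "newest" (the bottom of the chain is portal4, not portal3). Dropping the holder-of-key ConfirmationMethod from portal2 in the assertion also fails the match, and adding maxTimeSinceDelegation="60" to the rule fails once the clock moves an hour past the delegation instants or if any delegate lacks a DelegationInstant.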