Delegation Rule

Identified by type="Delegation", this rule processes SAML 2.0 "DelegationRestriction" conditions. A rule can either generically permit delegation, or require specific delegates with a variety of matching options.

Namespaces

This page refers to several different namespaces as detailed below.

Namespace   URI                                                  Description
del         urn:oasis:names:tc:SAML:2.0:conditions:delegation    SAML2 Condition for Delegation Restriction namespace
saml        urn:oasis:names:tc:SAML:2.0:assertion                SAML2 assertion namespace

Attributes

match
    Type: optional, one of "anyOrder", "oldest", "newest"
    Default: "anyOrder"
    Description: Sets the matching policy for the rule, if there are child elements supplied. "anyOrder" means that every delegate in an assertion must be listed in the rule, in any order. "oldest" means that the delegates in the assertion must include the delegates listed in the rule, in order, starting from the beginning/top of the list. "newest" reverses the order of the matching process, starting from the bottom of the list in the assertion and working backward. With an ordered comparison, additional delegates may be in the assertion once the match is complete.

maxTimeSinceDelegation
    Type: time in seconds
    Default: (none)
    Description: If set, requires that any delegates include an associated time stamp indicating when delegation occurred and enforces a maximum period between the act and the current time.

Child Elements

<del:Delegate>
    Cardinality: 0 or more
    Description: Supplies delegates to match with the content of the assertion, using the policy specified in the match attribute. If none are included, any delegates found in the assertion will be accepted. Only delegates identified with <saml:NameID> elements are supported. An optional ConfirmationMethod attribute can be included, and if present, the same value must be found in the <del:Delegate> element in an assertion for a match to take place.

Example

<PolicyRule type="Delegation" match="oldest"
    xmlns:del="urn:oasis:names:tc:SAML:2.0:conditions:delegation"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
    <del:Delegate>
        <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://portal.example.org/shibboleth</saml:NameID>
    </del:Delegate>
    <del:Delegate ConfirmationMethod="urn:oasis:names:tc:SAML:2.0:cm:holder-of-key">
        <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://portal2.example.org/shibboleth</saml:NameID>
    </del:Delegate>
    <del:Delegate>
        <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://portal3.example.org/shibboleth</saml:NameID>
    </del:Delegate>
</PolicyRule>
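As an added illustration (not part of this page and not the Shibboleth SP's own code), the following Python sketch applies the match policies and the maxTimeSinceDelegation check described above to the delegates found in an assertion's delegation condition, using a constructed rule and assertion. It assumes delegates carry the DelegationInstant and ConfirmationMethod attributes of the SAML delegation condition, and it treats "newest" as walking both the rule's list and the assertion's list from the end, which is an interpretation rather than something the page states.

```python
# Added example (not Shibboleth SP code): evaluate a Delegation PolicyRule against an assertion.
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"del": "urn:oasis:names:tc:SAML:2.0:conditions:delegation",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
HOK = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"

def delegate(name, instant=None, cm=None):  # one del:Delegate of constructed sample data
    attrs = (f' DelegationInstant="{instant}"' if instant else "") + (f' ConfirmationMethod="{cm}"' if cm else "")
    return f'<del:Delegate{attrs}><saml:NameID>https://{name}.example.org/shibboleth</saml:NameID></del:Delegate>'

# Constructed rule: two delegates from the page's example plus a 10-minute freshness limit.
RULE = (f'<PolicyRule type="Delegation" match="oldest" maxTimeSinceDelegation="600" '
        f'xmlns:del="{NS["del"]}" xmlns:saml="{NS["saml"]}">'
        + delegate("portal") + delegate("portal2", cm=HOK) + "</PolicyRule>")
# Constructed assertion: the required delegates in order, then an extra one (allowed by "oldest").
ASSERTION = (f'<saml:Assertion xmlns:saml="{NS["saml"]}" xmlns:del="{NS["del"]}" '
             'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><saml:Conditions>'
             '<saml:Condition xsi:type="del:DelegationRestrictionType">'
             + delegate("portal", "2024-01-01T12:00:00Z") + delegate("portal2", "2024-01-01T12:01:00Z", HOK)
             + delegate("portal3", "2024-01-01T12:02:00Z") + "</saml:Condition></saml:Conditions></saml:Assertion>")

def to_time(s):  # xs:dateTime such as 2024-01-01T12:00:00Z -> timezone-aware datetime
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def parse(elements):  # (NameID, ConfirmationMethod, DelegationInstant) per NameID-based delegate
    return [(d.find("saml:NameID", NS).text.strip(), d.get("ConfirmationMethod"),
             d.get("DelegationInstant")) for d in elements if d.find("saml:NameID", NS) is not None]

def matches(rule, asserted):  # NameID must be equal; ConfirmationMethod only if the rule sets one
    return rule[0] == asserted[0] and (rule[1] is None or rule[1] == asserted[1])

def evaluate(rule_xml, assertion_xml, now=None):  # now: xs:dateTime string, defaults to current time
    rule, assertion = ET.fromstring(rule_xml), ET.fromstring(assertion_xml)
    asserted = parse(assertion.findall(".//saml:Condition/del:Delegate", NS))
    required, max_age = parse(rule.findall("del:Delegate", NS)), rule.get("maxTimeSinceDelegation")
    if max_age is not None:  # every delegate needs a time stamp inside the allowed window
        now = to_time(now) if now else datetime.now(timezone.utc)
        for _, _, instant in asserted:
            if not instant or (now - to_time(instant)).total_seconds() > float(max_age):
                return False
    if not required:
        return True  # no child elements: any delegates are accepted
    match = rule.get("match", "anyOrder")
    if match == "anyOrder":  # each asserted delegate must be listed somewhere in the rule
        return all(any(matches(r, a) for r in required) for a in asserted)
    if match == "newest":  # assumption: the rule's list is walked from its end as well
        asserted, required = asserted[::-1], required[::-1]
    return len(asserted) >= len(required) and all(map(matches, required, asserted))
```

With the constructed data, the "oldest" rule passes because the extra third delegate follows a complete ordered match, while switching the same rule to "anyOrder" fails because that third delegate is not listed in the rule.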