Conditions Rule
Identified by type="Conditions", this rule processes SAML 1.x and 2.0 "condition" elements found in assertions, which control the circumstances under which they may be accepted by the SP for use. In the absence of this rule, any conditions found will result in rejection of an assertion.
This rule also enforces the NotBefore and NotOnOrAfter attributes accompanying the assertion, if any.
If no child elements are supplied, the plugin will install itself with a default set of rules equivalent to the example.
Child Elements
Name | Cardinality | Description |
---|---|---|
<PolicyRule> | 0 or more | Supplies one or more rules to apply to any conditions found in the assertion being evaluated. In the event that a condition is unrecognized by all of them, the surrounding rule will reject the assertion. |
Example
Default settings for Condition PolicyRule
<PolicyRule type="Conditions" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
    <PolicyRule type="Audience"/>
    <PolicyRule type="Ignore">saml:DoNotCacheCondition</PolicyRule>
    <PolicyRule type="Ignore">saml2:OneTimeUse</PolicyRule>
    <PolicyRule type="Ignore">saml2:ProxyRestriction</PolicyRule>
</PolicyRule>
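The following Python sketch models the decision logic described above for SAML 2.0 assertions only: the validity window, the Audience check, the ignored conditions, and rejection of any condition no rule recognizes. It is an added illustration, not the SP's own code; the function names, entity IDs and the ex:Custom condition are constructed, and no clock-skew allowance is modeled.

```python
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
# Mirrors the default rule set: Audience is evaluated, these conditions are ignored.
IGNORED = {f"{{{SAML2}}}OneTimeUse", f"{{{SAML2}}}ProxyRestriction"}

def _ts(value):
    # SAML timestamps are UTC xs:dateTime values, e.g. 2024-01-01T00:00:00Z
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_conditions(assertion_xml, sp_entity_id, now):
    """Return (accepted, reason) for the <Conditions> of a SAML 2.0 assertion."""
    conditions = ET.fromstring(assertion_xml).find(f"{{{SAML2}}}Conditions")
    if conditions is None:
        return True, "no conditions"
    nb, noa = conditions.get("NotBefore"), conditions.get("NotOnOrAfter")
    if nb and now < _ts(nb):
        return False, "not yet valid"
    if noa and now >= _ts(noa):
        return False, "expired"
    for cond in conditions:
        if cond.tag == f"{{{SAML2}}}AudienceRestriction":
            audiences = {a.text.strip() for a in cond.findall(f"{{{SAML2}}}Audience") if a.text}
            if sp_entity_id not in audiences:
                return False, "audience mismatch"
        elif cond.tag not in IGNORED:
            # No rule recognizes this condition, so the assertion is rejected.
            return False, f"unrecognized condition {cond.tag}"
    return True, "ok"

# Constructed sample assertion (entity IDs and the ex: condition are made up).
def sample(extra=""):
    return (f'<saml2:Assertion xmlns:saml2="{SAML2}" xmlns:ex="urn:example:ext">'
            '<saml2:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:05:00Z">'
            '<saml2:AudienceRestriction><saml2:Audience>https://sp.example.org/shibboleth'
            f'</saml2:Audience></saml2:AudienceRestriction><saml2:OneTimeUse/>{extra}'
            '</saml2:Conditions></saml2:Assertion>')

NOW = datetime(2024, 1, 1, 0, 2, tzinfo=timezone.utc)

if __name__ == "__main__":
    sp = "https://sp.example.org/shibboleth"
    print(check_conditions(sample(), sp, NOW))                # accepted
    print(check_conditions(sample("<ex:Custom/>"), sp, NOW))  # rejected: unrecognized
    print(check_conditions(sample(), "https://other.example.org/sp", NOW))  # rejected: audience
```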