Conditions Rule

Identified by type="Conditions", this rule processes SAML 1.x and 2.0 "condition" elements found in assertions, which control the circumstances under which they may be accepted by the SP for use. In the absence of this rule, any conditions found will result in rejection of an assertion.

This rule also enforces the NotBefore and NotOnOrAfter attributes accompanying the assertion, if any.

If no child elements are supplied, the plugin will install itself with a default set of rules equivalent to the example below.

Child Elements

Name: <PolicyRule>
Cardinality: 0 or more
Description: Supplies one or more rules to apply to any conditions found in the assertion being evaluated. In the event that a condition is unrecognized by all of them, the surrounding rule will reject the assertion.

Example

Default settings for the Conditions PolicyRule:

<PolicyRule type="Conditions" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
    <PolicyRule type="Audience"/>
    <PolicyRule type="Ignore">saml:DoNotCacheCondition</PolicyRule>
    <PolicyRule type="Ignore">saml2:OneTimeUse</PolicyRule>
    <PolicyRule type="Ignore">saml2:ProxyRestriction</PolicyRule>
</PolicyRule>
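As an added illustration (not Shibboleth SP code), the following Python models what the default rule set above does to a SAML 2.0 assertion's <Conditions>: NotBefore/NotOnOrAfter are enforced with a clock-skew allowance, AudienceRestriction must name the SP, the three ignored conditions are skipped, and any other condition causes rejection. The sample assertion, the SP entity ID and the 180-second skew are constructed assumptions; SAML 1.x audience conditions are not modelled.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
SAML1 = "urn:oasis:names:tc:SAML:1.0:assertion"
NS = {"saml2": SAML2, "saml": SAML1}

# Mirrors the default rule set: Audience is enforced, these three are ignored,
# and anything else is unrecognized, which rejects the whole assertion.
IGNORED = {f"{{{SAML1}}}DoNotCacheCondition", f"{{{SAML2}}}OneTimeUse",
           f"{{{SAML2}}}ProxyRestriction"}
AUDIENCE_RESTRICTION = f"{{{SAML2}}}AudienceRestriction"

def _ts(s):
    """Parse a SAML UTC timestamp such as 2024-01-01T12:00:00Z."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def evaluate_conditions(assertion_xml, sp_entity_id, now_iso, skew_seconds=180):
    """Return (accepted, reason) for the <Conditions> of a SAML 2.0 assertion."""
    now, skew = _ts(now_iso), timedelta(seconds=skew_seconds)
    conds = ET.fromstring(assertion_xml).find("saml2:Conditions", NS)
    if conds is None:
        return True, "no conditions"
    nb, noa = conds.get("NotBefore"), conds.get("NotOnOrAfter")
    if nb and now + skew < _ts(nb):        # still in the future even with skew
        return False, "not yet valid"
    if noa and now - skew >= _ts(noa):     # already past NotOnOrAfter even with skew
        return False, "expired"
    for cond in conds:
        if cond.tag == AUDIENCE_RESTRICTION:
            audiences = {(a.text or "").strip() for a in cond.findall("saml2:Audience", NS)}
            if sp_entity_id not in audiences:
                return False, "audience mismatch"
        elif cond.tag not in IGNORED:
            return False, f"unrecognized condition {cond.tag}"
    return True, "ok"

# Constructed sample assertion (assumed values, not from any real IdP).
SAMPLE = f"""<saml2:Assertion xmlns:saml2="{SAML2}">
  <saml2:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
    <saml2:AudienceRestriction>
      <saml2:Audience>https://sp.example.org/shibboleth</saml2:Audience>
    </saml2:AudienceRestriction>
    <saml2:OneTimeUse/>
  </saml2:Conditions>
</saml2:Assertion>"""

if __name__ == "__main__":
    print(evaluate_conditions(SAMPLE, "https://sp.example.org/shibboleth", "2024-01-01T12:02:00Z"))
```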